[spambayes-bugs] [ spambayes-Patches-791393 ] HTTP Authentication

SourceForge.net noreply at sourceforge.net
Sun Aug 31 08:40:23 EDT 2003


Patches item #791393, was opened at 2003-08-19 20:02
Message generated for change (Comment added) made by gfx
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=498105&aid=791393&group_id=61702

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Romain Guy (gfx)
Assigned to: Nobody/Anonymous (nobody)
Summary: HTTP Authentication

Initial Comment:
This patch closes Feature Request #791319.

This patch adds HTTP Authentication support to the
Dibbler HTTP server. There are four new methods which
can be overloaded (by default, no authentication is
required):

requestAuthentication()
getRealm()
isValidUser()
getCancelMessage()

This patch works against current CVS release and does
include the remote connections one. The configuration
page now shows three new options: enable/disable HTTP
authentication, user name and user password.

This is based on Basic HTTP Authentication and not on
Digest (MD5) one which is more secure (but more
complicated to implement, particularly in such a
simple web server). I guess that HTTP Authentication
and Remote connections management should be enough to
prevent the vast majority of security issues.

The attached zip contains diff and py files.

P.S.: it is easy to mix this patch with the remote
connections one

----------------------------------------------------------------------

>Comment By: Romain Guy (gfx)
Date: 2003-08-31 16:40

Message:
Logged In: YES 
user_id=6845

It was much simpler than I originally thought. This is not a
complete Digest implementation since the patch does not take
care of the "opaque" value (this would have meant to keep
track of each visitor on the HTTP server). Yet, after having
read the RFC, I don't think it is worth the work. Anyway,
this patch allows encrypted authentication.

I've modified the configuration page so that the user can
choose between no authentication, basic (base64) and digest
(md5).

I've submitted two files : one containing the .py files and
the .diff files, and another one which is a context diff
with today's CVS code.

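As an added illustration (not code from the patch or from the Dibbler server) of the two schemes discussed in this thread, the following checks Basic and Digest (RFC 2617, MD5, no qop/opaque) Authorization headers the way a small server would; the realm, user store and nonce are assumed sample values.

```python
import base64
import hashlib
import hmac
import re

REALM = "SpamBayes"          # assumed realm, what getRealm() would return
USERS = {"alice": "s3cret"}  # constructed sample credential store


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def basic_header(user: str, password: str) -> str:
    """What a client sends for Basic: base64(user:password), reversible, not encrypted."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic(header: str) -> bool:
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        return False
    try:
        user, _, password = base64.b64decode(token).decode().partition(":")
    except Exception:
        return False
    # constant-time compare; unknown users compare against "" and fail
    return user in USERS and hmac.compare_digest(USERS.get(user, ""), password)


def digest_response(user: str, password: str, method: str, uri: str, nonce: str) -> str:
    """MD5(HA1:nonce:HA2) with HA1 = MD5(user:realm:password), HA2 = MD5(method:uri)."""
    ha1 = md5hex(f"{user}:{REALM}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def digest_header(user: str, password: str, method: str, uri: str, nonce: str) -> str:
    """What a client sends for Digest: the hash only, never the password itself."""
    resp = digest_response(user, password, method, uri, nonce)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')


def check_digest(header: str, method: str, server_nonce: str) -> bool:
    """Server side: recompute the response from the stored password and compare.
    The server must still issue fresh nonces and reject reused ones, or a captured
    header can simply be replayed; that bookkeeping is what the thread calls tracking."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        return False
    fields = dict(re.findall(r'(\w+)="([^"]*)"', params))
    user = fields.get("username")
    if user not in USERS or fields.get("nonce") != server_nonce:
        return False
    expected = digest_response(user, USERS[user], method, fields.get("uri", ""), server_nonce)
    return hmac.compare_digest(fields.get("response", ""), expected)
```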
----------------------------------------------------------------------

Comment By: Romain Guy (gfx)
Date: 2003-08-31 02:00

Message:
Logged In: YES 
user_id=6845

I was not thinking of major structural changes, but to many
code additions, especially new instance members. We'll see
that tomorrow :)

P.S.: concerning CVS, I have used it for quite a long time, and I
was just afraid to run into conflicts (the way CVS merges
code is sometimes... surprising), I hate fixing this kind of
issues ;-)

----------------------------------------------------------------------

Comment By: Richie Hindle (richiehindle)
Date: 2003-08-31 01:51

Message:
Logged In: YES 
user_id=85414

Dibbler.py doesn't change much (it's only ever had three
edits!) so you shouldn't worry about huge conflicts.

That said, I've just checked in an edit to it before reading
this - you can't expect people not to touch it, but you
don't need to because CVS will cope with non-conflicting
edits.  Unless you're planning on changing it beyond all
recognition that is, in which case we really need to
discuss it first as you say - the reason it's barely changed
is that no-one's ever found a bug in it, and I wouldn't want
to jeopardise that.  Plus, adding authentication really
shouldn't require major restructuring work.


----------------------------------------------------------------------

Comment By: Romain Guy (gfx)
Date: 2003-08-31 01:38

Message:
Logged In: YES 
user_id=6845

I'll take care of this, counting from tomorrow. I expect
none of you to play with Dibbler.py during the next days,
since at first sight it might require some important
changes to add Digest (MD5) authentication support.

Anyway, if I am not able to make it for the freeze, I guess
Basic support might still be enough for most users. After
all, if it is very easy to catch somebody's HTTP Basic
login/password couple by sniffing the network, it is even
easier to intercept one's POP3 login information.

I'll try to do it, but think of keeping the authentication
Basic. As I said before, it might require important changes
within the web server. I did not dig deep enough in HTTP
documentation yet, but as far as I know it might require the
Dibbler web server to keep a UID for each HTTP client.

I hope I'll be surprised by the ease of implementation. I'll
get back to you tomorrow evening to tell you whether
important changes are required or not. If they are, maybe it
will be a good idea to discuss them since I don't know
what your plans are concerning the Dibbler code. I do not
want to mess up the code too much :-)

----------------------------------------------------------------------

Comment By: Richie Hindle (richiehindle)
Date: 2003-08-30 23:46

Message:
Logged In: YES 
user_id=85414

If you have the time to implement the more secure protocol,
please do - people might be reluctant to use the Basic
authentication.  (You should know that we're planning a
feature freeze fairly soon - probably sometime towards the
end of next week.  I don't know how long the freeze will 
last... a couple of weeks, perhaps?)


----------------------------------------------------------------------

Comment By: Romain Guy (gfx)
Date: 2003-08-30 16:03

Message:
Logged In: YES 
user_id=6845

I have some free time this week, should I add the Digest
authentication support (which, as said in patch description,
is based on an MD5 algorithm rather than a basic Base64 one)?

----------------------------------------------------------------------

Comment By: Romain Guy (gfx)
Date: 2003-08-25 02:30

Message:
Logged In: YES 
user_id=6845

Here is the context diff you requested (made with the latest
sources from CVS).

----------------------------------------------------------------------

Comment By: Richie Hindle (richiehindle)
Date: 2003-08-24 23:38

Message:
Logged In: YES 
user_id=85414

Romain,

Many thanks for the patch, but would it be possible for you
to resubmit it as a context diff?  Plain diffs are difficult to
apply once the source has changed in CVS.  You should be
able to produce a single-file context diff using this command:

cvs diff -c

in the top-level spambayes directory.  (If you're using
WinCVS, you can run that command via "Admin / Command
line")


----------------------------------------------------------------------

Comment By: Romain Guy (gfx)
Date: 2003-08-20 14:31

Message:
Logged In: YES 
user_id=6845

Oops sorry, this patch DOES NOT include remote connections
one (nor the outlook express one).

----------------------------------------------------------------------
