[Twisted-Python] HTTP Authentication Example for review
David McCurley
David.McCurley at technologist.com
Wed Jul 16 13:00:26 MDT 2003

Below is some example code I've been using to restrict access to certain
parts of my site to only the users I want. I've started simple with
hard-coded user/pwd stuff and tried to make a clean example for others
to look at to verify this looks to be a correct approach with twisted.
Please take a look and give me some feedback. Know a better way? See
any holes? Maybe I should be looking and doing something to the protocol
stuff instead of the resource approach?

This resource is intended to be plugged into part of the resource tree
and guard everything below it. It could be at the root or somewhere
below.

Note that in production, user accounts will be associated with groups,
and allowed paths can be attached to users and/or groups. I'm going to
implement this after I have covered the basics.

The one thing so far that I don't like (ref MyGuard) is that it looks
like I have to do checks in the following methods (at least):

    render()
    getChild()
    getChildWithDefault()
    getChildForRequest()

Example code:
=============================
# Imports assumed; the post does not show them.
from twisted.web import resource, error, http

# Assumption: the post does not show how baseRes is defined.
baseRes = resource.Resource


class MyAuth(baseRes):
    """Leaf resource that answers every request with a 401 Basic challenge."""
    isLeaf = True

    def __init__(self):
        baseRes.__init__(self)

    def render(self, request):
        request.setHeader('WWW-authenticate', 'Basic realm="%s"' % ("default",))
        errpage = error.ErrorPage(http.UNAUTHORIZED, "Unauthorized",
                                  "401 Authentication required")
        return errpage.render(request)

    def getChild(self, name, request):
        # Any path below an unauthenticated request gets the same challenge.
        return self


class MyGuard(baseRes):
    """Guards itself and everything below it with one user/password pair."""

    def __init__(self, userName="test", password="test"):
        baseRes.__init__(self)
        self.uName = userName
        self.pWord = password

    def render(self, request):
        auth = self.checkUser(request)
        if auth:
            return auth.render(request)
        return ("<html><head><title>MyGuard</title></head>"
                "<body><h1>MyGuard</h1></body></html>")

    def getChild(self, name, request):
        auth = self.checkUser(request)
        if auth:
            return auth
        if name == '':
            return self
        return baseRes.getChild(self, name, request)

    def getChildWithDefault(self, path, request):
        auth = self.checkUser(request)
        if auth:
            return auth
        return baseRes.getChildWithDefault(self, path, request)

    def getChildForRequest(self, request):
        auth = self.checkUser(request)
        if auth:
            return auth
        return baseRes.getChildForRequest(self, request)

    def checkUser(self, request):
        """Return a MyAuth challenge resource, or None if the request may pass."""
        # Missing or empty user name / password: challenge.
        if not request.getUser() or not request.getPassword():
            return MyAuth()
        else:
            user = request.getUser()
            pwd = request.getPassword()
            if user != self.uName or pwd != self.pWord:
                return MyAuth()
            else:
                return None
=============================
Thx!
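
A standalone sketch of the decision checkUser() makes, added here as an example and not part of the original post: it parses the Authorization header itself instead of using Twisted's request object, treats malformed input as missing credentials, and compares with hmac.compare_digest rather than !=. The names parse_basic, check_user and make_header and the (status, headers) return value are assumptions for illustration.

```python
import base64
import binascii
import hmac

REALM = "default"  # realm string from the post's WWW-authenticate header


def parse_basic(header):
    """Return (user, password) as bytes from an Authorization value, else None."""
    if not header:
        return None
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None  # malformed base64 is treated as "no credentials"
    user, sep, password = decoded.partition(b":")
    if not sep:
        return None  # no colon, so not a user:password pair
    return user, password  # split on the first colon only


def check_user(header, expected_user=b"test", expected_password=b"test"):
    """Hypothetical stand-in for checkUser(): None allows, a tuple is the 401."""
    challenge = (401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM})
    creds = parse_basic(header)
    if creds is None:
        return challenge
    user, password = creds
    # Run both comparisons before deciding, so a wrong user name and a wrong
    # password take the same code path.
    user_ok = hmac.compare_digest(user, expected_user)
    pwd_ok = hmac.compare_digest(password, expected_password)
    # Like the post's checkUser(), an empty user name or password is refused.
    if not (user and password and user_ok and pwd_ok):
        return challenge
    return None


def make_header(user, password):
    """Build a constructed Authorization value for trying the functions out."""
    return "Basic " + base64.b64encode(user + b":" + password).decode("ascii")
```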