[Twisted-Python] htpasswd / HTTP basic auth example
Andrew Bennetts
andrew-twisted at puzzling.org
Mon Jul 21 05:03:43 MDT 2003
On Mon, Jul 21, 2003 at 05:36:49AM -0500, Glyph Lefkowitz wrote:
> On Sunday, July 20, 2003, at 08:27 PM, Andrew Bennetts wrote:
>
> >This reminds me -- I wrote a simple resource wrapper recently that
> >provides HTTP basic auth, reading from a htpasswd(1) file [currently it
> >only supports crypt'ed passwords, not MD5]. This doesn't use guard (or
> >even newcred) at all, although it probably should.
>
> Actually, it ought to use newcred and be a part of guard. HTTP auth is
> really a funky way of establishing a session. It works totally
> differently from guard's SessionWrapper, but you get the same effect -
> this implementation detail would ideally be specified by some kind of
> configuration rather than by the application author directly, but, uh
> ... coil :).
>
> In short, if someone is going to enhance this to support newcred, don't
> get too hung up on the way the existing woven.guard stuff works :).

For what it's worth, I originally *tried* to implement this with
newcred/guard, and couldn't figure out how. I seem to recall that a large
stumbling block was UsernamePasswordWrapper not being useful if you are
trying to compare against *hashed* passwords;
IUsernamePassword.checkPassword assumes you have the cleartext to validate
against. In hindsight, I probably didn't want SessionWrapper, either,
because I didn't want sessions (just simple "you can/cannot access this
resource and its children").

I didn't need massive flexibility for my particular use-case (which was
emulating Apache's .htpasswd functionality), so I just did it the simplest
way I could, ignoring the existing infrastructure. I think I have to agree
with Moshe -- the existing guard stuff is too large and/or too difficult for
an uninitiated developer to work with.
-Andrew.
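
The stumbling block described in the message above, as an added example that is not part of the original post and is not Twisted code: when the password file holds only hashes, the check has to re-hash the submitted password with the stored salt rather than compare against cleartext. All function names are hypothetical, and salted PBKDF2 with a constructed `salt$hex` storage format stands in for crypt(3).

```python
import base64
import hashlib
import hmac

def hash_password(password, salt):
    # Assumption: salted PBKDF2 stands in for crypt(3); stored as "salt$hex".
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000)
    return f"{salt}${digest.hex()}"

def parse_htpasswd(text):
    """Map username -> stored hash from 'user:hash' lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            user, stored = line.split(":", 1)
            entries[user] = stored
    return entries

def parse_basic_auth(header):
    """Return (user, password) from an Authorization header value, or None."""
    scheme, _, blob = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # bad base64 or bad UTF-8
        return None
    user, sep, password = decoded.partition(":")  # password may contain ':'
    return (user, password) if sep else None

def is_authorized(header, entries):
    creds = parse_basic_auth(header)
    if creds is None:
        return False
    user, password = creds
    stored = entries.get(user)
    if stored is None or "$" not in stored:
        return False
    salt = stored.split("$", 1)[0]
    # No cleartext on file: re-hash the submitted password with the stored
    # salt, then compare the two hashes in constant time.
    candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate.encode(), stored.encode())

def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

# Constructed sample data: one user whose password contains a colon.
ENTRIES = parse_htpasswd("# sample\nalice:" + hash_password("s3cret:pw", "ab") + "\n")
```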