[Twisted-web] Sessions and Authentication for Web2
Jean-Paul Calderone
exarkun at divmod.com
Sat Nov 19 18:41:58 MST 2005
On Sat, 19 Nov 2005 23:00:31 +0000, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
>David Reid wrote:
>>
>>But in Basic and Digest auth you don't have the username until you get
>>the response to your challenge. So this is where IAuthorizer comes in
>>it handles all the steps prior to having something that you can use to
>>build a credentials.
>
>I'm no cred expert, and I dislike it conceptually, but as far as I can tell
>it's got all the facilities it needs. HTTP is slightly more complex so I'll
>start with a SASL-ised imap-like example, to see if I've got the right idea:
>
> [snip - cool example protocol with cred integration]
>
>HTTP is a bit of a pain because of the "connectionless" basis. The RFCs for
>the hacky mechanisms like "Negotiate" (the MS-ism for kerberos over HTTP)
>and such show that. Digest would want some kind of stateless version -
>you're effectively authenticating requests as opposed to the connection, but
>the basic principle is the same. I'm sure you know all this.
>
>So am I missing something? It looks like cred needs no extending?
Nope. You're dead on. Cred can do everything necessary to handle Digest auth as-is. Digest auth isn't even the most complex scheme it supports.
I wrote the attached quick example of authentication that involves repeated challenges and per-user private authentication-required state. It is mainly the same as your example, with the addition of support for a kind of credential that requires cooperation from both the authentication database and the protocol.
Jean-Paul
-------------- next part --------------
A non-text attachment was scrubbed...
Name: supercred.py
Type: text/x-python
Size: 6156 bytes
Desc: not available
Url : http://twistedmatrix.com/pipermail/twisted-web/attachments/20051119/b7b0eaa0/supercred.py
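The attachment did not survive the archive, so the following is an added example, not supercred.py and not twisted.cred itself: a plain-Python sketch of the shape Jean-Paul describes, HTTP Digest (RFC 2617, qop=auth, MD5 because that is what Digest specifies) split so that the protocol half owns the request data and mints nonces while the checker half owns only each user's stored HA1 and never sees a request. It also uses the stateless nonce Phil mentions: issue time plus an HMAC, so the server verifies a nonce without keeping a table of outstanding challenges. The realm, user, password, key length, TTL, clock values and header fields are all constructed for illustration.

```python
"""Added example (plain Python, not twisted.cred, not the scrubbed supercred.py):
HTTP Digest (RFC 2617, qop=auth, MD5 as the RFC specifies) split cred-style.
The protocol half owns the request (method, URI) and mints/validates nonces;
the checker half owns the per-user secret (HA1) and never sees a request."""
import hashlib
import hmac
import os
import time

REALM = "example"            # assumed realm name
NONCE_KEY = os.urandom(32)   # per-process secret; rotating it voids every outstanding nonce
NONCE_TTL = 300              # seconds a nonce stays acceptable (assumed)

def _md5(*parts):
    return hashlib.md5(":".join(parts).encode()).hexdigest()

def make_ha1(username, realm, password):
    """The value the account database stores instead of the clear password."""
    return _md5(username, realm, password)

def make_nonce(now=None):
    """Stateless nonce: issue time plus an HMAC over it, so no server-side nonce table."""
    ts = str(int(time.time() if now is None else now))
    return ts + ":" + hmac.new(NONCE_KEY, ts.encode(), hashlib.sha256).hexdigest()

def nonce_is_valid(nonce, now=None):
    """Accept only nonces this server minted, and only for NONCE_TTL seconds."""
    try:
        ts, mac = nonce.split(":", 1)
        issued = int(ts)
    except ValueError:
        return False
    expected = hmac.new(NONCE_KEY, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    return 0 <= int(time.time() if now is None else now) - issued <= NONCE_TTL

class DigestedCredentials:
    """Built by the protocol from the Authorization header; verified by the database side."""
    def __init__(self, username, method, uri, nonce, nc, cnonce, response):
        self.username, self.method, self.uri = username, method, uri
        self.nonce, self.nc, self.cnonce, self.response = nonce, nc, cnonce, response

    def check_ha1(self, ha1):
        """The checker supplies only HA1; the request data came in with the credentials."""
        expected = _md5(ha1, self.nonce, self.nc, self.cnonce, "auth", _md5(self.method, self.uri))
        return hmac.compare_digest(expected, self.response)

class HA1Checker:
    """Checker half: knows stored HA1s only; returns an avatar id or None."""
    def __init__(self, ha1_by_user):
        self._db = ha1_by_user

    def check(self, creds):
        ha1 = self._db.get(creds.username)
        return creds.username if ha1 is not None and creds.check_ha1(ha1) else None

def authenticate_request(checker, method, uri, fields, now=None):
    """Protocol half: reject foreign or stale nonces, then hand credentials to the checker."""
    if fields.get("realm") != REALM or fields.get("qop") != "auth":
        return None
    if not nonce_is_valid(fields.get("nonce", ""), now):
        return None  # caller should answer 401 with a fresh WWW-Authenticate challenge
    creds = DigestedCredentials(fields["username"], method, uri, fields["nonce"],
                                fields["nc"], fields["cnonce"], fields["response"])
    return checker.check(creds)

def client_response(username, password, realm, method, uri, nonce, nc, cnonce):
    """What a client puts in the response= field (RFC 2617, qop=auth)."""
    return _md5(make_ha1(username, realm, password), nonce, nc, cnonce, "auth", _md5(method, uri))

def demo():
    """Four requests against one challenge: good, wrong password, stale nonce, altered URI."""
    checker = HA1Checker({"alice": make_ha1("alice", REALM, "s3cret")})
    issued = 1_000_000.0                      # constructed clock values
    nonce = make_nonce(now=issued)
    hdr = {"username": "alice", "realm": REALM, "qop": "auth",
           "nonce": nonce, "nc": "00000001", "cnonce": "0a4f113b"}

    def sign(password, uri="/private"):
        return dict(hdr, response=client_response("alice", password, REALM, "GET", uri,
                                                  nonce, hdr["nc"], hdr["cnonce"]))

    good = authenticate_request(checker, "GET", "/private", sign("s3cret"), now=issued + 10)
    bad_pw = authenticate_request(checker, "GET", "/private", sign("wrong"), now=issued + 10)
    stale = authenticate_request(checker, "GET", "/private", sign("s3cret"),
                                 now=issued + NONCE_TTL + 1)
    # response computed for /private, but the request line asks for /admin
    altered = authenticate_request(checker, "GET", "/admin", sign("s3cret"), now=issued + 10)
    return good, bad_pw, stale, altered

if __name__ == "__main__":
    print(demo())  # ('alice', None, None, None)
```

Two caveats a deployer would want. The HMAC nonce removes the per-challenge table, but on its own it does not stop a captured Authorization header from being replayed within NONCE_TTL; blocking that means tracking the nc counter per nonce, which is exactly the state this design avoids, so keep the TTL short or accept the window. And HA1 is a password equivalent: anyone who reads the account database can authenticate as every user, so Digest, which RFC 2617 ties to MD5, is a weak scheme by today's standards and belongs behind TLS.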