[Twisted-Python] Something strange about cred

Stephen Waterbury stephen.c.waterbury at nasa.gov
Thu Feb 8 11:25:54 EST 2007


Jean-Paul Calderone wrote:
> On Thu, 08 Feb 2007 10:16:51 -0500, Stephen Waterbury 
> <stephen.c.waterbury at nasa.gov> wrote:
>> Here's a simple self-contained example of a database
>> checker that's essentially identical to the one I
>> use with my code which works with web but not with the web2
>> auth example (i.e., httpauth.tac).  Perhaps someone familiar
>> with cred and web2 could suggest how I might fix it?
>>
>> The only changes needed to make the web2 auth example
>> use DbChecker instead of InMemoryUsernamePasswordDatabaseDontUse
>> are (1) apply attached patch to httpauth.py, (2) drop dbchecker.py
>> into the same directory.  The test_dbchecker.py script is just
>> a simple test to show that DbChecker returns an AvatarId
>> when given a credential with correct username and password
>> values.
>>
>> TIA for any help with this.
>>
> 
> Hey Steve,
> 
> Aside from the cred questions/issues you raised in the first email
> (some of which I think are valid), I think the main problem you're
> running into is that HTTP digest authentication is being used, but
> the checker you wrote can't handle this: digest auth requires that
> the checker be able to handle IUsernameHashedPassword credentials,
> which yours doesn't.
> 
> The reporting for this case could probably be improved.  If there is
> no checker registered which can handle the kind of credentials being
> used, it's probably a programming error, and the programmer should be
> told about it.
> 
> Jean-Paul

Thanks for the quick response, Jp!  I was under the impression that
this was just a basic auth example -- so if the basic auth thingy
is getting a plain text (uuencoded, same thing) password from the
app, why would it hash it before it gives it to the checker?
Auggh!  I can see the checker *storing* the password hashed
(which my "production" checker does, using sha), but it seems to
me pretty brain-dead to use hashed passwords over http when
plaintext passwords over https are way, way more secure
(and then all the checker has to deal with is plaintext passwds,
which it can store hashed for extra security).

Steve
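The dispatch problem Jean-Paul describes, as an added example that is not part of this thread and does not import Twisted: a stand-alone model in which each checker advertises the credential types it accepts and the portal fails loudly when no registered checker matches the credential it was handed (the "programmer should be told about it" case). The class names (UsernamePassword, UsernameHashedPassword, Portal, HashedStoreChecker, PlaintextStoreChecker) are simplified stand-ins for the twisted.cred interfaces, not Twisted's own code, and the digest-style credential is a constructed simplification (a real digest response is a nonce-bound MD5 computation). The point worth seeing is that a hashed-password credential only offers checkPassword(plaintext), so a checker that stores only sha digests cannot serve digest auth however its credentialInterfaces are declared.

```python
import hashlib


class UsernamePassword:
    """Stand-in for IUsernamePassword: basic auth hands the checker the plaintext."""

    def __init__(self, username, password):
        self.username = username
        self.password = password


class UsernameHashedPassword:
    """Stand-in for IUsernameHashedPassword: there is no password attribute,
    the checker can only call checkPassword(plaintext), which is what digest needs."""

    def __init__(self, username, verify):
        self.username = username
        self._verify = verify

    def checkPassword(self, plaintext):
        return self._verify(plaintext)


class UnauthorizedLogin(Exception):
    pass


class UnhandledCredentials(Exception):
    """Raised when no registered checker supports the credential type."""


class HashedStoreChecker:
    """Stores only sha256 digests, so it can verify basic-auth credentials
    but has nothing to pass to checkPassword() for digest credentials."""

    credentialInterfaces = (UsernamePassword,)

    def __init__(self, users):
        self._rows = {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}

    def requestAvatarId(self, creds):
        stored = self._rows.get(creds.username)
        candidate = hashlib.sha256(creds.password.encode()).hexdigest()
        if stored is None or candidate != stored:
            raise UnauthorizedLogin(creds.username)
        return creds.username


class PlaintextStoreChecker:
    """Keeps plaintext so it can answer checkPassword(); accepts both types.
    This is the trade-off the thread is circling: digest auth needs a
    recoverable password on the server side."""

    credentialInterfaces = (UsernamePassword, UsernameHashedPassword)

    def __init__(self, users):
        self._rows = dict(users)

    def requestAvatarId(self, creds):
        stored = self._rows.get(creds.username)
        if stored is None:
            raise UnauthorizedLogin(creds.username)
        if isinstance(creds, UsernameHashedPassword):
            ok = creds.checkPassword(stored)
        else:
            ok = creds.password == stored
        if not ok:
            raise UnauthorizedLogin(creds.username)
        return creds.username


class Portal:
    """Routes a credential to a checker by type; unknown types are an error,
    not a silent failure."""

    def __init__(self, *checkers):
        self._by_interface = {}
        for checker in checkers:
            for iface in checker.credentialInterfaces:
                self._by_interface[iface] = checker

    def login(self, creds):
        for iface, checker in self._by_interface.items():
            if isinstance(creds, iface):
                return checker.requestAvatarId(creds)
        raise UnhandledCredentials(type(creds).__name__)


def digest_style_credential(username, client_plaintext):
    """Constructed stand-in for what a digest handler produces: the client
    sends a hash of its password, and the credential can only compare a
    server-supplied plaintext against that response."""
    response = hashlib.sha256(client_plaintext.encode()).hexdigest()
    return UsernameHashedPassword(
        username, lambda pw: hashlib.sha256(pw.encode()).hexdigest() == response)


def login_outcome(portal, creds):
    """Return the avatar id, or the name of the exception the portal raised."""
    try:
        return portal.login(creds)
    except (UnauthorizedLogin, UnhandledCredentials) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    hashed = Portal(HashedStoreChecker({"steve": "s3cret"}))
    print(login_outcome(hashed, UsernamePassword("steve", "s3cret")))
    print(login_outcome(hashed, digest_style_credential("steve", "s3cret")))
```

Running it with the hashed store shows basic auth succeeding and the digest-style credential rejected with UnhandledCredentials rather than a vague failure; swapping in PlaintextStoreChecker makes the digest credential verifiable, at the cost of holding plaintext on the server.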