[Twisted-Python] Something strange about cred

Stephen Waterbury stephen.c.waterbury at nasa.gov
Thu Feb 8 12:26:19 EST 2007


Stephen Waterbury wrote:
> Jean-Paul Calderone wrote:
>> On Thu, 08 Feb 2007 10:16:51 -0500, Stephen Waterbury 
>> <stephen.c.waterbury at nasa.gov> wrote:
>>> Here's a simple self-contained example of a database
>>> checker that's essentially identical to the one I
>>> use with my code which works with web but not with the web2
>>> auth example (i.e., httpauth.tac).  Perhaps someone familiar
>>> with cred and web2 could suggest how I might fix it?
>>>
>>> The only changes needed to make the web2 auth example
>>> use DbChecker instead of InMemoryUsernamePasswordDatabaseDontUse
>>> are (1) apply attached patch to httpauth.py, (2) drop dbchecker.py
>>> into the same directory.  The test_dbchecker.py script is just
>>> a simple test to show that DbChecker returns an AvatarId
>>> when given a credential with correct username and password
>>> values.
>>>
>>> TIA for any help with this.
>>>
>>
>> Hey Steve,
>>
>> Aside from the cred questions/issues you raised in the first email
>> (some of which I think are valid), I think the main problem you're
>> running into is that HTTP digest authentication is being used, but
>> the checker you wrote can't handle this: digest auth requires that
>> the checker be able to handle IUsernameHashedPassword credentials,
>> which yours doesn't.
>>
>> The reporting for this case could probably be improved.  If there is
>> no checker registered which can handle the kind of credentials being
>> used, it's probably a programming error, and the programmer should be
>> told about it.
>>
>> Jean-Paul
> 
> Thanks for the quick response, Jp!  I was under the impression that
> this was just a basic auth example -- so if the basic auth thingy
> is getting a plain text (uuencoded, same thing) password from the
> app, why would it hash it before it gives it to the checker?
> Auggh!  I can see the checker *storing* the password hashed
> (which my "production" checker does, using sha), but it seems to
> me pretty brain-dead to use hashed passwords over http when
> plaintext passwords over https are way, way more secure
> (and then all the checker has to deal with is plaintext passwds,
> which it can store hashed for extra security).

Well, that was an incorrect and non-sequitur reply on my part,
so apologies for that!

I still think HTTP digest authentication is not very useful,
but I do understand why web2 implements it, because it's part
of the spec.  No more griping, for now -- and I should say that
everything *else* about web2 looks great so far!  :)

Steve
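The fix Jean-Paul points at, as an added example that is neither from this thread nor Twisted's own code: a checker that declares both credential kinds so the digest path can reach it, next to a portal-style lookup that reports a missing checker instead of silently rejecting the login. Assumptions: Twisted's IUsernamePassword, IUsernameHashedPassword and UnauthorizedLogin are stood in for by minimal classes so the block runs without Twisted, and the digest scheme is a constructed sha256-over-nonce, not RFC 2617's.

```python
import hashlib
import hmac
# Assumption: these classes stand in for Twisted's IUsernamePassword and
# IUsernameHashedPassword credential interfaces; they are not Twisted's code.
class UsernamePassword:
    def __init__(self, username, password):  # basic auth: password itself
        self.username, self.password = username, password

def digest_response(nonce, password):
    """What a digest client sends (constructed scheme, not RFC 2617's)."""
    return hashlib.sha256(nonce + password).hexdigest()

class UsernameHashedPassword:
    """Digest auth: the client sent a hash over a nonce and the password, so
    checkPassword() must be handed the plaintext to recompute it."""
    def __init__(self, username, nonce, response):
        self.username, self.nonce, self.response = username, nonce, response

    def checkPassword(self, password):
        return hmac.compare_digest(digest_response(self.nonce, password), self.response)

class UnauthorizedLogin(Exception):
    pass  # stands in for twisted.cred.error.UnauthorizedLogin

class DbChecker:
    """Declares both credential kinds, so the digest path can reach it."""
    credentialInterfaces = (UsernamePassword, UsernameHashedPassword)

    def __init__(self, users):
        self.users = users  # username -> plaintext password (digest needs it)

    def requestAvatarId(self, creds):
        stored = self.users.get(creds.username)
        if stored is None:
            raise UnauthorizedLogin(creds.username)
        if isinstance(creds, UsernameHashedPassword):
            ok = creds.checkPassword(stored)
        else:
            ok = hmac.compare_digest(stored, creds.password)
        if not ok:
            raise UnauthorizedLogin(creds.username)
        return creds.username

def login(checkers, creds):
    """Stand-in for the portal's lookup: fail loudly if no checker declared
    the credential type instead of silently rejecting the login."""
    for checker in checkers:
        if isinstance(creds, checker.credentialInterfaces):
            return checker.requestAvatarId(creds)
    raise NotImplementedError("no checker for %s" % type(creds).__name__)
USERS = {b"steve": b"s3cret"}  # constructed sample user table
```

A checker that stores only a hash of the password, as Steve's production checker does, can serve the UsernamePassword path but can never satisfy checkPassword(), which is the trade-off digest auth forces on the server side.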
