[Twisted-Python] Something strange about cred

David Reid dreid at dreid.org
Fri Feb 9 11:19:38 EST 2007


On Feb 9, 2007, at 3:24 AM, Phil Mayers wrote:

> David Reid wrote:
>>> Death to HTTP digest authentication!
>> I don't know, I definitely prefer digest authentication[1] to sending
>> my password in plaintext[2]
>
> +1
>
> web2 auth is a much better architecture.
>
> I only spent a few hours looking at it (primarily looking at how
> Apple's CalDAV server implemented SPNEGO - very neat)

The way Apple's CalDAV server uses web2 auth is kind of broken,  
please don't use it as an example of how to use cred.  It does some  
very poor things because sometimes I'm an idiot.

> but it seemed to me that it could issue multiple WWW-Authenticate  
> headers and the browser should pick and reply to the appropriate one.

This is correct.

>
> Was my understanding correct? If so, why did the digest checker  
> cause this?

The problem wasn't with a Digest checker; it was with the lack of a  
checker for the IUsernameHashedPassword credential interface.  You  
still need to have a checker that implements the interface of  
whatever you are getting back from ICredentialFactory.decode.  In  
basic this is IUsernamePassword, for digest this is  
IUsernameHashedPassword.

--
David Reid
http://dreid.org/


