Opened 10 years ago

Closed 10 years ago

#2460 enhancement closed fixed (fixed)

HTTPAuthResource doesn't provide any way to support anonymous access.

Reported by: David Reid Owned by:
Priority: highest Milestone:
Component: web2 Keywords:
Cc: therve Branch:
Author:

Description

I think in the absence of an Authorization header portal.login should be called with twisted.cred.credentials.Anonymous, in the case where anonymous access is not allowed (i.e. no checker registered for the IAnonymous credentials interface) portal.login will errback and an unauthorized response will be sent. Otherwise requestAvatar on the realm will be called normally.

This will also require a mechanism for resources below the HTTPAuthResource to trigger authentication at anypoint when the Anonymous credentials prove insufficient. This could be a method on the IAuthenticatedRequest, perhaps IAuthenticatedRequest.reauthenticate()

Change History (9)

comment:1 Changed 10 years ago by David Reid

Priority: normalhighest
Status: newassigned

source:branches/web2-anon-auth-2460

comment:2 Changed 10 years ago by David Reid

Keywords: review added
Owner: David Reid deleted
Priority: highesthigh
Status: assignednew

This branch passes credentials.Anonymous to portal.login if it no header is given. And adds a response filter that will add WWW-Authenticate headers to any UNAUTHORIZED responses that don't have them. So triggering re authentication is as easy as raise HTTPError(401).

comment:3 Changed 10 years ago by David Reid

Priority: highhighest

comment:4 Changed 10 years ago by therve

Cc: therve added
Keywords: review removed
Owner: set to David Reid

Looks very good. renderHTTP and locateChild miss docstrings in HTTPAuthResource, apart from that I think this is good to merge.

comment:5 Changed 10 years ago by David Reid

Keywords: review added
Owner: changed from David Reid to therve

I added the docstring for renderHTTP and locateChild. While writing the docstring for renderHTTP it dawned on me that renderHTTP's behavior was incorrect. So I added a test for the proper behavior (it should call renderHTTP on the protected resource), and changed it's behavior to pass the test. I don't think renderHTTP is ever meant to be called, but better safe than sorry.

-David

comment:6 Changed 10 years ago by therve

Keywords: review removed
Owner: changed from therve to David Reid

Alright, but why locateChild didn't get the same treatment ? It seems it ends up the same, that's just to clarify it for me.

But it's a detail, please merge.

comment:7 Changed 10 years ago by David Reid

To answer your question, the return value of locateChild is a resource and a sequence of path segments. If segments isn't empty, the resource gets it's locateChild called.

comment:8 Changed 10 years ago by David Reid

Resolution: fixed
Status: newclosed

(In [19764]) Merge web2-anon-auth-2460

Author: dreid Reviewer: therve Fixes #2460

Add support for anonymous authentication with the HTTPAuthResource. HTTPAuthResource will attempt to authenticate with ANONYMOUS credentials if no Authorization header is given. If the portal has an AllowAnonymousAccess checker registered with it then this will succeed.

If at any time an HTTPError is raised with an UNAUTHORIZED status code HTTPAuthResource will add WWW-Authenticate headers based on it's current configuration (if the WWW-Authenticate header is absent)

comment:9 Changed 6 years ago by <automation>

Owner: David Reid deleted
Note: See TracTickets for help on using tickets.