Ticket #2460 enhancement closed fixed

Opened 7 years ago

Last modified 7 years ago

HTTPAuthResource doesn't provide any way to support anonymous access.

Reported by: dreid Owned by:
Priority: highest Milestone:
Component: web2 Keywords:
Cc: therve Branch:
Author: Launchpad Bug:

Description

I think in the absence of an Authorization header, portal.login should be called with twisted.cred.credentials.Anonymous. In the case where anonymous access is not allowed (i.e. no checker registered for the IAnonymous credentials interface), portal.login will errback and an unauthorized response will be sent. Otherwise requestAvatar on the realm will be called normally.

This will also require a mechanism for resources below the HTTPAuthResource to trigger authentication at any point when the Anonymous credentials prove insufficient. This could be a method on the IAuthenticatedRequest, perhaps IAuthenticatedRequest.reauthenticate().

Change History

1

Changed 7 years ago by dreid

  • priority changed from normal to highest
  • status changed from new to assigned

2

Changed 7 years ago by dreid

  • status changed from assigned to new
  • priority changed from highest to high
  • keywords review added
  • owner dreid deleted

This branch passes credentials.Anonymous to portal.login if no header is given, and adds a response filter that will add WWW-Authenticate headers to any UNAUTHORIZED responses that don't have them. So triggering re-authentication is as easy as raise HTTPError(401).

3

Changed 7 years ago by dreid

  • priority changed from high to highest

4

Changed 7 years ago by therve

  • cc therve added
  • keywords review removed
  • owner set to dreid

Looks very good. renderHTTP and locateChild are missing docstrings in HTTPAuthResource; apart from that I think this is good to merge.

5

Changed 7 years ago by dreid

  • owner changed from dreid to therve
  • keywords review added

I added the docstrings for renderHTTP and locateChild. While writing the docstring for renderHTTP it dawned on me that renderHTTP's behavior was incorrect. So I added a test for the proper behavior (it should call renderHTTP on the protected resource), and changed its behavior to pass the test. I don't think renderHTTP is ever meant to be called, but better safe than sorry.

-David

6

Changed 7 years ago by therve

  • owner changed from therve to dreid
  • keywords review removed

Alright, but why didn't locateChild get the same treatment? It seems it ends up the same; that's just to clarify it for me.

But it's a detail, please merge.

7

Changed 7 years ago by dreid

To answer your question, the return value of locateChild is a resource and a sequence of path segments. If segments isn't empty, the resource gets its locateChild called.

8

Changed 7 years ago by dreid

  • status changed from new to closed
  • resolution set to fixed

(In [19764]) Merge web2-anon-auth-2460

Author: dreid Reviewer: therve Fixes #2460

Add support for anonymous authentication with the HTTPAuthResource. HTTPAuthResource will attempt to authenticate with ANONYMOUS credentials if no Authorization header is given. If the portal has an AllowAnonymousAccess checker registered with it then this will succeed.

If at any time an HTTPError is raised with an UNAUTHORIZED status code, HTTPAuthResource will add WWW-Authenticate headers based on its current configuration (if the WWW-Authenticate header is absent).

9

Changed 3 years ago by <automation>

  • owner dreid deleted