Opened 8 years ago

Closed 7 years ago

#2460 enhancement closed fixed (fixed)

HTTPAuthResource doesn't provide any way to support anonymous access.

Reported by: dreid Owned by:
Priority: highest Milestone:
Component: web2 Keywords:
Cc: therve Branch:
Author: Launchpad Bug:

Description

I think in the absence of an Authorization header portal.login should be called with twisted.cred.credentials.Anonymous. In the case where anonymous access is not allowed (i.e. no checker registered for the IAnonymous credentials interface), portal.login will errback and an unauthorized response will be sent. Otherwise requestAvatar on the realm will be called normally.

This will also require a mechanism for resources below the HTTPAuthResource to trigger authentication at any point when the Anonymous credentials prove insufficient. This could be a method on the IAuthenticatedRequest, perhaps IAuthenticatedRequest.reauthenticate().

Change History (9)

comment:1 Changed 8 years ago by dreid

  • Priority changed from normal to highest
  • Status changed from new to assigned

comment:2 Changed 8 years ago by dreid

  • Keywords review added
  • Owner dreid deleted
  • Priority changed from highest to high
  • Status changed from assigned to new

This branch passes credentials.Anonymous to portal.login if no header is given, and adds a response filter that will add WWW-Authenticate headers to any UNAUTHORIZED responses that don't have them. So triggering re-authentication is as easy as raise HTTPError(401).

comment:3 Changed 8 years ago by dreid

  • Priority changed from high to highest

comment:4 Changed 8 years ago by therve

  • Cc therve added
  • Keywords review removed
  • Owner set to dreid

Looks very good. renderHTTP and locateChild are missing docstrings in HTTPAuthResource; apart from that I think this is good to merge.

comment:5 Changed 8 years ago by dreid

  • Keywords review added
  • Owner changed from dreid to therve

I added the docstring for renderHTTP and locateChild. While writing the docstring for renderHTTP it dawned on me that renderHTTP's behavior was incorrect. So I added a test for the proper behavior (it should call renderHTTP on the protected resource), and changed its behavior to pass the test. I don't think renderHTTP is ever meant to be called, but better safe than sorry.

-David

comment:6 Changed 8 years ago by therve

  • Keywords review removed
  • Owner changed from therve to dreid

Alright, but why didn't locateChild get the same treatment? It seems it ends up the same; that's just to clarify it for me.

But it's a detail, please merge.

comment:7 Changed 7 years ago by dreid

To answer your question, the return value of locateChild is a resource and a sequence of path segments. If segments isn't empty, the resource gets its locateChild called.

comment:8 Changed 7 years ago by dreid

  • Resolution set to fixed
  • Status changed from new to closed

(In [19764]) Merge web2-anon-auth-2460

Author: dreid
Reviewer: therve
Fixes #2460

Add support for anonymous authentication with the HTTPAuthResource.
HTTPAuthResource will attempt to authenticate with ANONYMOUS credentials
if no Authorization header is given. If the portal has an AllowAnonymousAccess
checker registered with it then this will succeed.

If at any time an HTTPError is raised with an UNAUTHORIZED status code
HTTPAuthResource will add WWW-Authenticate headers based on its current
configuration (if the WWW-Authenticate header is absent).

comment:9 Changed 4 years ago by <automation>

  • Owner dreid deleted
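
The flow this ticket settles on (anonymous login when no Authorization header is sent, plus a filter that adds WWW-Authenticate to any 401 lacking it), as an added example that is not part of the ticket and is not Twisted code. It is a dependency-free Python model; `Portal`, `allow_anonymous`, `check_basic`, `protected`, `handle` and the alice account are hypothetical stand-ins.

```python
import base64
import hmac
UNAUTHORIZED, ANONYMOUS = 401, "ANONYMOUS"

class HTTPError(Exception):
    def __init__(self, code, headers=None):
        super().__init__(code)
        self.code, self.headers = code, dict(headers or {})

class Portal:
    """Model portal: maps a credentials kind to a checker callable."""
    def __init__(self, checkers):
        self.checkers = checkers
    def login(self, kind, creds):
        checker = self.checkers.get(kind)
        if checker is None:  # no checker registered for this kind
            raise HTTPError(UNAUTHORIZED)
        return checker(creds)  # avatar id, or raises HTTPError(401)

def allow_anonymous(_creds):
    return ANONYMOUS

def check_basic(header):
    # Constructed sample account: alice / s3cret.
    scheme, _, blob = header.partition(" ")
    try:
        user, _, password = base64.b64decode(blob).decode().partition(":")
    except ValueError:  # bad base64 or bad UTF-8
        raise HTTPError(UNAUTHORIZED) from None
    ok = hmac.compare_digest(password.encode(), b"s3cret")
    if scheme.lower() != "basic" or user != "alice" or not ok:
        raise HTTPError(UNAUTHORIZED)
    return user

def protected(avatar, path):
    # Child resource: anonymous is fine except under /admin.
    if path == "/admin" and avatar == ANONYMOUS:
        raise HTTPError(UNAUTHORIZED)  # triggers re-authentication
    return 200, {}, "%s as %s" % (path, avatar)

def handle(portal, headers, path, challenge='Basic realm="example"'):
    """Wrapper: anonymous fallback, then the 401 response filter."""
    try:
        kind = "anonymous" if "Authorization" not in headers else "basic"
        return protected(portal.login(kind, headers.get("Authorization")), path)
    except HTTPError as err:
        if err.code == UNAUTHORIZED:  # add the challenge only if absent
            err.headers.setdefault("WWW-Authenticate", challenge)
        return err.code, err.headers, ""
```

A portal built without the `"anonymous"` checker answers every header-less request with a challenged 401, which is the fail-closed default the ticket describes.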