[Twisted-Python] htpasswd / HTTP basic auth example

Andrew Bennetts andrew-twisted at puzzling.org
Mon Jul 21 07:03:43 EDT 2003

On Mon, Jul 21, 2003 at 05:36:49AM -0500, Glyph Lefkowitz wrote:
> On Sunday, July 20, 2003, at 08:27 PM, Andrew Bennetts wrote:
> >This reminds me -- I wrote a simple resource wrapper recently that
> >provides HTTP basic auth, reading from a htpasswd(1) file [currently it
> >only supports crypt'ed passwords, not MD5].  This doesn't use guard (or
> >even newcred) at all, although it probably should.
> Actually, it ought to use newcred and be a part of guard.  HTTP auth is 
> really a funky way of establishing a session.  It works totally 
> differently from guard's SessionWrapper, but you get the same effect - 
> this implementation detail would ideally be specified by some kind of 
> configuration rather than by the application author directly, but, uh 
> ... coil :).
> In short, if someone is going to enhance this to support newcred, don't 
> get too hung up on the way the existing woven.guard stuff works :).

For what it's worth, I originally *tried* to implement this with
newcred/guard, and couldn't figure out how.  I seem to recall that a large
stumbling block was UsernamePasswordWrapper not being useful if you are
trying to compare against *hashed* passwords;
IUsernamePassword.checkPassword assumes you have the cleartext to validate
against.  In hindsight, I probably didn't want SessionWrapper, either,
because I didn't want sessions (just simple "you can/cannot access this
resource and its children").  

I didn't need massive flexibility for my particular use-case (which was
emulating Apache's .htpasswd functionality), so I just did it the simplest
way I could, ignoring the existing infrastructure.  I think I have to agree
with Moshe -- the existing guard stuff is too large and/or too difficult for
an uninitiated developer to work with.


More information about the Twisted-Python mailing list