[Twisted-Python] Something strange about cred

David Reid dreid at dreid.org
Fri Feb 9 09:18:44 MST 2007


On Feb 8, 2007, at 7:01 PM, Stephen Waterbury wrote:

> David Reid wrote:
>> On Feb 8, 2007, at 2:51 PM, Stephen Waterbury wrote:
>>> Jean-Paul Calderone wrote:
>>>> ... I think the main problem you're
>>>> running into is that HTTP digest authentication is being used  ...
>>>
>>> *So* (for anybody still listening ;) I finally figured out the
>>> implication of Jp's comment:  all I had to do was remove the
>>> digest.DigestCredentialFactory('md5', 'My Realm') factory
>>> instance from HTTPAuthResource's list of credentialFactories
>>> and bingo, we're in basic auth mode and my checker works
>>> with the web2 auth example -- yay!
>> Why doesn't your DB Checker just support both interfaces?  
>> IUsernamePassword, and IUsernameHashedPassword,
>> doing the right thing depending on the interface provided by the  
>> credentials input.  Or, do the same thing regardless, because they  
>> provide compatible checkPassword interfaces.  You'd have to read  
>> the password from the DB here, but I don't see why that should  
>> concern you.  And the ability to use Digest auth would provide all  
>> around better security.
>
> Thanks, David, but for my application it isn't useful.  IMNSHO, digest
> auth only gives an illusion of good security -- it's encrypted, right?
> But I regard it as a waste of time, and the time that I have to work
> on the actual logic of my application is in short supply as it is.

Well, relative merits of Digest authentication aside, it's trivial to  
make your DbChecker support the IUsernameHashedPassword of which  
there are providers other than web2's DigestedCredentials.  So I feel  
like you're really missing out on some of the flexibility that is  
cred, but you seem to genuinely have no desire (and/or time) for  
anything more than basic auth so I won't harp on this point anymore.

--
David Reid
http://dreid.org/

