[Twisted-web] Sessions and Authentication for Web2

David Reid dreid at dreid.org
Fri Nov 18 10:51:12 MST 2005


On Thu, 2005-11-17 at 21:47 -0500, glyph at divmod.com wrote:
> 
> On Thu, 17 Nov 2005 11:09:42 -0800, David Reid <dreid at dreid.org> wrote:
> 
> >While it might be a valid assumption, there is no common public interface
> >provided to facilitate it.
> 
> The interface is ICredentialsChecker, specifically, requestAvatarID.

I don't see that working for things like HTTP Basic and Digest auth.
Even if ICredentials.checkPassword returns a deferred which fires
after the last step has been completed, most ICredentialsCheckers do
things with the credentials before they even call checkPassword, like
checking that the username exists.

But in Basic and Digest auth you don't have the username until you get
the response to your challenge.  So this is where IAuthorizer comes in:
it handles all the steps prior to having something that you can use to
build credentials.

So if IAuthorizer has nothing to do with this discussion, where would
you generate your challenge, and parse the response?

You could implement your own ICredentialsChecker and actually do these
things in requestAvatarId, via some interface on the credentials, but I
know you can't be suggesting that is the right way to do it, because
that would break all the modularity of cred.

> Honestly, I have no idea what you're talking about.  Have you read Abe's new book?  He covers everything in terms of cred.

Clearly I'm not explaining myself very well, but yes, the only things
I've ever read about cred are the source code and Abe's book.  But then
I looked at the actual HTTP AUTH implementations, and I feel there is
something more needed to support this properly.  I'm also wondering
where exarkun is, because this extension to cred was his idea in the
first place.

-David
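The challenge-response ordering David describes, as an added Python example that is not part of this thread or of Twisted's code: the server issues a Digest challenge before it knows any username, the username only appears once the Authorization response is parsed, and the checker looks the user up before comparing the digest. REALM, USERS and the function names are my own constructions; the digest computation is RFC 2617's qop=auth form.

```python
import hashlib
import hmac
import os
import re

# Constructed sample user store: username -> HA1 = MD5(user:realm:password),
# so the server keeps a digest rather than the plaintext password.
REALM = "example"
USERS = {"alice": hashlib.md5(b"alice:example:secret").hexdigest()}

def make_challenge():
    """Step 1: server issues the WWW-Authenticate challenge. No username yet."""
    nonce = os.urandom(16).hex()
    return nonce, 'Digest realm="%s", nonce="%s", qop="auth"' % (REALM, nonce)

def parse_authorization(header):
    """Step 2: parse the client's Authorization header into its parameters.
    Only at this point does the server learn which username is claimed."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        return None
    return dict(re.findall(r'(\w+)="?([^",]*)"?', params))

def digest_response(ha1, nonce, nc, cnonce, method, uri):
    # RFC 2617 request-digest for qop=auth: MD5(HA1:nonce:nc:cnonce:auth:HA2)
    ha2 = hashlib.md5(("%s:%s" % (method, uri)).encode()).hexdigest()
    data = "%s:%s:%s:%s:auth:%s" % (ha1, nonce, nc, cnonce, ha2)
    return hashlib.md5(data.encode()).hexdigest()

def check_credentials(params, expected_nonce, method):
    """Step 3: the checker's job: verify the nonce, look the username up
    first, then compare the digest. Returns the avatar id or None."""
    if params is None or params.get("nonce") != expected_nonce:
        return None
    ha1 = USERS.get(params.get("username"))
    if ha1 is None:
        return None  # unknown user: reject before any password comparison
    expected = digest_response(ha1, expected_nonce, params.get("nc", ""),
                               params.get("cnonce", ""), method, params.get("uri", ""))
    if hmac.compare_digest(expected, params.get("response", "")):
        return params["username"]
    return None

def client_authorization(username, password, nonce, method, uri):
    """Client side: build the Authorization header answering the challenge."""
    ha1 = hashlib.md5(("%s:%s:%s" % (username, REALM, password)).encode()).hexdigest()
    nc, cnonce = "00000001", os.urandom(8).hex()
    resp = digest_response(ha1, nonce, nc, cnonce, method, uri)
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", qop=auth, '
            'nc=%s, cnonce="%s", response="%s"'
            % (username, REALM, nonce, uri, nc, cnonce, resp))
```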