Hi Aaron,
On 8/18/09 1:43 PM, Aaron Watters wrote:
> Hi,
> Since I've had some trouble getting replies from
> these mailing addresses I will probably post this to
> comp.lang.python or similar if I don't get a timely
> response:

Sorry, I actually didn't see any traffic come in about this.

> Is this a repoze.who bug?

Yes, it was, although it is one that has been addressed with a workaround.

> In summary for currently authenticated users
> I can't delete users or change passwords
> and get repoze.who to require the user to log in again.
> I start the server using htpasswd containing the line
>      testuser:testpasswd
> Then log in as testuser.
> Then I stop the server and edit the
> htpasswd file deleting the testuser entry.
> Then I restart the server and
> after reloading the browser page *the server thinks
> I'm still logged in as testuser*!!

You're using the AuthTkt identifier plugin.  It had a design bug (which I 
created) initially.  Because "auth_tkt" cookies don't send back both a username 
and password as a payload, there's no way to use a traditional authenticator to 
authenticate its "credentials" (e.g. passing its credentials to the htpasswd 
authenticator would be useless).  As a result, the authtkt plugin 
"preauthenticates" its credentials if the auth tkt cookie checks out at all. 
But the design bug was that it didn't check if the user still *existed* before 

As a workaround, its constructor as of repoze.who 1.0.14 accepts a 
"userid_checker" callback.   This callback should accept a userid, and should 
return True if the user still exists or False if the user does not.  If it 
returns False, the credentials will be considered invalid.

- C

> I think the deleted testuser should not be recognized
> as a valid user and I should be required to log in again.
> Where am I confused?
> This is a little disturbing because it raises the possibility
> that a user could spoof being logged in
> by adding HTTP headers without knowing
> a valid password.  Am I wrong?
> I'm using the following configuration:
> from repoze.who.interfaces import IIdentifier, IChallenger
> from repoze.who.plugins.htpasswd import HTPasswdPlugin
> from repoze.who.plugins.basicauth import BasicAuthPlugin
> from repoze.who.plugins.auth_tkt import AuthTktCookiePlugin
> from repoze.who.plugins.form import RedirectingFormPlugin
> # the passwords are in clear text
> def cleartext_check(password, hashed):
>      return password == hashed
> # use the htpasswd file to find user names and passwords
> # (htfile is the path to the htpasswd file, set elsewhere)
> htpasswd = HTPasswdPlugin(htfile, cleartext_check)
> # allow HTTP basic authentication.
> basicauth = BasicAuthPlugin('repoze.who')
> # also allow auth_tkt based authentication
> auth_tkt = AuthTktCookiePlugin('secret', 'auth_tkt')
> # use the repoze.who redirecting form plugin for challenges and identification
> form = RedirectingFormPlugin('login_url', '/login_handler_path',
>                              '/logout_handler_path',
>                              rememberer_name='auth_tkt')
> # set up the form classifications
> form.classifications = { IIdentifier:['browser'],
>                          IChallenger:['browser'] }
> # the repoze.who identifiers
> identifiers = [('form', form),('auth_tkt',auth_tkt),('basicauth',basicauth)]
> # the repoze.who authenticators
> authenticators = [('htpasswd', htpasswd)]
> # the repoze.who challengers
> challengers = [('form',form), ('basicauth',basicauth)]
> # no metadata providers, please.
> mdproviders = []
> # use default classifiers and deciders
> from repoze.who.classifiers import default_request_classifier
> from repoze.who.classifiers import default_challenge_decider
> I don't understand "auth_tkt" -- is that the culprit?
> Please respond.  Thanks!
>    -- Aaron Watters

Repoze-dev mailing list
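The failure Chris describes above, and the `userid_checker` workaround, as an added stand-alone example (not repoze.who's own code): a simplified HMAC-signed ticket plays the role of the auth_tkt cookie, the htpasswd contents are constructed strings, and `make_userid_checker` builds the kind of callback one would pass as `userid_checker` to `AuthTktCookiePlugin`. A ticket issued before `testuser` was deleted still verifies, so without the checker the user stays "logged in"; with the checker the identity is dropped and a fresh login is required. A ticket forged without the secret fails the MAC check either way.

```python
import hmac
import hashlib

# Constructed htpasswd contents (cleartext, as in the config above), not real files.
HTPASSWD_BEFORE = "testuser:testpasswd\nalice:wonderland\n"
HTPASSWD_AFTER = "alice:wonderland\n"   # testuser removed while the server was stopped


def htpasswd_users(contents):
    """Return the set of usernames in htpasswd-style text (comments/blank lines skipped)."""
    users = set()
    for line in contents.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            users.add(line.split(":", 1)[0])
    return users


def make_userid_checker(get_htpasswd):
    """Build a userid_checker callback: True if the user still exists, else False.

    get_htpasswd is re-read on every call so edits to the file take effect."""
    def userid_checker(userid):
        return userid in htpasswd_users(get_htpasswd())
    return userid_checker


def sign_ticket(secret, userid):
    """Simplified auth_tkt-style ticket (constructed): HMAC over the userid, then the userid."""
    mac = hmac.new(secret.encode(), userid.encode(), hashlib.sha256).hexdigest()
    return mac + "!" + userid


def identify_ticket(secret, ticket, userid_checker=None):
    """Mimic the identifier: a valid MAC yields a preauthenticated identity,
    unless a userid_checker says the user no longer exists."""
    if "!" not in ticket:
        return None
    mac, userid = ticket.split("!", 1)
    expected = hmac.new(secret.encode(), userid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None                      # forged or tampered ticket
    if userid_checker is not None and not userid_checker(userid):
        return None                      # user deleted: force a new login
    return {"repoze.who.userid": userid}


def demo():
    """Ticket issued while testuser existed, presented after the deletion and restart."""
    ticket = sign_ticket("secret", "testuser")
    state = {"htpasswd": HTPASSWD_AFTER}
    checker = make_userid_checker(lambda: state["htpasswd"])
    return identify_ticket("secret", ticket), identify_ticket("secret", ticket, checker)
```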