Christoph Zwerschke wrote:
> And you get a 401 error in TG 1.1 due to changeset 5253. The problem
> still existed when you add the query parameter tg_format=json, but this
> has just been fixed as well, in revisions 6660 and 6661.
Nice!
Though I'm wondering if changing the error code to 401 from 403 (r5274)
was a good idea (mea culpa). I just had a look at the HTTP spec [1]
again and if I understand correctly, 401 should be only used in
conjunction with HTTP authentication [2], which means a
"WWW-Authenticate" header must be sent along with the response.
I was misled by the remark in the description of the 403 status code:
"Authorization will not help and the request SHOULD NOT be repeated."
But obviously this pertains only to HTTP authentication. With
form/cookie-based authentication the client also will not repeat the
same request after logging in through the login form but will send
username/password as request variables or a session cookie, so it is
technically not the exact same request.
I think it would be very easy to add support for HTTP basic
authentication to identity by adding some code in IdentityFailure.
Example (untested):

    if config.get('identity.http_basic_auth', False):
        # a 401 must be sent together with a WWW-Authenticate challenge
        cherrypy.response.status = 401
        cherrypy.response.headers['WWW-Authenticate'] = \
            'Basic realm="%s"' % config.get('identity.http_auth_realm',
                                            'TurboGears')
        # set a different controller url here?
    else:
        # no HTTP authentication offered: keep 403
        cherrypy.response.status = 403
    cherrypy.InternalRedirect.__init__(self, url)

Getting the actual authentication credentials from an HTTP
"Authorization" header is already supported by the identity filter.
What do you all think about this matter?
Chris
[1] http://tools.ietf.org/html/rfc2616#section-10.4.2
[2] http://tools.ietf.org/html/rfc2617
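
The rule discussed in this message (a 401 must carry a "WWW-Authenticate" challenge, otherwise 403 is the appropriate status) can be enforced generically at the WSGI layer. The following is an added example, not part of the original message and not TurboGears code; the names Enforce401Challenge, demo_app and probe and the sample paths are hypothetical.

```python
from wsgiref.util import setup_testing_defaults


class Enforce401Challenge:
    """WSGI middleware: a 401 without WWW-Authenticate is rewritten to 403."""

    def __init__(self, app):
        self.app = app
        self.rewritten = []  # request paths whose 401 lacked a challenge

    def __call__(self, environ, start_response):
        def checked_start(status, headers, exc_info=None):
            names = {name.lower() for name, _ in headers}
            code = status.split(" ", 1)[0]
            if code == "401" and "www-authenticate" not in names:
                # No challenge means the client cannot retry with HTTP auth.
                self.rewritten.append(environ.get("PATH_INFO", ""))
                status = "403 Forbidden"
            if exc_info is not None:
                return start_response(status, headers, exc_info)
            return start_response(status, headers)
        return self.app(environ, checked_start)


def demo_app(environ, start_response):
    """Constructed sample app: /basic challenges, /form sends a bare 401."""
    path = environ["PATH_INFO"]
    headers = [("Content-Type", "text/plain")]
    if path == "/basic":
        headers.append(("WWW-Authenticate", 'Basic realm="TurboGears"'))
        start_response("401 Unauthorized", headers)
    elif path == "/form":
        start_response("401 Unauthorized", headers)
    else:
        start_response("200 OK", headers)
    return [b""]


def probe(app, path):
    """Call the app once; return (status line, WWW-Authenticate or None)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)

    b"".join(app(environ, start_response))
    return seen["status"], seen["headers"].get("WWW-Authenticate")
```

The rewritten list doubles as an audit trail of handlers that still emit a bare 401.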