On Fri, 2010-07-30 at 01:08 -0400, Michael Pedersen wrote:
> Granted, I'm no expert on this, but since authentication has yet to
> complete, didn't you just grant an unauthenticated user access to a
> session that may or may not turn out to belong to that user?
I don't think so. IIRC the beaker session for an authenticated user is
determined from a session cookie for that user, so no-one should be able
to steal the session without being able to duplicate the cookie. If
anyone can do that, the standard auth_tkt mechanism is also insecure.
With my changes I can replace auth_tkt with beaker_tkt which gives me
the ability to retain much more identity information, and to keep it all
within the server.
FWIW, here is the code I am now using (share and enjoy):
class AppConfigByWho(AppConfig):
"""
AppConfig subclass that allows repoze.who to be managed from
a config file (who.ini). To setup who.ini, simply define it as
follows in your development.ini file (in the app:main section):
who.config_file = %(here)s/who.ini
who.log_level = debug
who.log_file = stdout
As well as providing repoze.who configuration through an ini file,
it also changes the order of items in the middleware stack. By
defining the core middleware after the authentication middleware,
the authentication middleware, when it runs, can access Beaker
sessions. This allows authentication information to be cached
locally, rather than in a client-side cookie.
"""
def add_auth_middleware(self, app, skip_authentication):
if config.get('who.config_file', None):
# We have a who.ini file, so we do authentication based on its
# contents
app = make_who_with_config(app,
config,
config.get('who.config_file','who.ini'),
config.get('who.log_file','stdout'),
config.get('who.log_level','debug'))
# Add core middleware after the authentication stuff rather
# than the other way round. This is done so that the
# authentication stuff can see the beaker.
from routes.middleware import RoutesMiddleware
from beaker.middleware import CacheMiddleware, SessionMiddleware
app = RoutesMiddleware(app, config['routes.map'])
app = SessionMiddleware(app, config)
app = CacheMiddleware(app, config)
return app
else:
# Quickstart based authentication
return super(VPDppConfig, self).__init__(app, skip_authentication)
def add_core_middleware(self, app):
"""
Do nothing as the core middleware is now being set up in
add_auth_middleware.
"""
return app
And in app_cfg.py:
base_config = AppConfigByWho()
__
Marc
--
You received this message because you are subscribed to the Google Groups
"TurboGears" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/turbogears?hl=en.
