I tried implementing a sample 'Challenge_Decider' plugin and inserted
it as middleware.
Questions:
Q1) Does the who.ini have to have the complete set of config items, or
just the ones that are overridden? See Section 1 below.
Q2) By the time the response comes into the challenge_decider plugin,
the HTTP status is ALREADY set to 302, instead of 401; so the
challenge_decider cannot override the original behavior. Hmmm...??
See Section 2 below. Code in Section 3 below.
Where in the response flow is a 401 being replaced by 302?
=== SECTION 1 ===
At first I tried a who.ini with just the following entries, but it did
not work.
-----
[general]
request_classifier = repoze.who.classifiers:default_request_classifier
challenge_decider = myapp.config.auth:ApiClientChallengeDeciderPlugin
-----
So I had to add other config items. I will check docs to see if this
is a complete set.
-----
[general]
request_classifier = repoze.who.classifiers:default_request_classifier
challenge_decider = uhoopla.config.auth:ApiClientChallengeDeciderPlugin

[plugin:form]
use = repoze.who.plugins.form:make_plugin
rememberer_name = auth_tkt

[plugin:auth_tkt]
use = repoze.who.plugins.auth_tkt:make_plugin
secret = something

[identifiers]
plugins =
    form;browser
    auth_tkt

[challengers]
plugins =
    form;browser
-----
=== SECTION 2 ===
2010-12-07 21:37:14,978 -- repoze.who request started (/restricted_url/) --
2010-12-07 21:37:14,978 request classification: browser
2010-12-07 21:37:14,979 identifier plugins registered [<FormPlugin 64267088>, <AuthTktCookiePlugin 64266832>]
2010-12-07 21:37:14,979 identifier plugins matched for classification "browser": [<FormPlugin 64267088>, <AuthTktCookiePlugin 64266832>]
2010-12-07 21:37:14,979 no identity returned from <FormPlugin 64267088> (None)
2010-12-07 21:37:14,980 no identity returned from <AuthTktCookiePlugin 64266832> (None)
2010-12-07 21:37:14,980 identities found: []
2010-12-07 21:37:14,980 no identities found, not authenticating
21:37:15,014 WARNI [myapp.config.auth.api_client_challenge_decider] ApiClientChallengeDeciderPlugin __call__ type(environ)=<type 'dict'> status=302 Found type(headers)=<type 'list'>
21:37:15,014 WARNI [myapp.config.auth.api_client_challenge_decider] ApiClientChallengeDeciderPlugin __call__ headers=[('Set-Cookie', 'webflash=%7B%22status%22%3A%20%22warning%22%2C%20%22message%22%3A%20%22The%20current%20user%20must%20have%20been%20authenticated%22%7D; Path=/'), ('location', '/login?came_from=http%3A%2F%2F192.168.1.111%3A8080%2Frestricted_url%2F'), ('content-type', 'text/html')]
2010-12-07 21:37:15,015 no challenge required
2010-12-07 21:37:15,015 -- repoze.who request ended (/restricted_url/) --
2010-12-07 21:37:15,105 -- repoze.who request started (/login) --
2010-12-07 21:37:15,105 request classification: browser
2010-12-07 21:37:15,105 identifier plugins registered [<FormPlugin 64267088>, <AuthTktCookiePlugin 64266832>]
2010-12-07 21:37:15,106 identifier plugins matched for classification "browser": [<FormPlugin 64267088>, <AuthTktCookiePlugin 64266832>]
2010-12-07 21:37:15,106 no identity returned from <FormPlugin 64267088> (None)
2010-12-07 21:37:15,106 no identity returned from <AuthTktCookiePlugin 64266832> (None)
2010-12-07 21:37:15,106 identities found: []
2010-12-07 21:37:15,106 no identities found, not authenticating
21:37:15,130 WARNI [myapp.config.auth.api_client_challenge_decider] ApiClientChallengeDeciderPlugin __call__ type(environ)=<type 'dict'> status=200 OK type(headers)=<type 'list'>
21:37:15,131 WARNI [myapp.config.auth.api_client_challenge_decider] ApiClientChallengeDeciderPlugin __call__ headers=[('Pragma', 'no-cache'), ('Cache-Control', 'no-cache'), ('Content-Type', 'text/html; charset=utf-8'), ('Set-Cookie', 'webflash=; expires="Fri, 03-Dec-2010 05:37:15 GMT"; Max-Age=0; Path=/'), ('Content-Length', '1791')]
2010-12-07 21:37:15,131 no challenge required
2010-12-07 21:37:15,131 -- repoze.who request ended (/login) --
=== SECTION 3 ===
# -*- coding: utf-8 -*-
"""My api_client auth middleware."""
import logging

from repoze.who.interfaces import IChallengeDecider
from zope.interface import implements

__all__ = ['ApiClientChallengeDeciderPlugin']
log = logging.getLogger(__name__)


class ApiClientChallengeDeciderPlugin(object):
    """
    WSGI middleware for ApiClient authentication.
    """
    implements(IChallengeDecider)

    def __call__(self, environ, status, headers):
        # repoze.who passes in the status and headers that the wrapped
        # application handed to start_response
        log.warn('ApiClientChallengeDeciderPlugin __call__ '
                 'type(environ)=%s status=%s type(headers)=%s',
                 type(environ), status, type(headers))
        log.warn('ApiClientChallengeDeciderPlugin __call__ headers=%s',
                 headers)
        h_dict = dict(headers)
        if status.startswith('401 '):
            if 'X-Api-Client' in h_dict:
                return False
            # True ... FOR NOW JUST TEST whether 401 remains intact in response
            return False
        return False
Thanks.
--
You received this message because you are subscribed to the Google Groups
"TurboGears" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/turbogears?hl=en.
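An added example (not code from the original post, TurboGears or repoze.who) of the decider logic the post is working towards, together with a simplified model of how the middleware hands the wrapped application's status to the decider; it assumes API clients mark themselves with an X-Api-Client request header (HTTP_X_API_CLIENT in WSGI) or an application/json Accept header, and the two sample WSGI apps are constructed for the demonstration.

```python
"""Added example (not from the original post or repoze.who): a challenge decider
that keeps a 401 intact for API clients, plus a simplified model of the middleware
call so the decider's inputs can be seen offline.  Assumption: API clients send an
X-Api-Client request header (HTTP_X_API_CLIENT in WSGI) or ask for JSON."""

def is_api_client(environ):
    """Decide from the *request* environ, not from the response headers."""
    if 'HTTP_X_API_CLIENT' in environ:
        return True
    return environ.get('HTTP_ACCEPT', '').startswith('application/json')

def api_client_challenge_decider(environ, status, headers):
    """repoze.who decider signature: True means 'run the challenger plugins'."""
    if not status.startswith('401 '):
        return False  # nothing to challenge; the app's response passes through
    if is_api_client(environ):
        return False  # leave the bare 401 so the client can react programmatically
    return True       # browsers get the login form via the challenger plugins

def run_with_decider(app, environ, decider):
    """Model of the middleware's role (not repoze.who's own code): capture what
    the app gave to start_response, then ask the decider about that status."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured['status'] = status
        captured['headers'] = list(headers)
        return lambda data: None

    list(app(environ, start_response))  # consume the body, as the server would
    decision = decider(environ, captured['status'], captured['headers'])
    return captured['status'], decision

# Constructed sample applications: one emits a bare 401, the other has already
# turned the failure into a redirect before the decider is ever consulted.
def unauthorized_app(environ, start_response):
    start_response('401 Unauthorized', [('Content-Type', 'text/plain')])
    return [b'not authenticated']

def redirecting_app(environ, start_response):
    start_response('302 Found', [('Location', '/login?came_from=%2Frestricted_url%2F')])
    return [b'']
```

Running redirecting_app through run_with_decider shows the point behind Q2: the decider only ever sees the status the application itself emitted, so a 302 produced upstream of repoze.who cannot be turned back into a 401 here.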