Hi Ross,

Thanks so much for your input. Fortunately, users will receive the token when they sign up for the service using the web interface. So that makes getting a token much simpler. However, based on what I recall of what you'll be doing, that sounds like a good approach.
I understand now that the solution for me will be using request.args(0) as Massimo described.

Thanks again,
Eric

On Sep 15, 9:06 pm, Ross Peoples <[email protected]> wrote:
> Eric, I may have found a way to do it, but it's not pretty.
>
> Create a controller that only has login / logout methods. The login method
> will return your token that is saved somewhere (cache or database).
>
> Then in other controllers where you need to enforce token authentication,
> put this into your call() method:
>
> if 'token' in request.vars:
>     token = request.vars.token
>     if token != 'test':  # you would put your own token checking logic here
>         raise HTTP(401, 'Supplied token was not valid.')
> else:
>     raise HTTP(401, 'Token must be supplied as a variable in the query string.')
>
> return service()
>
> Now, to get a token, call your login method (that is in another controller):
>
> x = xmlrpclib.ServerProxy('http://127.0.0.1:8000/rpc_test/auth/login/xmlrpc')
>
> try:
>     token = x.login(username, password)
> except:
>     print 'Login failed'
>
> x = xmlrpclib.ServerProxy('http://127.0.0.1:8000/rpc_test/my_controller/call/xmlrpc?token=%s' % token)
>
> try:
>     x.my_method(a, b)
>     x.add(1,2)
> except:
>     print 'Not authorized'
>
> What happens here is you login, get the token, then make a new connection
> with the token, which is checked for every call you make to my_controller.
> You do not need to include the token in the API at all with this method, but
> again, it's kind of a hacky way to do it. I'm not sure how X509 works, but
> if Massimo says that's the way to go, then I'm going to wait before
> implementing it the way described here. I have a couple of weeks before I
> have to worry about this, I'm just doing preliminary research right now.
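
An added example, not part of the original thread and not web2py's own code: one way to fill in the "you would put your own token checking logic here" placeholder in the quoted call() snippet, using only the Python 3 standard library. The function names, the in-memory store and the one-hour lifetime are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 3600   # assumed policy: a token is valid for one hour
_tokens = {}       # sha256(token) -> (username, expiry); stands in for cache/db


def _digest(token):
    # Store and look up only a hash, so a leaked store does not yield usable
    # tokens and the lookup never compares raw token bytes directly.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(username, now=None):
    """Called by the login method after the password check succeeds."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    _tokens[_digest(token)] = (username, now + TOKEN_TTL)
    return token


def check_token(token, now=None):
    """Return the username bound to a valid token, or None."""
    now = time.time() if now is None else now
    # A repeated ?token=a&token=b query variable can arrive as a list.
    if not isinstance(token, str) or not token:
        return None
    key = _digest(token)
    entry = _tokens.get(key)
    if entry is None:
        return None
    username, expiry = entry
    if now >= expiry:
        del _tokens[key]                       # expired tokens are purged
        return None
    return username


def revoke_token(token):
    """Called by the logout method."""
    if isinstance(token, str):
        _tokens.pop(_digest(token), None)

# In the quoted call() method the placeholder comparison would become:
#     if check_token(request.vars.token) is None:
#         raise HTTP(401, 'Supplied token was not valid.')
```

Because the token travels in the query string, it will also appear in web server access logs, so a short lifetime and HTTPS matter more here than they would for a header-borne token.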

