slav0nic wrote:
> tnx
> good example but not secure, use md5 module and compare hashes, not
> plain passwords ;)
>
> On 3 Nov, 22:36, jgfoot <[EMAIL PROTECTED]> wrote:
>> I've put together a small and simple decorator that lets web.py code
>> require HTTP "basic" authentication before running a function or
>> method. (HTTP authentication is when the browser pops up that
>> "username/password" dialog box).
>>
>> To use it, you import the module, set up some sort of function that
>> can validate usernames/passwords (or use the dead-simple dictionary
>> based default function), and then just invoke the decorator before
>> each GET/PUT/DELETE method that you want to protect. You can call the
>> authUserName function to get the user name for use in your
>> application.
>>
>> Applied to the "Hello, world!" example, it looks like this:
>>
>> # begin code
>> import web
>> import basicauth
>>
>> def myVerifier(username, password, realm):
>>     return (username == "falken" and password == "joshua") \
>>         or (username == "lightman" and password == "pencil")
>>     # (obviously you want something better in the real world...)
>>
>> auth = basicauth.auth(verify = myVerifier)
>>
>> urls = ( '/(.*)', 'hello' )
>>
>> class hello:
>>     @auth
>>     def GET(self, name):
>>         i = web.input(times=1)
>>         if not name: name = basicauth.authUserName() # The name passed in the headers
>>         for c in xrange(int(i.times)):
>>             print 'Hello,', web.websafe(name)+'!'
>>
>> web.run(urls, globals())
>>
>> # end code
>>
>> Please check it out at http://www.goldfoot.com/basicauth.py (a
>> temporary location only) and let me know what you think. Because this
>> uses decorators, it needs Python 2.4 or later.

Ahhhhhh hold on hold on! Do not try to make it sound like md5 hashes are secure. If you want security, use SSL. If you only want protection from an unmotivated snooper (md5 is definitely not a cryptographically secure algorithm), then yes, that is fine.

I think this is a very nice patch, even with plain authentication. Perhaps I am not even too convinced it should also provide anything more sophisticated than plain-text auth (to prevent a developer from getting a false sense of security). Plain-text auth is fine over SSL (then again, if you are using SSL you are also using a webserver, which in turn means you might just as well configure that to ask for authentication..).

On the other hand, if I recall correctly, the mechanism behind md5 hashed HTTP auths is surprisingly easy so it will probably be a very small bit of code to add.. which makes it a little more interesting... ah well, I will remain indecisive for a while, I guess :)

Greetings,
b^4
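
An added example, not part of the thread or of basicauth.py: a Python 3 verifier in the shape of the `myVerifier(username, password, realm)` callback quoted above, which stores salted hashes and compares them in constant time, next to a decoder showing that a Basic header is only base64 on the wire (so the transport still needs SSL however the server stores passwords). PBKDF2-SHA256 is used here in place of the md5 module suggested in the thread; the iteration count, the helper names and the sample store are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example

def hash_password(password, salt=None):
    """Return (salt, derived_key) to store instead of the plaintext password."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key

def parse_basic_header(header):
    """Decode 'Basic <base64(user:pass)>' into (user, password); None if malformed."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")  # the password may contain ':'
    return (user, password) if sep else None

def make_verifier(store):
    """Build verify(username, password, realm) backed by hashed records."""
    dummy_salt, dummy_key = hash_password("dummy-placeholder")

    def verify(username, password, realm=None):
        # Unknown users still cost one PBKDF2 run, so timing does not reveal them.
        salt, key = store.get(username, (dummy_salt, dummy_key))
        _, candidate = hash_password(password, salt)
        ok = hmac.compare_digest(candidate, key)
        return ok and username in store

    return verify

# Constructed sample data, reusing the usernames from the quoted post.
STORE = {"falken": hash_password("joshua"), "lightman": hash_password("pencil")}
VERIFY = make_verifier(STORE)

def check_header(header):
    """True only if the Authorization header carries valid credentials."""
    creds = parse_basic_header(header)
    return bool(creds) and VERIFY(creds[0], creds[1])
```
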
