hierarchical realms and httpauthfilter (CP 2.2.x)

hierarchical realms and httpauthfilter (CP 2.2.x)

Venkat Bommakanti

Hi all,

I have a need to implement Digest/Basic Auth using
httpauthfilter using CP 2.2.x, but with hierarchical realms.

For example say, I have:
  http://mysite/feature/001/action/...
  http://mysite/feature/002/action/...
  http://mysite/feature/003/action/...
and so on... And that,
  Folks in realm 003 include
  Folks in realm 002, and
  Folks in realm 002 include
  Folks in realm 001

So, in this case, if folks get authenticated to say, realm 003
they need not get authenticated for realm 002/001 actions
and if they get authenticated to say, realm 002, they need
not get authenticated for realm 001 actions.

Likewise, if they get authenticated only for realm 001 actions
they should get authenticated for realm 002 (or higher) actions,
and if they get authenticated for say realm 002 actions, they
need to get authenticated for 003 or higher actions...

With the latest httpauthfilter (CP 2.2.x) version, is it possible
to implement such an auth scheme of hierarchical realms?

Thanks for the help,
/venkat


--~--~---------~--~----~------------~-------~--~----~
 You received this message because you are subscribed to the Google Groups "cherrypy-users" group.
To post to this group, send email to [hidden email]
To unsubscribe from this group, send email to [hidden email]
For more options, visit this group at http://groups-beta.google.com/group/cherrypy-users?hl=en
-~----------~----~----~----~------~----~------~--~---

Re: hierarchical realms and httpauthfilter (CP 2.2.x)

Sylvain Hellegouarch

venkatbo wrote:

>
> Hi all,
>
> I have a need to implement Digest/Basic Auth using
> httpauthfilter using CP 2.2.x, but with hierarchical realms.
>
> For example say, I have:
>  http://mysite/feature/001/action/...
>  http://mysite/feature/002/action/...
>  http://mysite/feature/003/action/...
> and so on... And that,
>  Folks in realm 003 include
>  Folks in realm 002, and
>  Folks in realm 002 include
>  Folks in realm 001
>
> So, in this case, if folks get authenticated to say, realm 003
> they need not get authenticated for realm 002/001 actions
> and if they get authenticated to say, realm 002, they need
> not get authenticated for realm 001 actions.
>
> Likewise, if they get authenticated only for realm 001 actions
> they should get authenticated for realm 002 (or higher) actions,
> and if they get authenticated for say realm 002 actions, they
> need to get authenticated for 003 or higher actions...
>
> With the latest httpauthfilter (CP 2.2.x) version, is it possible
> to implement such an auth scheme of hierarchical realms?
>

It will depend how your code is designed. If 001, 002, etc. is
statically defined then simply set the _cp_filter attribute at each
correct level. If those are dynamic then you'll have some tweaking to do
I'm afraid.

So if you have:

class Some001:
    _cp_filter = [HTTPAuthFilter(realm='001')]

    ...

class Some002:
    _cp_filter = [HTTPAuthFilter(realm='002')]

    ...

etc.

This will work fine as you expect. If the 00x part is dynamic then you
may write a simple filter that inspects the URI and sets the realm
value of the auth filter dynamically.

- Sylvain

Re: hierarchical realms and httpauthfilter (CP 2.2.x)

Venkat Bommakanti

Thanks Sylvain.

Have a doubt:

In,
> >  http://mysite/feature/001/action/...
> >  http://mysite/feature/002/action/...
> >  http://mysite/feature/003/action/...
the numeric path component is known, but
that component will only be numeric and
it may start with preceding 0's. There are
no dynamically generated path components.
Since one cannot have class names or
method names exactly matching the numeric
path component as shown above, can I still
have classes like you suggest:
> class Some001:
> class Some002:
with the filters setup appropriately ?

Taking the original example, I was thinking,
at the level of:
    http://mysite/feature/
I'd need to use a default() handler. I can examine
the realm and ensure it's one of (001, 002, 003...),
but then how can I apply a _cp_filter based on the
realm I've just found out?

Thanks much,
/venkat


Re: hierarchical realms and httpauthfilter (CP 2.2.x)

Sylvain Hellegouarch

venkatbo wrote:

>
> Thanks Sylvain.
>
> Have a doubt:
>
> In,
>> >  http://mysite/feature/001/action/...
>> >  http://mysite/feature/002/action/...
>> >  http://mysite/feature/003/action/...
> the numeric path component is known, but
> that component will only be numeric and
> it may start with preceding 0's. There are
> no dynamically generated path components.
>
> Since one cannot have class names or
> method names exactly matching the numeric
> path component as shown above, can I still
> have classes like you suggest:
>> class Some001:
>> class Some002:
> with the filters setup appropriately ?
>
> Taking the original example, I was thinking,
> at the level of:
>    http://mysite/feature/
> I'd need to use a default() handler. I can examine
> the realm and ensure it's one of (001, 002, 003...),
> but then how can I apply a _cp_filter based on the
> realm I've just found out?
>

Doing it from the default handler would be too late (or too ugly), it'd
be better to have a filter doing that work before the httpauthfilter is
being called (so a filter attached to the before_main hook point and
inserted before the httpauthfilter instance in the _cp_filter attribute).

- Sylvain

Re: hierarchical realms and httpauthfilter (CP 2.2.x)

Venkat Bommakanti

Thanks Sylvain.

> Doing it from the default handler would be too late (or too ugly), it'd
> be better to have a filter doing that work before the httpauthfilter is
> being called (so a filter attached to the before_main hook point and
> inserted before the httpauthfilter instance in the _cp_filter attribute).

I implemented a MyRealmFilter with the before_main hook point.
I can examine the header/path information and discern what:
  . the current realm (request realm info) of the logged-in user is
  . the destination url (request path info), and based on the
    inclusion of "00x", which appropriate new realm to choose
    if any, and lastly,
  . if it's a brand new login altogether.

For the:
  http://mysite/feature
level of the site hierarchy, I was hoping to specify and use
a sub-controller like so:
...
class Feature(controllers.Controller):
    _cp_filters = [
        MyRealmFilter(),
        HttpAuthFilter(realm='<chosen from MyRealmFilter>',
                       privateKey=str(time.time()),
                       unauthorizedPath='/unauthorized',
                       retrieveUsersFunc=retrieveAuthUsers)
    ]
...
and with the help of the default() handler, I could trap access
to:
   .../001/...
   .../002/...
   .../003/...
with the respective realm/auth level already applied.

What is unclear is how I would convey the chosen realm from
MyRealmFilter to HttpAuthFilter in the _cp_filters attrib specification
above.

Thanks much,
/venkat
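
The realm choice discussed in this thread, as an added example that is not code from any poster or from CherryPy: plain Python with no CherryPy or httpauthfilter calls, where `KNOWN_REALMS`, `realm_for_path` and `decide` are hypothetical names. It assumes a higher-numbered realm covers the lower ones, as in the first post, and it fails closed on any path that does not name a known realm exactly.

```python
import re

# Constructed for illustration: realms known to the site, lowest level first.
KNOWN_REALMS = ("001", "002", "003")
_REALM_PATH = re.compile(r"/feature/([0-9]{3})(?:/|\Z)")


def realm_for_path(path):
    """Return the realm named by /feature/<realm>/..., or None.

    Only an exact, allow-listed three-digit component selects a realm, so
    '1', '0001' and '003x' never do. Dot segments and empty segments are
    rejected outright: if the dispatcher normalised them differently, the
    realm chosen here could differ from the handler that finally runs.
    """
    segments = path.split("/")
    if "." in segments or ".." in segments or "" in segments[1:-1]:
        return None
    m = _REALM_PATH.match(path)
    if m is None or m.group(1) not in KNOWN_REALMS:
        return None
    return m.group(1)


def decide(path, authenticated_realm=None):
    """Decision a realm-selecting filter makes before the auth filter runs.

    authenticated_realm must be the realm the credentials were already
    verified against (server-side knowledge), never a realm value read
    unverified from the request headers.

    Returns (action, realm):
      ("deny", None)        path names no known realm
      ("allow", realm)      existing login already covers the realm
      ("challenge", realm)  the auth filter must challenge for this realm
    """
    wanted = realm_for_path(path)
    if wanted is None:
        return ("deny", None)
    if authenticated_realm in KNOWN_REALMS:
        have = KNOWN_REALMS.index(authenticated_realm)
        if have >= KNOWN_REALMS.index(wanted):
            return ("allow", wanted)
    return ("challenge", wanted)
```

The realm returned with "challenge" is a per-request value; writing it onto an auth filter instance that all requests share would let concurrent requests overwrite each other's realm.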

