CherryPy Project Download

digest and LDAP authentication

CherryPy has built-in support for authorization. "Digest" and "ldap" are the ones that make most sense in practice.

I've been wondering if Python code is the right place for doing authorization. Because instead of _coding_ authorization it is easier to _declare_ it in the front web servers. Instead of re-inventing the wheel, let the right tool handle the job.

IMHO it is the Right Thing (TM) to do, since it also makes sense to use a reverse proxy (apache/lighttpd/squid) in front of CherryPy to deal with buffer overflows, malformed URLs and other nasty things.

This allows CherryPy to run in session-less mode, which allows for easier fail-over or load balancing. Another benefit Windows users: one could use "Integrated Windows Authorization" with IIS.

I tried to deploy this with Apache mod_proxy and mod_digest. Unfortunately, mod_proxy "eats" all extra headers (see http://allafrica.com/tools/apache/mod_proxy ). On Webfaction forum, Remi Delon suggested to try mod_rewrite. Well, Apache mod_rewrite is "voodoo" (quote from http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html).. If someone manages to get it work, please let me know.

Instead, here is quick-and-dirty solution with .. lighttpd. Relevant lines from lighttpd.conf are :

server.modules = (
"mod_access",
"mod_auth",
"mod_proxy",
"mod_accesslog" )
server.port = 8090
proxy.server = ( "" => ( ( "host" => "127.0.0.1", "port" => 8080 ) ) )
auth.backend = "plain"
auth.backend.plain.userfile = "/opt/local/etc/lighttpd/lighttpd.user"
auth.require = ( "/" => (
"method" => "digest",
"realm" => "cubulus",
"require" => "valid-user"
) )

CherryPy receives header 'Authorization' with content 'Digest username="a", realm="cubulus", nonce=.., uri=.. qop="auth" ..... '

Easy thing is that if authorization fails, CherryPy receives.. nothing, so it's enough to look for Digest username="XXX"

Cheers, Alex

http://alexandrutoth.blogspot.com/

Hosted by WebFaction

Log in as guest/cherrypy to create/edit wiki pages