Sean Perry wrote:
> magus wrote:
> > I'd like to roll my own basic authentication for a web service, i.e. I
> > don't want to use the contrib.auth module. If possible I'd like to
> > avoid relying on the server for this. Anyone who can offer some
> > pointers on how to raise a 401 on a request that doesn't contain the
> > Authentication: header?
> > The 401 also needs to contain the realm, how would I do that?
> Forgive the possibly stupid question, but why not just use htaccess /
> apache auth? (or insert the method supported by your web server here).
> It is simple, requires almost no code and you will get the user name as
> an environment variable.
It's the "insert the method supported by your web server here" part
that I am trying to avoid. I'd like to keep the username/password
available to the webservice, which means I'll have to either have the
server use the webservice's database (already solved for
Apache/contrib.auth, I know) or somehow keep two files in sync. I don't
like that idea. It would also tie my webservice to a server, I don't
like that either :-)
Since the username/password are in the HTTP header I believe they would
be available in the "environment" as long as the server doesn't filter
it out.
> Beyond that, look into what Jacob said. The session layer is supposed to
> be cheap if you never ask for anything from it.
Yes, but "cheapness" is only one of my concerns. I have two bigger
concerns:
1. By limiting the external dependencies (i.e. the number of django
modules I use) I will lower the risk of being hit by a bug that I don't
control.
2. AFAICS the session is represented by a cookie, for me this is
totally unnecessary since there will be no session. The webservice will
have no server-side state to keep track of. Also, there's a lot of
smart people out there and they keep on comming up with new and
interesting ways to use session cookies (session hijacking, session
fixation, etc.).
Another issue, albeit a lot smaller, is the fact that contrib.auth has
a model that's too big. My model looks like this:
class User(models.Model):
name = models.CharField(maxlength=50, primary_key=True)
passwd = models.CharField(maxlength=50)
I don't need anything more than that. If I don't need more, I don't
want more. The reason? With less code, less things will go wrong :-)
And, yes, I know I'm slightly paranoid and anal about all of this. :-)
/M
