Sakai Session generation with Python

153 views
Skip to first unread message

Karavites, William

unread,
Feb 19, 2016, 2:47:31 PM2/19/16
to saka...@apereo.org
Hey everyone,

Over the next few weeks during my downtime home I’m going to be renewing my efforts with the SakaiPy project. I had to stop because of my increased workload and the way the login mechanism changed. The only part I’m really stuck on is the Session generation, hopefully someone will be able to give me a hand on this part.

Here’s a sample Python script to demonstrate how I’m trying top create a Sakai session. It should simply post to the login script (or should I use /direct?) and store the cookies within the session object. Though when the second command gets executed, there’s no associated userid that comes with the response
.
Could it be a problem with the way I’m approaching this OR is it something with Sakai? I wonder if the requests Session() object doesn’t natively handle authenticated sessions.

import requests

session = requests.Session()

session.get("https://sakai.rutgers.edu/sakai-ws/rest/login/login?id=willkara&pw=NOPE", verify=False)

print(session.get("https://sakai.rutgers.edu/direct/session/current.json", verify=False).json())

------------------------------------
William Karavites
Application Programmer
OIT/OIRT- Rutgers University
Office: 848-445-8726
------------------------------------

Schauer, Christopher R

unread,
Feb 19, 2016, 4:01:53 PM2/19/16
to Karavites, William, saka...@apereo.org
It's on the Sakai end. If you take a look at /webservices/cxf/src/java/org/sakaiproject/webservices/SakaiLogin.java, you'll see it creates a new session in the login method. You end up with two sessions: the anonymous tomcat session that gets set in cookies and the authenticated session whose id is returned in the response body.

/direct/session handles this differently, so you'd be better off using /direct. It grabs the current session and modifies it instead of creating a new one (unless the current session is an admin session, then it creates a new session). I'm not sure if the difference between the two is intended, but I think that the sakai-ws one is intended to be used with other sakai-ws calls that take the sessionid as a parameter instead of using cookies so it's never been an issue.

-Chris

--
You received this message because you are subscribed to the Google Groups "Sakai Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sakai-dev+...@apereo.org.
To post to this group, send email to saka...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/sakai-dev/.

Karavites, William

unread,
Feb 19, 2016, 6:33:24 PM2/19/16
to Schauer, Christopher R, saka...@apereo.org
Turns out what was happening was that since the request had no csrftoken parameter, it would fail for the security check we have in EntityHandlerImpl.java. So every time we would try and run  request through any Entity object, it would POOF and fail.



It looks like we’re the only ones to have this since I tried it in a build of Sakai Community master and it worked WITHOUT explicitly setting a csrftoken parameter.

I tried it with this

import requests

session = requests.Session()


data={'csrftoken':'lets just put random text here 12738612783612'}

session.post("https://sakai-prod1.oirt.rutgers.edu/direct/session?_username=willkara.admin&_password=NOPE", verify=False,data=data)

print(session.get("https://sakai-prod1.oirt.rutgers.edu/direct/session/current.json", verify=False).json())


















And it worked!












Since we may be the oddity here, I’m going to test my code against the community master build.












-Will
Alastair Hendricks
unread,
Feb 22, 2016, 5:43:38 AM2/22/16
to Sakai Development, will...@oit.rutgers.edu
Hi Will,

I recall chatting to you on Reddit regarding the csrftoken on Sakai and login issues - while this may not be directly linked to your issue, I thought I should share.

We also use /direct and used to log users in using a POST to /direct/session. While this creates a session, it does not create a csrf token, allowing the user to access /direct as well as /portal tools, but doesn't allow users to submit forms on pages due to the missing csrf token.

As a workaround, we're currently using a POST to /portal/xlogin to log in users (which does create a token), and they have access to /direct - I opened a ticket on JIRA, but I'm relatively new to contributing to the project and from what I've seen on JIRA tickets can take a while.

Loading up a community master build and I'll continue poking around and.
Reply all
Reply to author
Forward
0 new messages