Filters / Hooks


Richard King

Jul 3, 2008, 7:17:43 PM
to cherrypy-users
I would like to implement my own user authentication methods for an
application built with CherryPy. To do this, I would like to know how
to run a method at the beginning of each request so that I can check
if the user has authenticated, and redirect otherwise. I am new to
CherryPy and have seen references to Filters & Hooks to do such
things, but I cannot find any good examples of how to do so. Please
help. Thanks.

Robert Brewer

Jul 3, 2008, 8:11:12 PM
to cherryp...@googlegroups.com

http://www.cherrypy.org/wiki/CustomTools covers it pretty well. To run
something at the beginning of the request, use the 'on_start_resource'
hook just like the 'print_path' example does. To do user authentication,
you're probably going to be checking
cherrypy.request.headers['WWW-Authenticate'] and maybe raise
cherrypy.HTTPError(401) if they can't authenticate. See
cherrypy.lib.auth for some helper functions. Of course, if you just want
basic/digest auth, there are already builtin tools for that.


Robert Brewer
fuma...@aminus.org

arjuna

Jul 4, 2008, 1:27:49 AM
to cherryp...@googlegroups.com
Hi Robert,
 
I had hacked together a simple login a while ago. I'd like to replace it with the library login that may be more secure... What's the best place to find the user authentication library and related docs? Thanks...
 
 
> Of course, if you just want
>basic/digest auth, there are already builtin tools for that.


 
--
Best regards,
arjuna
http://www.brahmaforces.com

Richard King

Jul 3, 2008, 11:35:40 PM
to cherrypy-users
Thank you for the quick response. The CustomTools reference was
exactly what I needed. One more question: what do I need to do to be
able to access the cherrypy.session variables from within my Custom
Tool?


On Jul 3, 6:11 pm, "Robert Brewer" <fuman...@aminus.org> wrote:
> Richard King wrote:
> > I would like to implement my own user authentication methods for an
> > application built with CherryPy. To do this, I would like to know how
> > to run a method at the beginning of each request so that I can check
> > if the user has authenticated, and redirect otherwise. I am new to
> > CherryPy and have seen references to Filters & Hooks to do such
> > things, but I cannot find any good examples of how to do so. Please
> > help. Thanks.
>
> http://www.cherrypy.org/wiki/CustomTools covers it pretty well. To run
> something at the beginning of the request, use the 'on_start_resource'
> hook just like the 'print_path' example does. To do user authentication,
> you're probably going to be checking
> cherrypy.request.headers['WWW-Authenticate'] and maybe raise
> cherrypy.HTTPError(401) if they can't authenticate. See
> cherrypy.lib.auth for some helper functions. Of course, if you just want
> basic/digest auth, there are already builtin tools for that.
>
> Robert Brewer
> fuman...@aminus.org

Richard King

Jul 4, 2008, 2:29:59 AM
to cherrypy-users
Thanks Robert. I appreciate the good reference and the quick
response. As I have developed web apps in the past, using other
languages, I have generally handled user authentication as follows:

1) Write code which executes before each request to see if the user
has logged in.
2) On each request, check to see if a "user_id" session variable
exists, and if not redirect to the login page.
3) Submitting the login pages will execute code that checks the
provided username/password with the database
4) If the credentials were valid, save the "user_id" session variable
and redirect to the requested page; otherwise redirect to the login
page.

Is there a way that I can accomplish this type of logic in CherryPy,
or is there a better way? It appears that in CherryPy I do not have
access to cherrypy.session from an 'on_start_resource' hook. Thank you
for your help.

-Richard

On Jul 3, 6:11 pm, "Robert Brewer" <fuman...@aminus.org> wrote:
> Richard King wrote:
> > I would like to implement my own user authentication methods for an
> > application built with CherryPy. To do this, I would like to know how
> > to run a method at the beginning of each request so that I can check
> > if the user has authenticated, and redirect otherwise. I am new to
> > CherryPy and have seen references to Filters & Hooks to do such
> > things, but I cannot find any good examples of how to do so. Please
> > help. Thanks.
>
> http://www.cherrypy.org/wiki/CustomTools covers it pretty well. To run
> something at the beginning of the request, use the 'on_start_resource'
> hook just like the 'print_path' example does. To do user authentication,
> you're probably going to be checking
> cherrypy.request.headers['WWW-Authenticate'] and maybe raise
> cherrypy.HTTPError(401) if they can't authenticate. See
> cherrypy.lib.auth for some helper functions. Of course, if you just want
> basic/digest auth, there are already builtin tools for that.
>
> Robert Brewer
> fuman...@aminus.org

Robert Brewer

Jul 4, 2008, 3:15:34 AM
to cherryp...@googlegroups.com
Richard King wrote:
> On Jul 3, 6:11 pm, "Robert Brewer" <fuman...@aminus.org> wrote:
> > Richard King wrote:
> > > I would like to implement my own user authentication methods for an
> > > application built with CherryPy. To do this, I would like to know
> > > how to run a method at the beginning of each request so that I can
> > > check if the user has authenticated, and redirect otherwise. I am
> > > new to CherryPy and have seen references to Filters & Hooks to do
> > > such things, but I cannot find any good examples of how to do so.
> >
> > http://www.cherrypy.org/wiki/CustomTools covers it pretty well.

> > To run something at the beginning of the request, use the
> > 'on_start_resource' hook just like the 'print_path' example
> > does. To do user authentication, you're probably going to be
> > checking cherrypy.request.headers['WWW-Authenticate'] and maybe
> > raise cherrypy.HTTPError(401) if they can't authenticate. See
> > cherrypy.lib.auth for some helper functions. Of course, if you
> > just want basic/digest auth, there are already builtin tools for
> > that.
>
> Thank you for the quick response. The CustomTools reference was
> exactly what I needed. One more question: what do I need to do to be
> able to access the cherrypy.session variables from within my Custom
> Tool?

Sessions are implemented with hooks and tools too, so you just have to
make sure your tool runs after session.init is called. Looks like that's
before_request_body, priority=50 by default. It can't really be any
earlier than that because it has to run after the request headers are
read and parsed. So run your tool after that; either
before_request_body, priority 75 or something, or before_handler.

You also need to lock the session while you read/write it. By default,
that happens before_handler. If you set sessions.locking = 'early' it'll
run before_request_body, priority=60. You can also set
sessions.locking='explicit' and call
cherrypy.serving.session.acquire_lock()/release_lock() on your own.


Robert Brewer
fuma...@aminus.org
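
Added example, not part of the thread and not CherryPy's own code: the session-based flow Richard lists (steps 1-4) as a custom tool attached at before_handler, so it runs after sessions.init as described in the reply above. The route name `/login`, the `dest` parameter, the helper names and the `check_credentials` callback are assumptions made for this sketch; the destination check is added so the post-login redirect only ever goes to a local path.

```python
from urllib.parse import quote

LOGIN_PATH = "/login"   # assumed route name, not from the thread

def safe_next(target, default="/"):
    """Accept only a same-site absolute path as the post-login destination."""
    if not target or not target.startswith("/") or target.startswith("//"):
        return default
    if "\\" in target or any(ord(c) < 0x20 for c in target):
        return default   # browsers may normalise these into '//host'
    return target

def login_redirect(session, path):
    """Steps 1-2: return None to let the request through, else the login URL."""
    if path == LOGIN_PATH or session.get("user_id") is not None:
        return None
    return "%s?dest=%s" % (LOGIN_PATH, quote(safe_next(path)))

def build_app(check_credentials):
    """Wire the helpers into CherryPy. check_credentials(user, password) is a
    hypothetical callback returning a user id, or None on failure."""
    import cherrypy   # imported here so the helpers above test without CherryPy

    def require_login():
        url = login_redirect(cherrypy.session, cherrypy.request.path_info)
        if url is not None:
            raise cherrypy.HTTPRedirect(url)

    # before_handler runs after sessions.init (before_request_body, priority 50).
    # Priority 75 also places it after the implicit session lock, assumed here
    # to attach at before_handler with the default hook priority of 50.
    cherrypy.tools.require_login = cherrypy.Tool(
        "before_handler", require_login, priority=75)

    class Root:
        @cherrypy.expose
        def index(self):
            return "private page"

        @cherrypy.expose
        def login(self, username="", password="", dest="/"):
            user_id = None
            if cherrypy.request.method == "POST":
                user_id = check_credentials(username, password)    # step 3
            if user_id is None:
                return ('<form method="post">user <input name="username"> password '
                        '<input type="password" name="password"><input type="submit"></form>')
            cherrypy.session.regenerate()          # fresh session id after login
            cherrypy.session["user_id"] = user_id  # step 4
            raise cherrypy.HTTPRedirect(safe_next(dest))

    conf = {"/": {"tools.sessions.on": True, "tools.require_login.on": True}}
    return Root(), conf
```

To serve it, unpack the result as `root, conf = build_app(your_checker)` and pass them to `cherrypy.quickstart(root, "/", conf)`.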

Robert Brewer

Jul 4, 2008, 3:18:12 AM
to cherryp...@googlegroups.com
> I had hacked together a simple login a while ago.
> I'd like to replace it with the library login that
> may be more secure... What's the best place to find
> the user authentication library and related docs?

http://www.cherrypy.org/wiki/BuiltinTools#tools.basic_auth and
http://www.cherrypy.org/wiki/BuiltinTools#tools.digest_auth are the two
I was talking about. Aside from those few paragraphs, the source code is
probably best...


Robert Brewer
fuma...@aminus.org
