How to write our own handler to handle login in CherryPy


Dharmendra Shaw

Apr 25, 2016, 7:22:27 AM
to cherrypy-users
How do I write my own handler to handle login in the CherryPy framework? Currently, with the default handler, I am not able to log in using a remote REST API call.

Joseph S. Tate

Apr 25, 2016, 11:26:12 PM
to cherrypy-users
I don't know what you're asking. What have you tried? What authentication type are you trying to use? What doesn't work?

On Mon, Apr 25, 2016 at 7:22 AM Dharmendra Shaw <shaw.dh...@gmail.com> wrote:
> How do I write my own handler to handle login in the CherryPy framework? Currently, with the default handler, I am not able to log in using a remote REST API call.


Dharmendra Shaw

Apr 26, 2016, 7:06:25 AM
to cherrypy-users
I am using CherryPy for my web app. For authentication we are using the "tools.session_auth.login_screen" and "tools.session_auth.check_username_and_password" handlers for login authentication.
Now I need to support login to the app through a REST API call from another app, using basic authentication with a URL like the one below:
login?username=username&password=test

Michiel Overtoom

Apr 26, 2016, 7:49:01 AM
to cherryp...@googlegroups.com
Hi Dharmendra,

> On 2016-04-26, at 13:06, Dharmendra Shaw <shaw.dh...@gmail.com> wrote:
>
> For authentication we are using "tools.session_auth"
> I have a need to support login to app using REST API

I have a similar setup.

To have an external script log in as if it were a real user using a web browser, I use 'mechanize':

import mechanize
br = mechanize.Browser()
response = br.open("http://www.myserver.com/login")
br.form = list(br.forms())[0]
control = br.form.find_control("username")
control.value = "MY_NAME"
control = br.form.find_control("password")
control.value = "MY_SECRET_PASSWORD"
response = br.submit()

...and after that I can request pages (the json module needs to be imported for the last line):

import json
response = br.open("http://www.myserver.com/api/item?id=12", "")
body = response.read()
response.close()
j = json.loads(body)

I'm not sure if this is anything like you need, but maybe you get some ideas from it.

Greetings,

Tim Roberts

Apr 26, 2016, 12:23:34 PM
to cherryp...@googlegroups.com
Dharmendra Shaw wrote:
> I am using CherryPy for my web app. For authentication we are using the "tools.session_auth.login_screen" and "tools.session_auth.check_username_and_password" handlers for login authentication.
> Now I need to support login to the app through a REST API call from another app, using basic authentication with a URL like the one below:
> login?username=username&password=test

First, a very picky terminology issue.  "Basic authentication" is the name for the default HTTP authentication scheme that is handled directly by the browser.  If you are doing the authentication yourself (which session_auth does), that's different.

If your login_screen code expects the username and password in the field names you have there, then that login URL ought to work.  In response to that, Python will send you a cookie identifying your session.  Your REST calls need to pass that cookie back with every request they send, using standard cookie handling.  If your REST code doesn't expect cookies, that's probably the problem.

I would point out that sending username and password in clear text is not secure.  I don't know what information you're protecting there, but if it is valuable at all, you will probably want to find a different scheme.
-- 
Tim Roberts, ti...@probo.com
Providenza & Boekelheide, Inc.

Joseph S. Tate

Apr 26, 2016, 1:55:10 PM
to cherryp...@googlegroups.com
You shouldn't have to "mechanize" to post your credentials. You should just be able to httplib2.post(), unless there's some sort of captcha system.

You need to capture the session cookie that returns though, and use that on all subsequent requests.

Joseph S. Tate

Apr 26, 2016, 2:54:15 PM
to cherryp...@googlegroups.com
Like Tim said: "basic authentication" is a specific thing. What you're doing is not it. But you COULD use basic auth to do this kind of login: look at the auth_basic tool: https://cherrypy.readthedocs.org/en/3.3.0/refman/lib/auth_basic.html

You have to construct your REST calls to include the authentication header on every request. This is the easiest way to REST.

Alternatively, as Michiel suggested, you can use the built-in authentication handler to log in, and return a session cookie, but that session cookie must be used on every subsequent request.

Thirdly, you can create a new authentication handler/tool that does exactly what you want it to. Personally, I like to pre-generate random keys for REST API users and use that to generate session tokens that are used for subsequent calls. That works well if the user of the API is not a person, but a process.

I'm waving my hands a bit here, because REST authentication is not standardized. But reading the cherrypy code for both the "session_auth" and "auth_basic" tools should give you a good idea of where you should take it.

Depending on the complexity of your API, you should probably look into implementing OAuth 2.0 for not just authentication, but authorization as well. If REST is standardizing on something, this is it. There are third party tools for this (in fact some of the pypi available oauth provider libraries provide cherrypy tools for this). OAuth also lets you delegate authentication to Google, or Facebook so that users have fewer credentials to remember.

Finally, make sure you're using SSL/TLS for any of these mechanisms, because intercepting the session token, the username/password, or the authentication token means unfettered access. It's required for OAuth, but not enforced for everything else, so be careful.

Joseph
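As an added example (not code from the thread or from CherryPy itself) of the "auth_basic on every request" option described above: a password checker with the (realm, username, password) -> bool shape that the auth_basic tool's checkpassword setting takes, using salted hashes and a constant-time compare, plus the header the client must build and the server-side decode of it. The user store, the realm name and the config lines in the trailing comment are assumptions.

```python
import base64
import hashlib
import hmac
import os

# Constructed user store: each entry is (salt, PBKDF2 digest), never a plaintext
# password. A real deployment would load these from a database.
USERS = {}
_DUMMY_SALT = os.urandom(16)


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def add_user(username, password):
    salt = os.urandom(16)
    USERS[username] = (salt, _digest(password, salt))


def check_password(realm, username, password):
    """Callable shape used by tools.auth_basic.checkpassword: (realm, user, pw) -> bool."""
    record = USERS.get(username)
    if record is None:
        _digest(password, _DUMMY_SALT)  # same cost for unknown users, no timing hint
        return False
    salt, expected = record
    return hmac.compare_digest(_digest(password, salt), expected)


def build_basic_header(username, password):
    """What the REST client sends on every request: Authorization: Basic b64(user:pass)."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(value):
    """Server-side decode of the header; returns (user, pw) or None on malformed input."""
    scheme, _, encoded = value.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, pw = decoded.partition(":")
    return (user, pw) if sep else None

# Assumed config lines, in the style of the thread's tools.* keys, to wire this in:
#   tools.auth_basic.on = True
#   tools.auth_basic.realm = 'mtool'
#   tools.auth_basic.checkpassword = mytool.web.authentication.check_password
```

Only the header parsing is shown for illustration; CherryPy's auth_basic tool does that decode itself and only calls the checkpassword callable.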

Dharmendra Shaw

May 5, 2016, 6:35:32 AM
to cherrypy-users
My configuration is as below 

tools.sessions.on = True
tools.session_auth.on = True
tools.session_auth.on_login = mytool.web.authentication.on_login
tools.session_auth.on_logout = mytool.web.authentication.on_logout
tools.session_auth.login_screen = mytool.web.authentication.login_screen
tools.session_auth.check_username_and_password = mytool.web.authentication.check_username_and_password

login_screen here returns an HTML form with action "do_login", which then gets handled by the CherryPy handler.
Is it possible to differentiate in the login_screen method between a browser and a native client call? If the call is from a browser it should return the HTML form page, but if the call is from a native client it should read the user credentials from there. The native application here is a .NET application that tries to log in to mTool remotely by providing user credentials.
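One way to make the browser-vs-native-client distinction asked about above, as an added example that is not code from the thread or from CherryPy: the decision is driven by the request's Accept header (browsers explicitly ask for text/html; an HTTP client library typically sends */* or application/json). The function keeps the from_page/username/error_msg parameters session_auth passes to login_screen; the headers argument is an assumption standing in for cherrypy.request.headers, and a native client that gets the JSON 401 is expected to POST the same username/password fields to do_login and keep the session cookie.

```python
import json
from html import escape


def parse_accept(header):
    """Media types from an Accept header, highest q first; earlier entries win ties."""
    types = []
    for i, part in enumerate(header.split(",")):
        pieces = [p.strip() for p in part.split(";")]
        media = pieces[0].lower()
        if not media:
            continue
        q = 1.0
        for param in pieces[1:]:
            if param.startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0  # malformed q value: treat the type as unacceptable
        types.append((q, -i, media))
    types.sort(reverse=True)
    return [(m, q) for q, _, m in types if q > 0]


def is_browser(headers):
    """True only when text/html outranks */* and JSON in the client's preferences."""
    for media, _ in parse_accept(headers.get("Accept", "")):
        if media == "text/html":
            return True
        if media in ("application/json", "*/*"):
            return False
    return False  # no Accept header at all: assume a non-browser client


def login_screen(headers, from_page="..", username="", error_msg=""):
    """Returns (status, content type, body); a real tool would set them on the response."""
    if is_browser(headers):
        body = ('<form method="post" action="do_login">'
                f'<input type="hidden" name="from_page" value="{escape(from_page)}"/>'
                f'<input type="text" name="username" value="{escape(username)}"/>'
                '<input type="password" name="password"/>'
                f'<input type="submit" value="Log in"/>{escape(error_msg)}</form>')
        return 200, "text/html", body
    body = json.dumps({"error": error_msg or "authentication required",
                       "login": "POST username and password to do_login"})
    return 401, "application/json", body
```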