RIAs, services and authentication


Alexei Vinidiktov

Jun 4, 2009, 11:42:18 PM6/4/09
to web...@googlegroups.com
Hello,

I'm wondering what is the best approach to authenticating users from
within desktop apps or RIA apps written, for example, in Silverlight,
Flex, GWT, pyjamas that communicate with web2py backends via rpc
services.

Thanks.

--
Alexei Vinidiktov

desfrenes

Jun 5, 2009, 6:01:35 AM6/5/09
to web2py Web Framework
I use a token auth handle at the service level. It has disadvantages
(need to check auth on each method, but should be easy with python
decorators) but at least I can use the same services with no
modification, whatever the message format (soap, json, xml,
anything...) or the transport layer.

On Jun 5, 5:42 am, Alexei Vinidiktov <alexei.vinidik...@gmail.com>
wrote:

Kuba Kucharski

Jun 5, 2009, 8:57:28 AM6/5/09
to web...@googlegroups.com
could you show us how to achieve that? example or a link ..


thx
--
Kuba

Alexei Vinidiktov

Jun 6, 2009, 4:20:09 AM6/6/09
to web...@googlegroups.com
Thanks for your reply, desfrenes.

Could you share how you generate your tokens? Do they expire or are
they permanent for each user?

Do tokens identify sessions or users?

Thanks.
--
Alexei Vinidiktov

desfrenes

Jun 6, 2009, 5:46:02 AM6/6/09
to web2py Web Framework
Tokens identify users, not sessions, since your services should be
stateless anyway (each call to a service method should be independent
and should not require a call to another method. Read about it here:
http://searchsoa.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid26_gci826428,00.html).
Sessions are your client's job.
The token has an expiry date and lifetime may be different from user
to user.

I use something like this, client side:

# first get a token
authToken = serviceProxy.getToken(user, password)

# then use it with methods that require auth.
helloWorld = serviceProxy.helloWorld(token = authToken)

serviceProxy could be formatting json-rpc, xml-rpc, soap, whatever...
also this would work no matter the transport.

I do have an implementation of the server, however since it's not
written in python I didn't post it here (my client is a web2py app and
my server is a ZF app). I can send it to you but it's php, you tell
me.
What I implemented in Python is a client class (using json-rpc format
since it's my preferred format): http://www.desfrenes.com/python-json-rpc

A possible server implementation in web2py could be something like
this (replace the docstrings with appropriate logic):

from gluon.tools import Service
# create a server instance
service = Service(globals())

@service.jsonrpc
def getToken(user, password):
    """
    here, perform authentication
    against whatever source you like
    (db, file, service, CAS, ldap...)
    generate a token, store it in cache or
    db with an expiry date and
    associated user id.
    You may generate the token with
    uuid and then encrypt it
    """
    return 'xyz'

# expose as json-rpc
@service.jsonrpc
def helloWorld(token, name):
    """
    here, check validity of token
    (does it exist? is it expired?),
    if valid and corresponding user has
    right, then return result,
    else raise error.
    You may perform auth within a
    python decorator so you only
    have to add @tokenAuth before
    your function
    """
    return 'hello ' + name

# your service end point
def call(): return service()

Another way is to use http basic auth, but it was not my choice.
You'll find tons of articles about it.


On Jun 6, 10:20 am, Alexei Vinidiktov <alexei.vinidik...@gmail.com>
wrote:
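The two desfrenes posts above describe the pattern (a getToken method that authenticates and issues an expiring token tied to a user id, and a decorator that validates the token before each service method) but leave the bodies as docstrings. The following is an added, self-contained example that fills in that logic; it is not desfrenes's server code, not web2py's Service, and it assumes a plain Python module with an in-memory dict standing in for the cache or database table and a constructed user table with salted password hashes. The `now` parameter is a testing hook so expiry can be exercised without waiting; a real deployment would drop it and use the clock only.

```python
import functools
import hashlib
import hmac
import secrets
import time

# Constructed salt and user table; stands in for the db/ldap/CAS source
# the post mentions. Per-user token lifetime (seconds) differs, as the
# post says it may.
_SALT = b"constructed-salt-for-example"


def _hash_password(password, salt=_SALT):
    """Salted SHA-256 of the password (illustrative; use a slow KDF in practice)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


USERS = {
    "alice": {"id": 1, "pw": _hash_password("correct horse"), "token_ttl": 3600},
    "bob":   {"id": 2, "pw": _hash_password("hunter2"),       "token_ttl": 60},
}

# Token store: token -> (user_id, expiry_timestamp). In-memory dict here;
# the post suggests cache or db for this.
TOKEN_STORE = {}


class AuthError(Exception):
    """Raised for bad credentials, unknown tokens, or expired tokens."""


def get_token(user, password, now=None):
    """Authenticate the user and issue a random, time-limited token."""
    now = time.time() if now is None else now
    record = USERS.get(user)
    # Always hash and compare in constant time, even for unknown users,
    # so response timing does not reveal which usernames exist.
    expected = record["pw"] if record else _hash_password("")
    ok = hmac.compare_digest(expected, _hash_password(password))
    if record is None or not ok:
        raise AuthError("invalid credentials")
    # 32 random bytes from the OS CSPRNG; the token carries no user data,
    # the mapping lives only server side.
    token = secrets.token_urlsafe(32)
    TOKEN_STORE[token] = (record["id"], now + record["token_ttl"])
    return token


def validate_token(token, now=None):
    """Return the user id for a live token; purge and reject expired ones."""
    now = time.time() if now is None else now
    entry = TOKEN_STORE.get(token)
    if entry is None:
        raise AuthError("unknown token")
    user_id, expiry = entry
    if now >= expiry:
        del TOKEN_STORE[token]
        raise AuthError("token expired")
    return user_id


def token_auth(func):
    """Decorator: validate the leading token argument, pass the user id on."""
    @functools.wraps(func)
    def wrapper(token, *args, now=None, **kwargs):
        user_id = validate_token(token, now=now)
        return func(user_id, *args, **kwargs)
    return wrapper


@token_auth
def hello_world(user_id, name):
    """Service method that requires a valid token (user id comes from it)."""
    return "hello %s (user %d)" % (name, user_id)


if __name__ == "__main__":
    tok = get_token("alice", "correct horse")
    print(hello_world(tok, "Alexei"))
```

Each service method still has to be decorated, which is the per-method cost desfrenes mentions, but the check itself is written once. Because the token is an opaque random value and the user id and expiry are only looked up server side, a client that learns a token cannot extend its lifetime or change the user it maps to, and purging on expiry keeps the store from growing with dead entries.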

Alexei Vinidiktov

Jun 6, 2009, 6:09:16 AM6/6/09
to web...@googlegroups.com
Thanks a lot for the information, desfrenes! It's just what I needed.

I'm new to web programming (been developing desktop software for a
while mostly in C++) and have to do many things for the first time.

Now I'm going to try and experiment with this stuff.

I wish server-side token generation and handling would be implemented
in web2py proper.

BASIC authentication for services was added to web2py recently, but
I'm at a loss as to how to actually use it. I asked a question about
it in a different thread, but got no answer so far...

Thanks again for your help. I really appreciate it!
--
Alexei Vinidiktov

desfrenes

Jun 6, 2009, 6:21:56 AM6/6/09
to web2py Web Framework


On Jun 6, 12:09 pm, Alexei Vinidiktov <alexei.vinidik...@gmail.com>
wrote:
> I wish server-side token generation and handling would be implemented
> in web2py proper.

I'm not sure there can be a generic response to this since the nature
of both the token and the token store can be different from one
project to another. The token could be time-based or the user id
signed or both... the store could be ram cache, database, disk cache,
etc...

> BASIC authentication for services was added to web2py recently, but
> I'm at a loss as to how to actually use it. I asked a question about
> it in a different thread, but got no answer so far...

If it has been added only recently, the best is to ask Massimo.

mdipierro

Jun 6, 2009, 10:49:29 AM6/6/09
to web2py Web Framework
if sessions are enabled web2py services will return the session cookie
(as for regular pages), if you return that as a cookie it will
authenticate the user without passing credentials again. There is no
other mechanism.

desfrenes

Jun 6, 2009, 11:58:17 AM6/6/09
to web2py Web Framework
That's another way and quite possibly the most standard one, but still
this seems to be a problem in some cases. afaik, actionscript 3 has
no native support for cookies, that means flex applications won't use
them, although AIR applications will (yes, this is crazy).

Anyway this is a general web services problem, not web2py's.