How to authenticate a user?

Alan Anderson

Aug 16, 2010, 11:48:26 AM
to Wub Discussion
When I started using TclHttpd many years ago, I could not get cookies
to work properly. I concocted a functional but uncomfortably complex
scheme for maintaining user authentication and state. I'd like to
start fresh with my current project, but I keep running into areas of
Wub that are still opaque to me.

How do I authenticate a user? I'm hacking blindly again, and I'm not
hitting on the "right" way to do it. Currently I've tried this (it's
in the JN namespace):

proc /logon.html {r args} {
    if {[Http CredCheck $r ::JN::simple]} {
        jpage "Logon Successful" Logoff "You're in!"
    } else {
        return [Http Unauthorized $r "Provide your credentials." "Sorry, you're not in yet."]
    }
}

proc simple {id pass} {
    if {$id eq "user" && $pass eq "pass"} {
        return true
    } else {
        return false
    }
}

# the jpage proc isn't part of the problem, but you'll need to see it
in order to tell that I'm doing at least part of it right. The
pagewrap proc just puts a bunch of boilerplate header/navigation/
footer stuff around the real content.

proc jpage {title section content} {
    dict set r -title "Jasper : $title"
    dict set r -content [pagewrap $section $content]
    dict set r content-type text/html
}


Based on the WWW-authenticate header I see being added to the response
by [Http Unauthorized], I would expect the browser to present a
request for ID and password. It does not. How badly am I missing the
mark here?

I think I'm close, since I can change the simple credentials check to
always return true and get the desired "You're in!" page.

Alan Anderson

Aug 16, 2010, 12:00:15 PM
to Wub Discussion
On Aug 16, 11:48 am, Alan Anderson <qunc...@gmail.com> wrote:
>
>       return [Http Unauthorized $r "Provide your credentials." "Sorry, you're not in yet."]

I got it sorted out. I just needed to understand the WWW-authenticate
header properly. The line

    return [Http Unauthorized $r [Http BasicAuth "Jasper"] "Sorry, you're not in yet."]

does exactly what I need it to do.
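
The challenge/response exchange behind this fix, as an added example that is not part of the original post and is not Wub's code: a browser prompts only when the 401 carries a WWW-Authenticate value naming a scheme and a realm, and it then repeats the request with an Authorization header holding the base64 of id:password. The proc names are hypothetical and the sample header values are constructed.

```tcl
# Added example in plain Tcl 8.6. Proc names are hypothetical, not Wub's API.
# WWW-Authenticate value for a 401: scheme token, then realm as a quoted-string.
proc basicChallenge {realm} {
    set quoted [string map [list \\ \\\\ \" \\\"] $realm]
    return "Basic realm=\"$quoted\""
}

# What a browser needs before it prompts: a scheme it knows, plus a realm.
proc looksLikeBasicChallenge {value} {
    regexp -nocase {^\s*Basic\s+realm="(?:[^"\\]|\\.)*"} $value
}

# Parse an Authorization request header. Returns a list of id and password,
# or an empty list if the header is absent or malformed.
proc parseBasic {header} {
    if {![regexp -nocase {^\s*Basic\s+([A-Za-z0-9+/]+={0,2})\s*$} $header -> b64]} {
        return {}
    }
    if {[catch {binary decode base64 -strict $b64} raw]} {
        return {}
    }
    # Split on the first colon only: a password may contain colons.
    set i [string first : $raw]
    if {$i < 0} {
        return {}
    }
    list [string range $raw 0 $i-1] [string range $raw $i+1 end]
}

# Constructed check, using the credentials from the thread's simple proc.
proc checkUser {id pass} {
    expr {$id eq "user" && $pass eq "pass"}
}

# Status and extra response headers for one request's Authorization value.
proc respond {authHeader} {
    set cred [parseBasic $authHeader]
    if {[llength $cred] == 2 && [checkUser {*}$cred]} {
        return [list 200 {}]
    }
    list 401 [list WWW-Authenticate [basicChallenge "Jasper"]]
}

# Free text is not a challenge; scheme plus realm is.
puts [looksLikeBasicChallenge "Provide your credentials."]
puts [looksLikeBasicChallenge [basicChallenge "Jasper"]]
# Constructed requests: no header, then what a browser sends after the prompt.
puts [respond ""]
puts [respond "Basic [binary encode base64 user:pass]"]
```

Base64 is an encoding, not encryption, so Basic credentials are readable on the wire unless the connection itself is protected with TLS.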

Alan Anderson

Aug 17, 2010, 4:03:21 PM
to Wub Discussion
How can I use the ldap package with Wub, given that it wants to use a
[vwait] while protocol stuff happens (apparently based on fileevents)
but Wub's startup pre-emptively keeps that from working while it uses its
own [vwait]? Is there really a problem with "nesting" in this case?

I've seen mention of similar conflicts with proxy. Is there a
general scheme for dealing with this?

Colin McCormack

Aug 17, 2010, 7:02:50 PM
to wub-dis...@googlegroups.com
On 18/08/10 06:03, Alan Anderson wrote:
> How can I use the ldap package with Wub, given that it wants to use a
> [vwait] while protocol stuff happens (apparently based on fileevents)
> but Wub's startup pre-emptively keeps that from working while it uses its
> own [vwait]? Is there really a problem with "nesting" in this case?
>

I think there may be, yes. ISTR the "AAAARRRRGH" was my reaction to a
very difficult bug I had to track down caused by a vwait.

> I've seen mention of similar conflicts with proxy. Is there a
> general scheme for dealing with this?
>

Good question. You might try the coroutine::auto package in tcllib, but
I suspect that it'll all need to be in a slave interp.

There's no satisfactory general scheme for dealing with this kind of
thing. coroutine::auto seems to go some way to it.

Let me know how you go.

Colin

Alan Anderson

Aug 18, 2010, 10:26:38 AM
to Wub Discussion
On Aug 17, 7:02 pm, Colin McCormack <mcc...@gmail.com> wrote:
> ISTR the "AAAARRRRGH" was my reaction to a
> very difficult bug I had to track down caused by a vwait.
> ...
> Let me know how you go.

While my toolbox might now contain coroutines, my brain does
not...yet. I haven't the first clue how to go about applying them to
my ldap issue.

My "solution" at present is simply to remove Wub's interception of
[vwait] and deal with any nesting problems if they manifest
themselves. I recognize that there might be a valid reason for having
it there, and I apologize for ripping it out by the roots that way,
but it was keeping me from using existing code that works.



I expect I'll be asking about using the Login domain soon -- it looks
like it does some things I need.

Alan Anderson

Apr 6, 2011, 4:01:39 PM
to wub-dis...@googlegroups.com
On Wednesday, August 18, 2010 10:26:38 AM UTC-4, Alan Anderson wrote:
> My "solution" at present is simply to remove Wub's interception of
> [vwait] and deal with any nesting problems if they manifest
> themselves...
 
In case anyone's paying attention, I ended up moving the ldap authentication into an external program (an sdx-wrapped script) and calling it from within my Wub-hosted code. It's a mite less efficient, but it avoids the nested vwait problem completely.

Colin McCormack

Apr 6, 2011, 11:11:51 PM
to wub-dis...@googlegroups.com
Somehow I think I missed this ... anyway ...

The AAAARGH stuff, though emotionally expressive, doesn't actually stop the process does it?

Hard to really know the best way to handle this.  Networking things in Tcl should really not depend upon vwait, as (as you have noticed) it prevents them being properly composed.  There is, for what it's worth, a coroutine package in tcllib which wraps vwait into a coroutine-friendly facility using [trace] to emulate [vwait].  It may be that that package could be used to successfully wrap ldap.tcl (etc) to make it play nice.

Colin.

Alan Anderson

Apr 7, 2011, 9:05:25 AM
to wub-dis...@googlegroups.com
On Wednesday, April 6, 2011 11:11:51 PM UTC-4, mcccol wrote:
> The AAAARGH stuff, though emotionally expressive, doesn't actually stop the process does it?
 
Wub prevents code from using [vwait]. The ldap package wants to use [vwait]. That's a serious impasse.
 
So, as I said, I'm accepting the restriction and not using the ldap package in my Direct domain. I'm [exec]'ing a simple external program that does the necessary authentication check outside the Wub environment and returns the result I need.
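
One way to make the [exec] call described above without exposing the password or letting the user id alter the command line, as an added example that is not the poster's program. The helper script, its exit-status convention and the proc name externalAuth are all hypothetical; the helper is a constructed stand-in that performs no real LDAP lookup.

```tcl
# Added example in plain Tcl 8.6; the helper script and proc names are hypothetical.

# Constructed stand-in for the external checker: user id in argv, password on
# stdin, exit status 0 for accept and 1 for reject.
set f [file tempfile helper]
puts $f {
    set pass [read stdin]
    exit [expr {[lindex $argv 0] eq "user" && $pass eq "pass" ? 0 : 1}]
}
close $f

# Returns 1 only when the helper exits cleanly with status 0.
proc externalAuth {helper id pass} {
    # exec reads words such as < > | 2> and a trailing & as redirection or
    # pipeline syntax and offers no way to quote them, so reject any id
    # outside a conservative character set before it reaches exec.
    if {![regexp {^[A-Za-z0-9._@-]{1,64}$} $id]} {
        return 0
    }
    # The password goes to the helper's stdin with <<, keeping it out of
    # argv, where a process listing would show it.
    if {[catch {exec [info nameofexecutable] $helper $id << $pass} out opts]} {
        # Non-zero exit, stderr output, or a helper that cannot be started:
        # all are treated as a denial (fail closed).
        return 0
    }
    return 1
}

puts [externalAuth $helper user pass]
puts [externalAuth $helper user wrong]
puts [externalAuth $helper "<user" pass]
file delete $helper
```

The -errorcode entry in opts separates a rejected password (CHILDSTATUS) from a helper that failed to run, which is worth logging even though both deny the logon.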

Colin McCormack

Apr 7, 2011, 10:17:31 AM
to wub-dis...@googlegroups.com
On 07/04/11 23:05, Alan Anderson wrote:
> On Wednesday, April 6, 2011 11:11:51 PM UTC-4, mcccol wrote:
>> The AAAARGH stuff, though emotionally expressive, doesn't actually stop the process does it?
>
> Wub prevents code from using [vwait]. The ldap package wants to use [vwait]. That's a serious impasse.

Yeah, I see.  ldap actually uses [vwait] for its intended purpose.

What about if you package require coroutine::auto and then invoke the ldap stuff from within a coroutine?  That actually ought to work, I think.

Alan Anderson

Apr 7, 2011, 10:50:46 AM
to wub-dis...@googlegroups.com
On Thursday, April 7, 2011 10:17:31 AM UTC-4, mcccol wrote:
> What about if you package require coroutine::auto and then invoke the ldap stuff from within a coroutine?  That actually ought to work, I think.
 
Coroutines aren't in my programming vocabulary yet. I haven't even started to investigate how or why to use them, and I'm presently too busy implementing user requirements to add another tool to my active toolbox. Maybe in six months I'll have the luxury of learning how to exploit new features of Tcl, but I have to admit I'm using it mostly because of its simplicity.

Colin McCormack

Apr 7, 2011, 10:59:38 AM
to wub-dis...@googlegroups.com
Talking on the Tcler's chat just now, it's quite likely I can write something to make the coroutines invisible, so you'd call [::ldap whatever] instead of ::ldap::whatever and it would just work.

I'll have a look at doing that in the morning.

Colin.
