Re: How should I properly implement HTTP(S) auth (REMOTE_AUTH) in django?

2011-02-09 Thread Sean W
The relays would operate garage doors. So, I want the user to be able to 
quickly and securely launch the application and operate the doors. I 
would like to have a system which is almost as easy to use as an existing 
opener, but with additional features:

- Check the door status from anywhere*
- Logging
- User, group, and time-based authentication
- Without decreasing security (if anything, I want to improve it)

* I would only allow the user to operate the door if he/she is 
geographically close to the door, for safety reasons.

I looked into OAuth, but it does not seem to fit my use-case well.

I wonder how difficult it would be to implement PKI auth for this 
application…

On Wednesday, February 9, 2011 12:06:36 AM UTC-5, Eric wrote:

>  I wouldn't consider using a UUID as multi-factor authentication.
>
> All our API traffic is over https.  We use the basic authentication 
> included with django-piston.
>
> Any reason why you want to exchange username and password for an API Key? 
>  Why not just authenticate each request with username and password?
>
>
>
>  On Feb 8, 2011, at 5:37 PM, Sean W wrote:
>
> This is a re-post of my stack overflow question here 
> http://stackoverflow.com/questions/4939908/how-should-i-properly-impliment-https-auth-remote-auth-in-django
>
> Hi,
>
> I am in the planning phase of a new project. I want to be able to control 
> multiple relays from my android powered phone over the internet. I need to 
> use an HTTP based server as a middleman between the phone and the relays. 
> Django is my preferred platform because Python is my strongest skill set. 
> This would not be a "web app" (with the exception of the admin interface for 
> managing the users and their access to the relays). Rather, the server would 
> simply provide an API in the form of HTTPS requests and JSON encoding. 
> Though, I should note that I have never done any web development in my life, 
> so I don't know best practices (yet). The authentication method should meet 
> the following criteria:
>
>    - Works over HTTPS (self-signed SSL) 
>    - Provides multi-factor authentication (in the form of something you 
>    have and something you know) 
>    - Be reasonably secure (Would be very difficult to fool, guess at, or 
>    otherwise bypass) 
>    - Is simple in implementation for the server operator and end user on 
>    the mobile client 
>    - Is lightweight in terms of both CPU cycles and bandwidth
>
> I plan to use the following scheme to solve this:
>
>    1. An administrator logs into the web interface, creates a user, and 
>    sets up his/her permissions (including a username and a password chosen by 
>    the user). 
>    2. The user starts the client, selects add server, and enters the 
>    server URL and his/her credentials. 
>    3. The client attempts to authenticate the user via HTTP auth 
>    (over SSL). If the authentication was successful, the server will generate 
>    an API key in the form of a UUID and sends it to the client. The client will 
>    save this key and use it in all API calls over HTTPS. HTTP auth is only used 
>    for the initial authentication process prior to receiving a key, as a session 
>    scheme would not be necessary for this application. Right? The client will 
>    only work if the phone is configured to automatically lock with a PIN or 
>    pattern after a short timeout. The server will only allow one key to be 
>    generated per user, unless an administrator resets the key. Hence, simple, 
>    mobile, multifactor authentication.
>
> Is this sound from a security standpoint? Also, can anyone point me to an 
> example of how to use the HTTP auth that is built into Django? From a Google 
> search, I can find a lot of snippets which hack the feature together. But, 
> none of them implement HTTP auth in the way it was added to Django in 
> 1.1 <http://code.djangoproject.com/ticket/689>. 
> The official documentation for REMOTE_AUTH can be found 
> here <http://docs.djangoproject.com/en/1.2/howto/auth-remote-user/>, 
> but I am having difficulty understanding the documentation as I am very new 
> to Django.
>
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en.


How should I properly implement HTTP(S) auth (REMOTE_AUTH) in django?

2011-02-08 Thread Sean W
This is a re-post of my stack overflow question here 
http://stackoverflow.com/questions/4939908/how-should-i-properly-impliment-https-auth-remote-auth-in-django

Hi,

I am in the planning phase of a new project. I want to be able to control 
multiple relays from my android powered phone over the internet. I need to 
use an HTTP based server as a middleman between the phone and the relays. 
Django is my preferred platform because Python is my strongest skill set. 
This would not be a "web app" (with the exception of the admin interface for 
managing the users and their access to the relays). Rather, the server would 
simply provide an API in the form of HTTPS requests and JSON encoding. 
Though, I should note that I have never done any web development in my life, 
so I don't know best practices (yet). The authentication method should meet 
the following criteria:

   - Works over HTTPS (self-signed SSL)
   - Provides multi-factor authentication (in the form of something you have 
   and something you know)
   - Be reasonably secure (Would be very difficult to fool, guess at, or 
   otherwise bypass)
   - Is simple in implementation for the server operator and end user on the 
   mobile client
   - Is lightweight in terms of both CPU cycles and bandwidth

I plan to use the following scheme to solve this:

   1. An administrator logs into the web interface, creates a user, and sets 
   up his/her permissions (including a username and a password chosen by the 
   user).
   2. The user starts the client, selects add server, and enters the 
   server URL and his/her credentials.
   3. The client attempts to authenticate the user via HTTP auth 
   (over SSL). If the authentication was successful, the server will generate 
   an API key in the form of a UUID and sends it to the client. The client will 
   save this key and use it in all API calls over HTTPS. HTTP auth is only used 
   for the initial authentication process prior to receiving a key, as a session 
   scheme would not be necessary for this application. Right? The client will 
   only work if the phone is configured to automatically lock with a PIN or 
   pattern after a short timeout. The server will only allow one key to be 
   generated per user, unless an administrator resets the key. Hence, simple, 
   mobile, multifactor authentication.

Is this sound from a security standpoint? Also, can anyone point me to an 
example of how to use the HTTP auth that is built into Django? From a Google 
search, I can find a lot of snippets which hack the feature together. But, 
none of them implement HTTP auth in the way it was added to Django in 
1.1 <http://code.djangoproject.com/ticket/689>. 
The official documentation for REMOTE_AUTH can be found 
here <http://docs.djangoproject.com/en/1.2/howto/auth-remote-user/>, 
but I am having difficulty understanding the documentation as I am very new 
to Django.


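The three-step scheme in the post (Basic auth over TLS once, then a per-user API key on every call) is shown below as plain Python, as an added example that is not part of the original thread and not Django code; the in-memory USERS and API_KEYS dictionaries stand in for Django models, and the helper names are assumptions. Two deliberate choices differ from the post's wording: the key is a 256-bit token from the OS CSPRNG rather than a UUID (the UUID format itself guarantees nothing about randomness), and the server stores only a hash of the key and compares it in constant time, so a dump of the key table does not hand out working credentials.

```python
"""Credential-for-API-key exchange as described in the post, written as
stand-alone Python (no Django). Constructed example: USERS, API_KEYS and
the helper names below are assumptions, not any project's real API."""
import base64
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stores standing in for Django models.
# USERS:    username -> (salt, PBKDF2 digest of the password)
# API_KEYS: username -> SHA-256 digest of the issued key (the key itself is never stored)
USERS = {}
API_KEYS = {}
PBKDF2_ITERATIONS = 100_000


def create_user(username, password):
    """Admin step 1: keep a salted PBKDF2 hash, never the plaintext password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    USERS[username] = (salt, digest)


def verify_password(username, password):
    """Constant-time check; unknown users still pay the PBKDF2 cost, so timing
    does not reveal which usernames exist."""
    salt, stored = USERS.get(username, (b"\x00" * 16, b"\x00" * 32))
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return username in USERS and hmac.compare_digest(candidate, stored)


def parse_basic_auth(header):
    """Decode an 'Authorization: Basic <base64(user:pass)>' value.
    Returns (username, password), or None for anything malformed."""
    try:
        scheme, _, token = header.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
        username, sep, password = decoded.partition(":")  # password may itself contain ':'
        return (username, password) if sep else None
    except (ValueError, UnicodeDecodeError):
        return None


def basic_header(username, password):
    """Client side (step 2/3): the header the phone sends on first contact, over TLS."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def issue_api_key(authorization_header):
    """Server side of step 3: exchange Basic credentials for one long-lived key.
    Returns the key (shown to the client exactly once) or None. Only one key
    per user may exist until an administrator resets it."""
    creds = parse_basic_auth(authorization_header)
    if creds is None or not verify_password(*creds):
        return None
    username = creds[0]
    if username in API_KEYS:
        return None  # key already issued; admin must reset first
    key = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    API_KEYS[username] = hashlib.sha256(key.encode()).digest()
    return key


def authenticate_api_key(key):
    """Per-request check on every later API call: hash the presented key and
    compare against stored digests in constant time. Returns username or None."""
    presented = hashlib.sha256(key.encode()).digest()
    for username, stored in API_KEYS.items():
        if hmac.compare_digest(presented, stored):
            return username
    return None


def admin_reset_key(username):
    """Revoke the user's key so a fresh one can be issued. True if one existed."""
    return API_KEYS.pop(username, None) is not None


if __name__ == "__main__":
    create_user("sean", "correct horse battery staple")
    key = issue_api_key(basic_header("sean", "correct horse battery staple"))
    print("issued key for", authenticate_api_key(key))
    print("second issue refused:", issue_api_key(basic_header("sean", "correct horse battery staple")) is None)
```

Note what this does and does not buy you: the key is a single factor (something the phone has); the screen-lock PIN the post relies on is enforced only on the handset and is invisible to the server, and the server has no way to tell a stolen key apart from the real client. Binding the key to something the server can check (a client certificate, or a signature over each request) is what the "PKI auth" idea in the reply above would add.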

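On the REMOTE_USER howto the post links: Django does not perform the HTTP authentication itself. The web server (Apache with AuthType Basic and Require valid-user, for instance) checks the credentials and exposes the result in the WSGI environ as REMOTE_USER; RemoteUserMiddleware, placed after AuthenticationMiddleware in MIDDLEWARE_CLASSES together with RemoteUserBackend in AUTHENTICATION_BACKENDS, reads that variable and logs the user in. The property this relies on is shown below as an added example (not Django's code and not from the thread): build_environ() is a constructed stand-in for how a WSGI server maps a request, and the Apache front end is assumed.

```python
"""Why RemoteUserMiddleware can trust REMOTE_USER but nothing a client sends.
Added illustration; build_environ() is a constructed model of the WSGI
header mapping (PEP 3333), not a real server."""


def build_environ(client_headers, server_authenticated_user=None):
    """Model of what a WSGI server does with an incoming request: every client
    header becomes HTTP_<NAME> (uppercased, '-' -> '_'), so a client cannot
    write the bare REMOTE_USER key. REMOTE_USER is set only by the server
    itself, after *it* has authenticated the request."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/api/doors/"}
    for name, value in client_headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    if server_authenticated_user is not None:
        environ["REMOTE_USER"] = server_authenticated_user
    return environ


def user_from_remote_user(environ):
    """What Django's RemoteUserMiddleware relies on: the server-set key only.
    A client header named Remote-User lands in HTTP_REMOTE_USER and is ignored."""
    return environ.get("REMOTE_USER")


def user_from_custom_header(environ, header="HTTP_AUTHUSER"):
    """The pattern the Django howto warns about: trusting a header a client can
    send. Safe only if the front-end server unconditionally strips or
    overwrites that header before the request reaches the application."""
    return environ.get(header)


if __name__ == "__main__":
    spoofed = build_environ({"Remote-User": "admin", "Authuser": "admin"})
    print("server-set identity:", user_from_remote_user(spoofed))      # None
    print("client-controlled header:", user_from_custom_header(spoofed))  # admin
```

The practical consequence for the garage-door API: keep the Django process reachable only through the server that sets REMOTE_USER (not on a second port or directly via the development server), and if a reverse proxy is ever put in front, make sure it clears any REMOTE_USER or custom identity header it did not set itself.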

Re: Django training resources?

2010-12-17 Thread Sean W
I should mention that I would prefer a tutorial that goes over 
web development principles like Javascript and AJAX because I've never used 
those tools before.

Thanks again.   




Django training resources?

2010-12-17 Thread Sean W
Is anyone aware of good quality, affordable training for Django?  I'm 
entirely new to web development, although I do have some experience with 
Python. I'm also a college student, so cost is a concern. I don't have the 
time to travel to a training seminar. I'm not one of those people who can 
master a subject simply by reading a book or tutorial–I need some hands on 
experience. Something like a webinar would work, even a pre-recorded one.

Any suggestions are appreciated. Thanks.
 




Re: Wiki in Django?

2010-09-11 Thread Sean W
After a bit of googling I found:

https://code.google.com/p/sct-project/

On Sep 11, 12:47 pm, Shamail Tayyab  wrote:
> Hi,
>
>   I need a very minimal wiki, best if it runs on flat files. moinmoin is too
> heavy for what I am looking. Is there some Django thing available or written
> by someone here?
>
> Thanks
>
> --
> Shamail Tayyab
> Blog:http://shamail.in/blog
