#2282: Authentication and authorization settings should be customizable on deployment
------------------------+---------------------------------------------------
 Reporter:  kikidonk    |       Owner:  Gustavo
     Type:  defect      |      Status:  assigned
 Priority:  high        |   Milestone:  2.1
Component:  TurboGears  |     Version:  trunk
 Severity:  critical    |  Resolution:
 Keywords:  auth        |
------------------------+---------------------------------------------------
Changes (by Gustavo):
* status: new => assigned
* summary: TG2 with auth_tkt authentication uses default secret =>
Authentication and authorization settings
should be customizable on deployment
* priority: normal => high
* owner: => Gustavo
* milestone: 2.0rc1 => 2.1
* keywords: => auth
* severity: major => critical
Old description:
> A TG2 quickstarted project will be set up to use the auth_tkt mechanism,
> and sqlalchemy as backend to fetch users.
>
> The cookie contains an encrypted hash with a secret key that is by
> default 'secret'. This means that one could change the userid of an
> existing cookie and recompute a new cookie to be able to be authenticated
> as any user.
>
> The fix for that is to pass the 'cookie_secret' option to the repoze.who
> module.
>
> One way to do this is:
> self.sa_auth.cookie_secret = "mysecret"
> in config/app_cfg.py
>
> It seems weird to me to have this key in the python file, since it's more
> deployment-specific rather than application-specific, much like the
> beaker.session.secret. It might be worth either using the
> beaker.session.secret key value or being able to define it in the .ini
> config file.
New description:
A TG2 quickstarted project will be set up to use the auth_tkt mechanism, and
sqlalchemy as backend to fetch users.

The cookie contains an encrypted hash with a secret key that is by default
'secret'. This means that one could change the userid of an existing cookie
and recompute a new cookie to be able to be authenticated as any user.

The fix for that is to pass the 'cookie_secret' option to the repoze.who
module.

One way to do this is:
self.sa_auth.cookie_secret = "mysecret"
in config/app_cfg.py

It seems weird to me to have this key in the python file, since it's more
deployment-specific rather than application-specific, much like the
beaker.session.secret. It might be worth either using the
beaker.session.secret key value or being able to define it in the .ini config
file.

Like this, there are many things that should be customizable on
deployment.
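As an added example of the deployment-side fix the description asks for (not code from the ticket or from TurboGears itself): take the auth_tkt secret from the .ini, falling back to the beaker.session.secret the deployment already has, and refuse to start on the shipped default 'secret'. The key name sa_auth.cookie_secret, the 32-character minimum and the make_app wiring are assumptions.

```python
from configparser import ConfigParser
from io import StringIO

# Default secret of the repoze.who auth_tkt plugin, as named in the ticket.
DEFAULT_SECRET = "secret"
MIN_SECRET_LEN = 32  # assumed policy minimum, not a TurboGears requirement


class InsecureCookieSecret(ValueError):
    """The deployment provides no auth_tkt secret that is safe to sign cookies with."""


def secret_problem(app_conf):
    """Return why app_conf has no usable auth_tkt secret, or None if it is fine.

    Lookup order follows the ticket's proposal: an explicit sa_auth.cookie_secret
    (assumed key name), then the beaker.session.secret the deployment already has.
    """
    secret = app_conf.get("sa_auth.cookie_secret") or app_conf.get("beaker.session.secret")
    if not secret:
        return "neither sa_auth.cookie_secret nor beaker.session.secret is set"
    if secret == DEFAULT_SECRET:
        return "secret is the auth_tkt default; anyone can mint a cookie for any user"
    if len(secret) < MIN_SECRET_LEN:
        return "secret is shorter than %d characters" % MIN_SECRET_LEN
    return None


def cookie_secret_from_app_conf(app_conf):
    """Return the value to assign to base_config.sa_auth.cookie_secret, or fail loudly."""
    problem = secret_problem(app_conf)
    if problem is not None:
        raise InsecureCookieSecret(problem)
    return app_conf.get("sa_auth.cookie_secret") or app_conf["beaker.session.secret"]


def cookie_secret_from_ini(ini_text, section="app:main"):
    """Same check driven from Paste-style .ini text, so a deploy script can run it."""
    parser = ConfigParser(interpolation=None)
    parser.read_file(StringIO(ini_text))
    return cookie_secret_from_app_conf(dict(parser.items(section)))


# Constructed sample deployment files: one still on the default, one acceptable.
BAD_INI = "[app:main]\nuse = egg:myproject\nbeaker.session.secret = secret\n"
GOOD_INI = ("[app:main]\nuse = egg:myproject\n"
            "beaker.session.secret = 0b1b3d5f7f9e1d3c5b7a9f1e3d5c7b9a1f3e5d7c\n")

if __name__ == "__main__":
    print("auth_tkt secret taken from .ini:", cookie_secret_from_ini(GOOD_INI))
    print("problem with BAD_INI:", secret_problem({"beaker.session.secret": "secret"}))
```

In a quickstarted project the returned value would be assigned to base_config.sa_auth.cookie_secret inside make_app() in config/middleware.py before make_base_app() is called (assumed wiring), so the secret never lives in app_cfg.py.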
Comment:
Agreed. This is one of the issues reported in #2240.
But I'll keep this ticket for auth* settings only.
--
Ticket URL: <http://trac.turbogears.org/ticket/2282#comment:1>
TurboGears <http://www.turbogears.org/>
TurboGears front-to-back web development