Hello.

On Wednesday November 26, 2008 12:12:16 Joost wrote:
> As I understand it, the AuthTktCookiePlugin method sends the userid
> in the clear over the wire. A salted MD5 hash is used to prevent tampering
> with this userid. The problem with this method is that a sniffer can
> use brute force/rainbow tables to obtain the salt (it's the only
> unknown). Secondly, skipping through the AuthTktCookiePlugin code I don't
> see it setting the username/password fields in the identity map (only
> "repoze.who.userid"). From the documentation and code I understand
> that an IdentifierPlugin needs to return/set a login/password
> combination to work with the SQLAuthenticatorPlugin in
> tgext.authorization. Can it be that this identifier plug-in doesn't
> work in combination with the SQLAuthenticatorPlugin?

No, it should work. All SQLAuthenticatorPlugin needs is the login and the 
password, so any identifier that defines such values will work.

> So that leaves me with the question of how to do secure cookie
> authentication in TG2? Should I implement my own IdentifierPlugin and
> AuthenticatorPlugin to support this use case?

How do you authenticate the user on both sites? The user logs in to the secure
site, then she's redirected to the "insecure" one for it to set a session
cookie and then redirect her back to the secure site? If so, one solution may
be to have an authenticator in the secure site which redirects the user to the
insecure site if authentication succeeds and then an identifier in the
"insecure" site sets its own cookie and redirects the user back to the secure
site.

> If so, can someone point
> me in the right direction on how to configure a TG2 app to use these
> custom plug-ins?

Having a single TG2 application serving two different websites (one under http 
and the other under https) with a common authentication working on both sites 
is not very common, so you'll have to stop TG from configuring auth for you 
[1] and then configure it yourself to customize repoze.who as you need through 
repoze.what [2] (using setup_auth() so that you can add the special identifier 
and authenticators).

Cheers.

[1] The online docs are outdated, so build them 
http://svn.turbogears.org/docs/2.0/docs/ (read the section on how to disable 
the quickstart in the Auth section, specifically in how to customize auth)
[2] You'll have to read the repoze.what manual, specifically:
http://static.repoze.org/whatdocs/Manual/GettingStarted.html
http://static.repoze.org/whatdocs/Manual/Plugins/SQL.html
http://static.repoze.org/whatdocs/Manual/InnerWorkings.html#repoze.what.middleware.setup_auth
-- 
Gustavo Narea <http://gustavonarea.net/>.

Get rid of unethical constraints! Get freedomware:
http://www.getgnulinux.org/
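As an added illustration (not code from this thread, from repoze.who or from TurboGears), here is a simplified model of the auth_tkt ticket that the AuthTktCookiePlugin scheme discussed above is built on: the userid, tokens and user data travel readable in the cookie, and only the double-MD5 digest is keyed with the server secret, so the ticket is tamper-evident but not confidential. The layout and digest construction follow the mod_auth_tkt convention; the always-present "!" separators, the constant-time comparison and the 32-byte random secret are this example's own choices, and the IP and timestamp values are constructed samples.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

def new_secret() -> bytes:
    # The digest is only as strong as the secret's entropy: use 32 random bytes,
    # not a short word that someone holding a captured ticket could guess offline.
    return secrets.token_bytes(32)

def _encode_ip_timestamp(ip: str, ts: int) -> bytes:
    # mod_auth_tkt packs the client's dotted IPv4 address and the timestamp as 8 raw bytes.
    return bytes(int(octet) for octet in ip.split(".")) + ts.to_bytes(4, "big")

def _digest(secret: bytes, ip: str, ts: int, userid: str, tokens: str, data: str) -> str:
    # Keyed double MD5: md5(md5(ip_ts + secret + userid\0tokens\0data) + secret).
    inner = hashlib.md5(_encode_ip_timestamp(ip, ts) + secret + userid.encode()
                        + b"\0" + tokens.encode() + b"\0" + data.encode()).hexdigest()
    return hashlib.md5(inner.encode() + secret).hexdigest()

def make_ticket(secret: bytes, ip: str, userid: str, tokens: str = "",
                data: str = "", ts: Optional[int] = None) -> str:
    # Cookie value: 32 hex digest + 8 hex timestamp + userid!tokens!data
    # (simplified: both separators are always emitted; tokens must not contain "!").
    ts = int(time.time()) if ts is None else ts
    return "%s%08x%s!%s!%s" % (_digest(secret, ip, ts, userid, tokens, data), ts, userid, tokens, data)

def parse_ticket(ticket: str) -> Tuple[str, int, str, str, str]:
    # Anyone on the wire can read these fields; no secret is needed to parse them.
    digest, ts_hex, rest = ticket[:32], ticket[32:40], ticket[40:]
    userid, tokens, data = rest.split("!", 2)
    return digest, int(ts_hex, 16), userid, tokens, data

def verify_ticket(secret: bytes, ticket: str, ip: str, now: Optional[int] = None,
                  timeout: int = 3600) -> Optional[str]:
    """Return the userid if the ticket is authentic, bound to this IP and unexpired, else None."""
    try:
        digest, ts, userid, tokens, data = parse_ticket(ticket)
    except ValueError:
        return None  # malformed: too short, missing separators or non-hex timestamp
    expected = _digest(secret, ip, ts, userid, tokens, data)
    if not hmac.compare_digest(digest.encode(), expected.encode()):  # constant-time compare
        return None
    now = int(time.time()) if now is None else now
    if now - ts > timeout:
        return None
    return userid
```

Changing the userid in a captured ticket invalidates the digest, but reading it requires nothing at all, which is the point Joost raises above.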
