On 08.06.2010 at 01:08, Gustavo Narea wrote:
Diez said:
I'm sorry, but this won't work. The fault here is certainly not on
repoze.wh* side, but what you presented so far is just working to
authenticate the login call itself. But obviously the OP wants a bunch
of authenticated (and possibly authorized) API-calls, not just one.
If he wants to authenticate once and accept subsequent calls from the
authenticated client, there are much easier ways to accomplish that.
Taking your example of returning a token which would be sent back in
subsequent connections, my original code would be modified to
something like:
"""
from repoze.who.interfaces import IIdentifier
from webob import Request
from zope.interface import implements


class XmlRpcIdentifier(object):
    implements(IIdentifier)

    classifications = {IIdentifier: ["xmlrpc"]}

    def identify(self, environ):
        request = Request(environ)
        if "login" in request.POST and "password" in request.POST:
            credentials = {
                'login': request.POST['login'],
                'password': request.POST['password'],
            }
            environ['repoze.who.application'] = AuthnResponse(**credentials)
        else:
            credentials = None
        return credentials


class AuthnResponse(object):

    def __init__(self, login, password):
        # hash_it is not defined in this snippet
        self._token = hash_it("s3cr3t", login, password)

    def __call__(self, environ, start_response):
        headers = [
            ("Content-Type", "text/plain"),
            ("Content-Length", str(len(self._token))),
        ]
        start_response("200 OK", headers)
        return [self._token]
"""
That's it. Then repoze.who and repoze.what would behave as usual, with no
additional steps/workarounds/etc.
The above is obviously not working. You might not know how XMLRPC
works - but it has no POST or GET parameters.
It has a POST-body that's an XML-document like this:
<?xml version='1.0'?>
<methodCall>
  <methodName>login</methodName>
  <params>
    <param>
      <value><string>user</string></value>
    </param>
    <param>
      <value><string>password</string></value>
    </param>
  </params>
</methodCall>
So you can't instantiate a request and get login and password.
Instead, you need xmlrpclib.loads on the full wsgi.input body (as I
already explained).
And where does the token get identified by repoze.wh*, and how are the
credentials then set? Is the token part of the HTTP header? Not
working out of the box. Is the token a parameter to the underlying
XMLRPC-call? Then it's not working because you don't inspect the body.
To re-iterate again: XMLRPC works over HTTP, but it does *NOT* work
with the whole browser-semantics of cookies and headers.
Diez
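
An added example, not part of the original thread or of repoze.who: a sketch of the body inspection described in the message above, reading the full wsgi.input, parsing it with `xmlrpc.client.loads` (the Python 3 name for `xmlrpclib.loads`) and putting the body back for the downstream XML-RPC dispatcher. The names `identify_xmlrpc`, `make_environ`, `MAX_BODY` and `SAMPLE_CALL` are assumptions made for this illustration.

```python
import io
import xmlrpc.client  # Python 3 name for the xmlrpclib module
from xml.parsers.expat import ExpatError

MAX_BODY = 64 * 1024  # assumed cap on how much untrusted XML is read and parsed

# Constructed sample: the login call shown in the message, as a request body.
SAMPLE_CALL = (
    b"<?xml version='1.0'?><methodCall><methodName>login</methodName><params>"
    b"<param><value><string>user</string></value></param>"
    b"<param><value><string>password</string></value></param>"
    b"</params></methodCall>"
)


def make_environ(body):
    """Build a minimal WSGI environ around a request body (test helper)."""
    return {"REQUEST_METHOD": "POST", "CONTENT_LENGTH": str(len(body)),
            "wsgi.input": io.BytesIO(body)}


def identify_xmlrpc(environ):
    """Return login/password from an XML-RPC login call, else None.

    Hypothetical function with the contract of IIdentifier.identify().
    """
    if environ.get("REQUEST_METHOD") != "POST":
        return None
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        return None
    if not 0 < length <= MAX_BODY:
        return None
    body = environ["wsgi.input"].read(length)
    # Put the body back so the XML-RPC dispatcher downstream can still read it.
    environ["wsgi.input"] = io.BytesIO(body)
    try:
        params, method = xmlrpc.client.loads(body)
    except (ExpatError, xmlrpc.client.Error, ValueError, TypeError):
        return None  # not XML-RPC at all, or a fault/response, not a call
    if method != "login" or len(params) != 2:
        return None
    login, password = params
    if not (isinstance(login, str) and isinstance(password, str)):
        return None
    return {"login": login, "password": password}
```

A form-encoded body such as `login=user&password=password` fails XML parsing here and yields no credentials, which is the mismatch the message points out.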