Thanks Michele, I resolved the issue by overriding class X509Auth :). One
more clarification:
Using openssl, I created the CA certificate and private key, then client and
server certificates with their private keys signed by the CA certificate.
Everything is working fine except:
When I access my application I always need to provide the server
certificate password at the command prompt (where the server was started) to
access the page. Is there any way to disable this? I mean, the user only needs
to import the client certificate into their browser, and when they access the
application it should allow access to the pages of the application without
asking for the password. Anyway, the user doesn't have access to the server, so
they can't provide the password; in this case, even though they
will be able to import the client certificate (the server certificate is
downloaded to the browser automatically when they make a request to the
application), they can't access the application pages because the server
command prompt will ask for the password. So how do I make it password-free?
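Michele's suggestion in the quoted thread below is to override X509Auth.get_user(). The following is an added example, not web2py's or Michele's code: a defensive version of the profile construction in gluon/contrib/login_methods/x509_auth.py that handles the two problems visible in the quoted tracebacks, the "reduce() of empty sequence" error when a subject field such as surname/SN is an empty list, and the `givenName or username` fallback being a string, which makes reduce split the name into characters ('A | m | i | t'). It assumes, as in x509_auth.py, that self.subject maps attribute names to lists of values and self.serial is the certificate serial; the stand-in X509Auth base class is only there so the file runs outside web2py.

```python
from functools import reduce  # a builtin in the thread's Python 2.7; imported here for Python 3

try:
    from gluon.contrib.login_methods.x509_auth import X509Auth
except ImportError:  # outside web2py (assumption): stand-in base so the file runs alone
    class X509Auth(object):
        pass


def join_values(values, default=''):
    """Join one subject attribute's values with ' | ' like x509_auth.py does,
    but tolerate an empty list and a bare string (the original's
    `givenName or username` fallback is a string, so reduce split it into chars)."""
    if isinstance(values, str):
        values = [values]
    values = [v for v in (values or []) if v]
    if not values:
        return default
    return reduce(lambda a, b: '%s | %s' % (a, b), values)


def build_profile(subject, serial):
    """Build the auth_user profile from a certificate subject: `subject` maps
    attribute name -> list of values (X509Auth's self.subject), `serial` is the
    certificate serial that x509_auth.py uses as the unique user key."""
    username = join_values(subject.get('CN') or subject.get('commonName'))
    if not username:
        raise ValueError('client certificate has no CN; refusing to log in')
    return {
        'username': username,
        'first_name': join_values(subject.get('givenName') or subject.get('GN'),
                                  default=username),
        # surname (OpenSSL short name SN) is optional in most openssl.cnf request
        # sections, so default it instead of failing the whole login
        'last_name': join_values(subject.get('surname') or subject.get('SN')),
        'email': join_values(subject.get('Email') or subject.get('emailAddress')),
        # IMPORTANT: the certificate serial is the unique key for the user
        'registration_id': serial,
    }


class MyX509Auth(X509Auth):
    """Override to wire up in the model: auth.settings.login_form = MyX509Auth()"""
    def get_user(self):
        return build_profile(self.subject, self.serial)


# Constructed sample subject shaped like the Storage in the quoted traceback
# (SN empty, no givenName); not from a real certificate.
SAMPLE_SUBJECT = {'CN': ['Amit'], 'C': ['IN'], 'Email': ['user@example.com'],
                  'SN': [], 'organizationUnitName': ['HSG']}
```

With the sample subject, build_profile returns last_name '' and first_name 'Amit' instead of raising or producing 'A | m | i | t'.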


On Wed, Nov 7, 2012 at 6:52 PM, Michele Comitini <michele.comit...@gmail.com> wrote:

> Amit,
>
> A "self" was missing; this should work:
>
> class MyX509Auth(X509Auth):
>     def get_user(self):
>         self.subject.surname = <put something here >
>         # return the profile dict the base get_user builds, or login gets None
>         return X509Auth.get_user(self)
> auth.settings.login_form = MyX509Auth()
>
>
> 2012/11/7 Michele Comitini <michele.comit...@gmail.com>
>
>> Amit,
>>
>> in your model call the derived class
>>
>> auth.settings.login_form = MyX509Auth()
>>
>>
>>
>> 2012/11/7 Michele Comitini <michele.comit...@gmail.com>
>>
>>> simpatiCA makes the client certificates already with the needed fields.
>>> Since you use openssl directly you can set all the fields you need in
>>> the certificates by changing openssl.cnf in your openssl installation.
>>> There is plenty of documentation on that.
>>>
>>> OR you can extend the class X509Auth to fit your needs by overriding
>>> get_user():
>>>
>>>
>>> class MyX509Auth(X509Auth):
>>>  def get_user():
>>>               self.subject.surname = <put something here >
>>>               X509Auth.get_user(self)
>>>
>>>
>>> mic
>>>
>>>
>>>
>>> 2012/11/7 Amit <amit.khaw...@gmail.com>
>>>
>>>> Hi,
>>>> I filled in the email address in the certificate, but I think the
>>>> problem is with the surname; please check the log below:
>>>>
>>>>
>>>> File D:\web2py2.1.1\web2py\gluon\contrib\login_methods\x509_auth.py
>>>> in get_user at line 91
>>>> Function argument list:
>>>> (self=<gluon.contrib.login_methods.x509_auth.X509Auth object>)
>>>> Code listing (lines 86-95):
>>>>
>>>>         p = profile = dict()
>>>>         username = p['username'] = reduce(lambda a,b: '%s | %s' % (a,b),
>>>>                                           self.subject.CN or self.subject.commonName)
>>>>         p['first_name'] = reduce(lambda a,b: '%s | %s' % (a,b),
>>>>                                  self.subject.givenName or username)
>>>>         p['last_name'] = reduce(lambda a,b: '%s | %s' % (a,b),
>>>>                                 self.subject.surname)
>>>>         p['email'] = reduce(lambda a,b: '%s | %s' % (a,b),
>>>>                             self.subject.Email or self.subject.emailAddress)
>>>>         # IMPORTANT WE USE THE CERT SERIAL AS UNIQUE KEY FOR THE USER
>>>>         p['registration_id'] = self.serial
>>>>
>>>> Variables:
>>>> a undefined, b undefined, builtin reduce <built-in function reduce>,
>>>> self.subject.surname [],
>>>> self <gluon.contrib.login_methods.x509_auth.X509Auth object>,
>>>> self.subject <Storage {'Email': ['amit1.khaw...@gmail.com'],
>>>> ...SG'], 'organizationUnitName': ['HSG'], 'SN': []}>,
>>>> p {'first_name': 'A | m | i | t | 1 | | K | h | a | w | a | r | e', 'username': 'Amit1
>>>> Khaware'}
>>>>
>>>> And while generating the certificates it is not asking about the surname;
>>>> it's asking for the information below:
>>>>
>>>> Country Name (2 letter code) [US]:
>>>> State or Province Name (full name) [CA]:
>>>> Locality Name (eg, city) [San Diego]:
>>>> Organization Name (eg, company) [Cafesoft LLC]:
>>>> Organizational Unit Name (eg, section) []:
>>>> Common Name (eg, YOUR name) []:Cafesoft CA
>>>> Email Address [c...@cafenet.com]:
>>>>
>>>> Please enter the following 'extra' attributes
>>>> to be sent with your certificate request
>>>> A challenge password []:password
>>>> An optional company name []:
>>>>
>>>>
>>>> Please check the link:
>>>>
>>>>
>>>> http://www.cafesoft.com/products/cams/ps/docs30/admin/ConfiguringApache2ForSSLTLSMutualAuthentication.html
>>>>
>>>> So x509_auth.py expects a surname, but the above link doesn't provide an
>>>> option to fill in the surname :(
>>>>
>>>>
>>>> Regards,
>>>>
>>>> Amit
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Tue, Nov 6, 2012 at 8:34 PM, Michele Comitini <
>>>> michele.comit...@gmail.com> wrote:
>>>>
>>>>> self.subject.Email is [] i.e. an empty list.  Check if that is the
>>>>> problem.
>>>>>
>>>>> mic
>>>>> On 06/nov/2012 14:32, "Amit" <amit.khaw...@gmail.com> wrote:
>>>>>
>>>>>> I have used the link below to generate server certificates, client
>>>>>> certificates and CA certificates, imported the client and CA certificates
>>>>>> into the Mozilla Firefox browser and then deployed the server certificates
>>>>>> and CA certificate to the Rocket server:
>>>>>>
>>>>>> D:\web2py2.1.1\web2py>web2py.py -a password -i 127.0.0.1 -p 8000 -c
>>>>>> C:\OpenSSL-Win32\bin\cirrusAwareCA\server\certificates\server.test.com.crt
>>>>>> -k C:\OpenSSL-Win32\bin\cirrusAwareCA\server\keys\server.test.com.key
>>>>>> --ca-cert=C:\OpenSSL-Win32\bin\cirrusAwareCA\CA\cirrusAwareCA.crt
>>>>>>
>>>>>> Then open the browser and type https://127.0.0.1:8000/MyApp/default/index
>>>>>>
>>>>>> Now it's giving this error:
>>>>>> <type 'exceptions.TypeError'> reduce() of empty sequence with no
>>>>>> initial value
>>>>>>
>>>>>> Error snapshot:
>>>>>> <type 'exceptions.TypeError'>(reduce() of empty sequence with no
>>>>>> initial value)
>>>>>>
>>>>>> Frames:
>>>>>>
>>>>>>    - File D:\web2py2.1.1\web2py\gluon\restricted.py in restricted at
>>>>>>      line 209
>>>>>>    - File D:\web2py2.1.1\web2py\applications\AuthenticationApp\controllers\default.py
>>>>>>      in <module> at line 76
>>>>>>    - File D:\web2py2.1.1\web2py\gluon\globals.py in <lambda> at line 187
>>>>>>    - File D:\web2py2.1.1\web2py\applications\AuthenticationApp\controllers\default.py
>>>>>>      in user at line 38
>>>>>>      Code listing (lines 33-42):
>>>>>>
>>>>>>        use @auth.requires_login()
>>>>>>            @auth.requires_membership('group name')
>>>>>>            @auth.requires_permission('read','table name',record_id)
>>>>>>        to decorate functions that need access control
>>>>>>        """
>>>>>>        return dict(form=auth())
>>>>>>
>>>>>>    def download():
>>>>>>        """
>>>>>>
>>>>>>    - File D:\web2py2.1.1\web2py\gluon\tools.py in __call__ at line 1205
>>>>>>    - File D:\web2py2.1.1\web2py\gluon\tools.py in login at line 2016
>>>>>>    - File D:\web2py2.1.1\web2py\gluon\contrib\login_methods\x509_auth.py
>>>>>>      in get_user at line 91
>>>>>>      Function argument list:
>>>>>>      (self=<gluon.contrib.login_methods.x509_auth.X509Auth object>)
>>>>>>      Code listing (lines 86-95):
>>>>>>
>>>>>>            p = profile = dict()
>>>>>>            username = p['username'] = reduce(lambda a,b: '%s | %s' % (a,b),
>>>>>>                                              self.subject.CN or self.subject.commonName)
>>>>>>            p['first_name'] = reduce(lambda a,b: '%s | %s' % (a,b),
>>>>>>                                     self.subject.givenName or username)
>>>>>>            p['last_name'] = reduce(lambda a,b: '%s | %s' % (a,b),
>>>>>>                                    self.subject.surname)
>>>>>>            p['email'] = reduce(lambda a,b: '%s | %s' % (a,b),
>>>>>>                                self.subject.Email or self.subject.emailAddress)
>>>>>>            # IMPORTANT WE USE THE CERT SERIAL AS UNIQUE KEY FOR THE USER
>>>>>>            p['registration_id'] = self.serial
>>>>>>
>>>>>>      Variables:
>>>>>>      a undefined, b undefined, builtin reduce <built-in function reduce>,
>>>>>>      self.subject.surname [],
>>>>>>      self <gluon.contrib.login_methods.x509_auth.X509Auth object>,
>>>>>>      self.subject <Storage {'Email': [], 'C': ['IN'],
>>>>>>      'serialNumbe...SG'], 'organizationUnitName': ['HSG'], 'SN': []}>,
>>>>>>      p {'first_name': 'A | m | i | t', 'username': 'Amit'}
>>>>>>
>>>>>>
>>>>>> Regards,
>>>>>> Amit
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Tue, Nov 6, 2012 at 6:42 PM, Michele Comitini <
>>>>>> michele.comit...@gmail.com> wrote:
>>>>>>
>>>>>>> https://github.com/web2py/web2py/blob/master/gluon/main.py#L824
>>>>>>>
>>>>>>> The log seems to say that your certificate file is not there, or not
>>>>>>> accessible
>>>>>>>
>>>>>>> mic
>>>>>>>
>>>>>>>
>>>>>>> 2012/11/6 Amit <amit.khaw...@gmail.com>
>>>>>>>
>>>>>>>>  I am using Python 2.7.2.
>>>>>>>>
>>>>>>>> On Tue, Nov 6, 2012 at 6:33 PM, Michele Comitini <
>>>>>>>> michele.comit...@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> What is your python version?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> 2012/11/6 Amit <amit.khaw...@gmail.com>
>>>>>>>>>
>>>>>>>>>> Hi Michele,
>>>>>>>>>> I used Simpatica to generate the certificates but failed to
>>>>>>>>>> deploy them to the web2py server; please check the first mail in
>>>>>>>>>> this mail chain where I explained the problem in detail.
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Amit
>>>>>>>>>>
>>>>>>>>>> On Tue, Nov 6, 2012 at 4:52 PM, Michele Comitini <
>>>>>>>>>> michele.comit...@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> I suggest looking at the code in gluon/contrib/login_methods/x509_auth.py.
>>>>>>>>>>> Basically you can extract anything from the client-supplied cert and
>>>>>>>>>>> use it with the auth tables of web2py.  That is really simple.
>>>>>>>>>>> The tedious part is getting to know what stuff you can put in
>>>>>>>>>>> the cert.  That is more related to managing a CA than to web2py
>>>>>>>>>>> itself.
>>>>>>>>>>>
>>>>>>>>>>> I have written a simple but functional app for managing a little
>>>>>>>>>>> CA:  simpatiCA <http://goo.gl/nrAhS> ; it is simple enough to
>>>>>>>>>>> be used as an example and extended to your needs.  If you need a 
>>>>>>>>>>> real CA
>>>>>>>>>>> there are more featured solutions around...
>>>>>>>>>>>
>>>>>>>>>>> mic
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> > PS: the man behind X509 auth code in web2py is mcm, sadly for
>>>>>>>>>>> > you it's documented how it works but not how to organize the certs
>>>>>>>>>>> > (which in theory you should know in advance)
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> 2012/11/6 Niphlod <niph...@gmail.com>
>>>>>>>>>>>
>>>>>>>>>>>> hem... one thing is helping you to create certs and a key for an
>>>>>>>>>>>> SSL-protected webserver, quite another to help you manage a
>>>>>>>>>>>> credential store (I really don't have time for that).
>>>>>>>>>>>> You have problems finding out what OpenSSL is and want to
>>>>>>>>>>>> manage X509? Really?
>>>>>>>>>>>> Maybe it's time to read some docs.
>>>>>>>>>>>>
>>>>>>>>>>>> http://www.cafesoft.com/products/cams/ps/docs30/admin/ConfiguringApache2ForSSLTLSMutualAuthentication.html
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> PS: the man behind X509 auth code in web2py is mcm, sadly for
>>>>>>>>>>>> you it's documented how it works but not how to organize the
>>>>>>>>>>>> certs (which in theory you should know in advance)
>>>>>>>>>>>>