Eric, I may have found a way to do it, but it's not pretty. Create a controller that only has login / logout methods. The login method will return your token that is saved somewhere (cache or database).

Then in other controllers where you need to enforce token authentication, put this into your call() method:

    def call():
        if 'token' in request.vars:
            token = request.vars.token
            if token != 'test':  # you would put your own token checking logic here
                raise HTTP(401, 'Supplied token was not valid.')
        else:
            raise HTTP(401, 'Token must be supplied as a variable in the query string.')
        return service()

Now, to get a token, call your login method (that is in another controller):

    import xmlrpclib

    x = xmlrpclib.ServerProxy('http://127.0.0.1:8000/rpc_test/auth/login/xmlrpc')
    try:
        token = x.login(username, password)
    except:
        print 'Login failed'

    x = xmlrpclib.ServerProxy('http://127.0.0.1:8000/rpc_test/my_controller/call/xmlrpc?token=%s' % token)
    try:
        x.my_method(a, b)
        x.add(1, 2)
    except:
        print 'Not authorized'

What happens here is you log in, get the token, then make a new connection with the token, which is checked for every call you make to my_controller. You do not need to include the token in the API at all with this method, but again, it's kind of a hacky way to do it.

I'm not sure how X509 works, but if Massimo says that's the way to go, then I'm going to wait before implementing it the way described here. I have a couple of weeks before I have to worry about this, I'm just doing preliminary research right now.
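The post leaves "your own token checking logic" as a placeholder behind a hard-coded `token != 'test'` comparison. The following is an added example, not code from the post or from web2py, of what that placeholder would typically hold: a login that verifies a salted password hash and issues a random, expiring token, and a gate that mirrors the `call()` check but looks the token up in a store and compares it in constant time. It is Python 3 standard library only; `HTTP`, `check_request`, the credential table and the fixed salt are stand-ins constructed for the demo (web2py's real `HTTP` exception and `request.vars` are not used), and the `_tokens` dict plays the role of the cache or database the post mentions. One caveat worth keeping in mind with the query-string approach: `?token=...` URLs are routinely written to web server, proxy and client logs, so a short token lifetime limits how long a logged token stays usable.

```python
# Added example (not from the original post or from web2py): issued, expiring,
# random tokens with constant-time comparison, replacing the `token != 'test'`
# placeholder. Pure standard library; `check_request` stands in for the gate
# at the top of call().
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # assumed token lifetime for the demo


def _hash_password(password, salt):
    """PBKDF2-HMAC-SHA256 of the password; stored instead of the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed credential table: username -> (salt, password hash).
# A real deployment uses a random per-user salt; one fixed salt keeps the demo short.
_DEMO_SALT = b"constructed-demo-salt"
USERS = {"alice": (_DEMO_SALT, _hash_password("correct horse battery staple", _DEMO_SALT))}

# token -> (username, expiry timestamp); stands in for the cache/database in the post
_tokens = {}


def login(username, password, now=None):
    """Issue a fresh random token on valid credentials; return None otherwise."""
    now = time.time() if now is None else now
    record = USERS.get(username)
    if record is None:
        return None
    salt, stored_hash = record
    # compare_digest keeps the comparison time independent of where a mismatch occurs
    if not hmac.compare_digest(_hash_password(password, salt), stored_hash):
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
    _tokens[token] = (username, now + TOKEN_TTL_SECONDS)
    return token


def check_token(token, now=None):
    """Return the username bound to a live token, or None if unknown or expired."""
    now = time.time() if now is None else now
    supplied = str(token).encode()
    # Constant-time comparison against each issued token; expired ones are dropped
    # on sight so the store does not accumulate stale entries.
    for issued, (user, expiry) in list(_tokens.items()):
        if hmac.compare_digest(issued.encode(), supplied):
            if now >= expiry:
                del _tokens[issued]
                return None
            return user
    return None


class HTTP(Exception):
    """Stand-in for web2py's HTTP exception: a status code plus message."""

    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


def check_request(request_vars, now=None):
    """The gate from the post's call(): raise HTTP(401) unless a valid token is supplied."""
    if "token" not in request_vars:
        raise HTTP(401, "Token must be supplied as a variable in the query string.")
    user = check_token(request_vars["token"], now)
    if user is None:
        raise HTTP(401, "Supplied token was not valid.")
    return user  # the real call() would go on to return service()


def gate_status(request_vars, now=None):
    """Status code the gate would answer with: 200 on success, else the HTTP status raised."""
    try:
        check_request(request_vars, now)
        return 200
    except HTTP as exc:
        return exc.status


if __name__ == "__main__":
    t = login("alice", "correct horse battery staple")
    print("issued token:", t)
    print("gate with token:", gate_status({"token": t}))
    print("gate without token:", gate_status({}))
```

`login` and `check_request` take an optional `now` so the expiry path can be exercised deterministically; in production both would simply use the clock. Because tokens are random, a plain dict lookup would also be safe; the explicit `compare_digest` scan is there to make the constant-time property visible.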