



<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<title> Authentication</title>
<META NAME="description" CONTENT=" Authentication">
<META NAME="keywords" CONTENT="modpython">
<META NAME="resource-type" CONTENT="document">
<META NAME="distribution" CONTENT="global">
<link rel="STYLESHEET" href="modpython.css">
<link rel="first" href="modpython.html">
<link rel="contents" href="contents.html" title="Contents">
<link rel="index" href="genindex.html" title="Index">
<LINK REL="previous" href="hand-pub-alg-args.html">
<LINK REL="up" href="hand-pub-alg.html">
<LINK REL="next" HREF="node94.html">
<DIV CLASS="navigation">
<table align="center" width="100%" cellpadding="0" cellspacing="2">
<td><A href="hand-pub-alg-args.html"><img src="icons/previous.png"
  border="0" height="32"
  alt="Previous Page" width="32"></A></td>
<td><A href="hand-pub-alg.html"><img src="icons/up.png"
  border="0" height="32"
  alt="Up One Level" width="32"></A></td>
<td><A HREF="node94.html"><img src="icons/next.png"
  border="0" height="32"
  alt="Next Page" width="32"></A></td>
<td align="center" width="100%">Mod_python Manual</td>
<td><A href="contents.html"><img src="icons/contents.png"
  border="0" height="32"
  alt="Contents" width="32"></A></td>
<td><img src="icons/blank.png"
  border="0" height="32"
  alt="" width="32"></td>
<td><A href="genindex.html"><img src="icons/index.png"
  border="0" height="32"
  alt="Index" width="32"></A></td>
<b class="navlabel">Previous:</b> <a class="sectref" href="hand-pub-alg-args.html"> Argument Matching and</A>
<b class="navlabel">Up:</b> <a class="sectref" href="hand-pub-alg.html">6.1.2 The Publishing Algorithm</A>
<b class="navlabel">Next:</b> <a class="sectref" HREF="node94.html">6.1.3 Form Data</A>
<!--End of Navigation Panel-->

<H3><A NAME="SECTION008123000000000000000">&nbsp;</A>
<BR> Authentication</H3>

The publisher handler provides simple ways to control access to
modules and functions.

At every traversal step, the publisher handler checks for the presence of
the <tt class="method">__auth__</tt> and <tt class="method">__access__</tt> attributes (in this order), as
well as the <tt class="method">__auth_realm__</tt> attribute.

If <tt class="method">__auth__</tt> is found and it is callable, it will be called
with three arguments: the <tt class="class">Request</tt> object, a string containing
the user name and a string containing the password. The user name and
password are taken from the HTTP Basic <code>Authorization</code> header of the
request, where they are only base64-encoded, not encrypted, so this mechanism
should only be used over an SSL/TLS connection. If the return value of
<code>__auth__</code> is false, then <tt class="constant">HTTP_UNAUTHORIZED</tt> is
returned to the client (which will usually cause a password dialog box
to appear).

If <tt class="method">__auth__</tt> is a dictionary, then the user name will be
matched against the keys and the password against the value associated
with the matching key. If there is no such key, or the password does not match,
<tt class="constant">HTTP_UNAUTHORIZED</tt> is returned. Note that this requires
storing passwords as clear text in source code, which is not very secure; a
callable <tt class="method">__auth__</tt> that compares against stored password
hashes avoids this.

<tt class="method">__auth__</tt> can also be a constant. In this case, if it is false
(i.e. <tt class="constant">None</tt>, <code>0</code>, <code>""</code>, etc.), then 
<tt class="constant">HTTP_UNAUTHORIZED</tt> is returned.

If there exists an <code>__auth_realm__</code> string, it will be sent
to the client as Authorization Realm (this is the text that usually
appears at the top of the password dialog box).

If <tt class="method">__access__</tt> is found and it is callable, it will be called
with two arguments: the <tt class="class">Request</tt> object and a string containing
the user name. If the return value of <code>__access__</code> is false, then
<tt class="constant">HTTP_FORBIDDEN</tt> is returned to the client.

If <tt class="method">__access__</tt> is a list, then the user name will be matched
against the list elements. If the user name is not in the list, 
<tt class="constant">HTTP_FORBIDDEN</tt> is returned.

Similarly to <tt class="method">__auth__</tt>, <tt class="method">__access__</tt> can be a constant.

In the example below, only user "<tt class="samp">eggs</tt>" with password "<tt class="samp">spam</tt>" can access the <code>hello</code> function; user "<tt class="samp">joe</tt>" authenticates successfully but is rejected by <code>__access__</code> and receives <tt class="constant">HTTP_FORBIDDEN</tt>:

<dl><dd><pre class="verbatim">
  __auth_realm__ = "Members only"

  def __auth__(req, user, passwd):
      if (user == "eggs" and passwd == "spam") or \
         (user == "joe" and passwd == "eoj"):
          return 1
      return 0

  def __access__(req, user):
      if user == "eggs":
          return 1
      return 0

  def hello(req):
      return "hello"
</pre></dd></dl>

Here is the same functionality, but using an alternative technique:

<dl><dd><pre class="verbatim">
  __auth_realm__ = "Members only"
  __auth__ = {"eggs":"spam", "joe":"eoj"}
  __access__ = ["eggs"]

  def hello(req):
      return "hello"
</pre></dd></dl>
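The rules described above, and the clear-text dictionary caveat, as an added example that is not mod_python's own code: a Python 3 model of the publisher's decision at one traversal step, exercised on the "Members only" module of the two listings, rewritten so that <code>__auth__</code> verifies salted PBKDF2 hashes in constant time instead of comparing clear-text passwords. <code>publisher_check</code>, <code>serve</code>, <code>build_module</code>, <code>hashed_auth</code> and the credential table are names and data constructed for this example; the status constants stand in for <code>apache.OK</code>, <code>apache.HTTP_UNAUTHORIZED</code> and <code>apache.HTTP_FORBIDDEN</code>, and <code>hashlib.pbkdf2_hmac</code> and <code>hmac.compare_digest</code> are not available in the Python 2 releases mod_python 3.1 ran on.

```python
import hashlib
import hmac
import types

OK = 0                    # stands in for apache.OK
HTTP_UNAUTHORIZED = 401   # stands in for apache.HTTP_UNAUTHORIZED
HTTP_FORBIDDEN = 403      # stands in for apache.HTTP_FORBIDDEN


def _pbkdf2(password, salt):
    """PBKDF2-SHA256 of a password; the stored form of every credential."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed credential table: user -> (salt, hash). The salts are fixed so the
# example is deterministic; real code draws them from os.urandom(16).
CREDENTIALS = {
    "eggs": (b"\x01" * 16, _pbkdf2("spam", b"\x01" * 16)),
    "joe": (b"\x02" * 16, _pbkdf2("eoj", b"\x02" * 16)),
}
_DUMMY = (b"\x00" * 16, b"\x00" * 32)   # hashed against for unknown users


def hashed_auth(req, user, passwd):
    """Callable __auth__ (hypothetical) that never stores clear-text passwords.

    An unknown user is hashed against a dummy entry so the response time does not
    reveal whether the user name exists, and the comparison is constant-time.
    """
    salt, expected = CREDENTIALS.get(user, _DUMMY)
    return hmac.compare_digest(_pbkdf2(passwd, salt), expected)


def build_module(name, **attrs):
    """Builds a stand-in for a published module carrying the given hook attributes."""
    mod = types.ModuleType(name)
    for key, value in attrs.items():
        setattr(mod, key, value)
    return mod


def members_module():
    """The 'Members only' module of the listings above, with hashed credentials."""
    return build_module(
        "members",
        __auth_realm__="Members only",
        __auth__=hashed_auth,            # callable form
        __access__=["eggs"],             # list form: joe authenticates but is forbidden
        hello=lambda req: "hello",
    )


def publisher_check(obj, req, user, passwd):
    """One traversal step, following the documented rules.

    Returns (status, realm): status is OK, HTTP_UNAUTHORIZED or HTTP_FORBIDDEN;
    realm is the __auth_realm__ to send with a 401 (None when the module sets none).
    """
    realm = getattr(obj, "__auth_realm__", None)
    if hasattr(obj, "__auth__"):
        auth = obj.__auth__
        if callable(auth):
            ok = auth(req, user, passwd)
        elif isinstance(auth, dict):
            ok = user in auth and auth[user] == passwd   # clear-text dictionary form
        else:
            ok = bool(auth)                              # constant form
        if not ok:
            return HTTP_UNAUTHORIZED, realm
    if hasattr(obj, "__access__"):
        access = obj.__access__
        if callable(access):
            ok = access(req, user)
        elif isinstance(access, list):
            ok = user in access
        else:
            ok = bool(access)
        if not ok:
            return HTTP_FORBIDDEN, realm
    return OK, realm


def serve(mod, func_name, req, user, passwd):
    """Checks the module, then calls the published function; returns (status, body)."""
    status, _realm = publisher_check(mod, req, user, passwd)
    if status != OK:
        return status, None
    return OK, getattr(mod, func_name)(req)
```

With <code>members_module()</code>, <code>serve(m, "hello", None, "eggs", "spam")</code> yields <code>(OK, "hello")</code>, a wrong password yields <code>HTTP_UNAUTHORIZED</code> together with the realm, and "joe" with his correct password is authenticated but gets <code>HTTP_FORBIDDEN</code> from the access list. The dictionary branch keeps the page's clear-text comparison on purpose, so the two forms can be compared side by side.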

Since the publisher does not read <code>__auth__</code> or <code>__access__</code>
as attributes of a function object, to protect a single function an
<code>__auth__</code> or <code>__access__</code> function can be defined within
the function, e.g.:

<dl><dd><pre class="verbatim">
  def sensitive(req):

      def __auth__(req, user, password):
          if user == 'spam' and password == 'eggs':
              # let them in
              return 1
          # no access
          return 0

      # something involving sensitive information
      return 'sensitive information'
</pre></dd></dl>

Note that this technique will also work if <code>__auth__</code> or
<code>__access__</code> is a constant, but will not work if they are
a dictionary or a list.

The <code>__auth__</code> and <code>__access__</code> mechanisms exist
independently of the standard
<em class="citetitle">PythonAuthenHandler</em>. It
is possible to use, for example, the handler to authenticate, then the
<code>__access__</code> list to verify that the authenticated user is
allowed to call a particular function.

<div class="note"><b class="label">Note:</b>
In order for mod_python to access <tt class="function">__auth__</tt>,
the module containing it must first be imported. Therefore, any
module-level code will be executed during the import even if
<tt class="function">__auth__</tt> is false, i.e. before the request is
rejected. To truly protect a module from being accessed, use an
authentication mechanism that runs before the content handler, e.g. Apache's
<code>mod_auth</code> or a mod_python <em class="citetitle">PythonAuthenHandler</em>.
</div>
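The ordering problem described in the note, as an added example that is not mod_python's code: a constructed "protected" module whose body records a side effect (standing in for opening a database connection or reading a secret) is executed the way an import executes it, first with the publisher's <code>__auth__</code> rule applied afterwards, then behind a gate that runs before the import, as the authentication phase does relative to the content handler. <code>import_protected</code>, <code>publisher_request</code>, <code>serve_publisher_only</code>, <code>serve_with_authen_phase</code> and the <code>allowed</code> credential set are all constructed for this example.

```python
import types

# Constructed source of a "protected" module. Its __auth__ admits only eggs/spam,
# yet the module body (the append below) runs on every import regardless.
PROTECTED_SOURCE = '''
SIDE_EFFECTS.append("module body executed")

def __auth__(req, user, passwd):
    return user == "eggs" and passwd == "spam"

def secret(req):
    return "sensitive information"
'''


def import_protected(source=PROTECTED_SOURCE):
    """Executes the module source the way an import does; returns (module, effects)."""
    effects = []
    mod = types.ModuleType("protected")
    mod.__dict__["SIDE_EFFECTS"] = effects   # lets the module body report what ran
    exec(source, mod.__dict__)
    return mod, effects


def publisher_request(mod, user, passwd):
    """The publisher's __auth__ rule, applied after the import has already happened."""
    auth = getattr(mod, "__auth__", 1)
    ok = auth(None, user, passwd) if callable(auth) else bool(auth)
    return "HTTP_UNAUTHORIZED" if not ok else mod.secret(None)


def serve_publisher_only(user, passwd):
    """Publisher alone: import first, decide second. Returns (response, effects)."""
    mod, effects = import_protected()
    return publisher_request(mod, user, passwd), effects


def serve_with_authen_phase(user, passwd, allowed):
    """A gate in the authentication phase (stand-in for mod_auth or a
    PythonAuthenHandler) runs before the content handler, so a rejected request
    never triggers the import. `allowed` is a constructed set of (user, password)."""
    if (user, passwd) not in allowed:
        return "HTTP_UNAUTHORIZED", []
    mod, effects = import_protected()
    return publisher_request(mod, user, passwd), effects
```

<code>serve_publisher_only("eggs", "wrong")</code> returns <code>HTTP_UNAUTHORIZED</code> but the effects list already contains the module-body entry; <code>serve_with_authen_phase("eggs", "wrong", {("eggs", "spam")})</code> returns the same status with an empty effects list, which is the difference the note is about.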


<DIV CLASS="navigation">
<table align="center" width="100%" cellpadding="0" cellspacing="2">
<span class="release-info">Release 3.1.0a, documentation updated on August 26, 2003.</span>