| | |
| | | |
| | | An :class:`AuthTktCookiePlugin` is an ``IIdentifier`` and ``IAuthenticator`` |
| | | plugin which remembers its identity state in a client-side cookie. |
| | | This plugin uses the ``paste.auth.auth_tkt``"auth ticket" protocol. |
| | | This plugin uses the ``paste.auth.auth_tkt``"auth ticket" protocol and |
| | | is compatible with Apache's mod_auth_tkt. |
| | | It should be instantiated passing a *secret*, which is used to encrypt the |
| | | cookie on the client side and decrypt the cookie on the server side. |
| | | The cookie name used to store the cookie value can be specified |
| | |
| | | <http://westpoint.ltd.uk/advisories/Paul_Johnston_GSEC.pdf>`_ reports |
| | | that as many as 3% of users change their IP addresses legitimately |
| | | during a session. |
| | | |
| | | .. note:: |
| | | Plugin supports remembering user data in the cookie by saving user dict into ``identity['userdata']`` |
| | | parameter of ``remember`` method. They are sent unencrypted and protected by checksum. |
| | | Data will then be returned every time by ``identify``. This dict must be compatible with |
| | | ``urllib.urlencode`` function (``urllib.urlparse.urlencode`` in python 3). |
| | | Saving keys/values with unicode characters is supported only under python 3. |
| | | |
| | | .. note:: |
| | | Plugin supports multiple digest algorithms. It defaults to md5 to match |
| | | the default for mod_auth_tkt and paste.auth.auth_tkt. However md5 is not |
| | | recommended as there are viable attacks against the hash. Any algorithm |
| | | from the hashlib library can be specified, currently only sha256 and sha512 |
| | | are supported by mod_auth_tkt. |
| | | |
| | | .. module:: repoze.who.plugins.basicauth |
| | | |
| | |
| | | browsers. It challenges by sending an ``WWW-Authenticate`` header |
| | | to the browser. The single argument *realm* indicates the basic |
| | | auth realm that should be sent in the ``WWW-Authenticate`` header. |
| | | |
| | | .. module:: repoze.who.plugins.cookie |
| | | |
| | | .. class:: InsecureCookiePlugin(cookie_name) |
| | | |
| | | A :class:`InsecureCookiePlugin` is an ``IIdentifier`` plugin. It |
| | | stores identification information in an insecure form (the base64 |
| | | value of the username and password separated by a colon) in a |
| | | client-side cookie. It accepts a single required argument named |
| | | *cookie_name*. This is the cookie name of the cookie used to store |
| | | the identification information. The plugin also accepts two optional |
| | | arguments: *cookie_path* is the URL path root which scopes the cookie, |
| | | and *charset* is the name of a codec used to convert the login and password |
| | | to and from unicode. |
| | | |
| | | .. module:: repoze.who.plugins.form |
| | | |
| | | .. class:: FormPlugin(login_form_qs, rememberer_name [, formbody=None [, formcallable=None]]) |
| | | |
| | | A :class:`FormPlugin` is both an ``IIdentifier`` and ``IChallenger`` |
| | | plugin. It intercepts form POSTs to gather identification at |
| | | ingress and conditionally displays a login form at egress if |
| | | challenge is required. *login_form_qs* is a query string name used |
| | | to denote that a form POST is destined for the form plugin (anything |
| | | unique is fine), *rememberer_name* is the "configuration name" of |
| | | another ``IIdentifier`` plugin that will be used to perform |
| | | ``remember`` and ``forget`` duties for the FormPlugin (it does not |
| | | do these itself). For example, if you have a cookie identification |
| | | plugin named ``cookie`` defined in your middleware configuration, |
| | | you might set *rememberer_name* to ``cookie``. *formbody* is a |
| | | literal string that should be displayed as the form body. |
| | | *formcallable* is a callable that will return a form body if |
| | | *formbody* is None. If both *formbody* and *formcallable* are None, |
| | | a default form is used. |
| | | |
| | | .. class:: RedirectingFormPlugin(login_form_url, login_handler_path, logout_handler_path, rememberer_name) |
| | | |
| | | A :class:`RedirectingFormPlugin` is both an ``IIdentifier`` and |
| | | ``IChallenger`` plugin. It intercepts form POSTs to gather |
| | | identification at ingress and conditionally redirects a login form |
| | | at egress if challenge is required (as opposed to the |
| | | :class:`FormPlugin`, it does not handle its own form generation). |
| | | *login_form_url* is a URL that should be redirected to when a |
| | | challenge is required. *login_handler_path* is the path that the |
| | | form will POST to, signifying that the plugin should gather |
| | | credentials. *logout_handler_path* is a path that can be called to |
| | | log the current user out when visited. *rememberer_name* is the |
| | | configuration name of another ``IIdentifier`` plugin that will be |
| | | used to perform ``remember`` and ``forget`` duties for the |
| | | RedirectingFormPlugin (it does not do these itself). For example, |
| | | if you have a cookie identification plugin named ``cookie`` defined |
| | | in your middleware configuration, you might set *rememberer_name* to |
| | | ``cookie``. |
| | | |
| | | .. module:: repoze.who.plugins.htpasswd |
| | | |
| | |
| | | available for use as a check function (on UNIX) as |
| | | ``repoze.who.plugins.htpasswd:crypt_check``; it assumes the values |
| | | in the htpasswd file are encrypted with the UNIX ``crypt`` function. |
| | | |
| | | .. module:: repoze.who.plugins.redirector |
| | | |
| | | .. class:: RedirectorPlugin(login_url, came_from_param, reason_param, reason_header) |
| | | |
| | | A :class:`RedirectorPlugin` is an ``IChallenger`` plugin. |
| | | It redirects to a configured login URL at egress if a challenge is |
| | | required . |
| | | *login_url* is the URL that should be redirected to when a |
| | | challenge is required. *came_from_param* is the name of an optional |
| | | query string parameter: if configured, the plugin provides the current |
| | | request URL in the redirected URL's query string, using the supplied |
| | | parameter name. *reason_param* is the name of an optional |
| | | query string parameter: if configured, and the application supplies |
| | | a header matching *reason_header* (defaulting to |
| | | ``X-Authorization-Failure-Reason``), the plugin includes that reason in |
| | | the query string of the redirected URL, using the supplied parameter name. |
| | | *reason_header* is an optional parameter overriding the default response |
| | | header name (``X-Authorization-Failure-Reason``) which |
| | | the plugin checks to find the application-supplied reason for the challenge. |
| | | *reason_header* cannot be set unless *reason_param* is also set. |
| | | |
| | | .. module:: repoze.who.plugins.sql |
| | | |
| | |
| | | See :ref:`default_plugins`. |
| | | |
| | | |
| | | Deprecated plugins |
| | | ------------------ |
| | | |
| | | The :mod:`repoze.who.deprecatedplugins` distribution bundles the following |
| | | plugin implementations which were shipped with :mod:`repoze.who` prior |
| | | to version 2.0a3. These plugins are deprecated, and should only be used |
| | | while migrating an existing deployment to replacement versions. |
| | | |
| | | :class:`repoze.who.plugins.cookie.InsecureCookiePlugin` |
| | | An ``IIdentifier`` plugin which stores identification information in an |
| | | insecure form (the base64 value of the username and password separated by |
| | | a colon) in a client-side cookie. Please use the |
| | | :class:`AuthTktCookiePlugin` instead. |
| | | |
| | | :class:`repoze.who.plugins.form.FormPlugin` |
| | | |
| | | An ``IIdentifier`` and ``IChallenger`` plugin, which intercepts form POSTs |
| | | to gather identification at ingress and conditionally displays a login form |
| | | at egress if challenge is required. |
| | | |
| | | Applications should supply their |
| | | own login form, and use :class:`repoze.who.api.API` to authenticate |
| | | and remember users. To replace the challenger role, please use |
| | | :class:`repoze.who.plugins.redirector.RedirectorPlugin`, configured with |
| | | the URL of your application's login form. |
| | | |
| | | :class:`repoze.who.plugins.form.RedirectingFormPlugin` |
| | | |
| | | An ``IIdentifier`` and ``IChallenger`` plugin, which intercepts form POSTs |
| | | to gather identification at ingress and conditionally redirects a login form |
| | | at egress if challenge is required. |
| | | |
| | | Applications should supply their |
| | | own login form, and use :class:`repoze.who.api.API` to authenticate |
| | | and remember users. To replace the challenger role, please use |
| | | :class:`repoze.who.plugins.redirector.RedirectorPlugin`, configured with |
| | | the URL of your application's login form. |
| | | |
| | | |
| | | Third-party Plugins |
| | | ------------------- |
| | | |