CHANGES.txt | ●●●●● patch | view | raw | blame | history | |
docs/configuration.rst | ●●●●● patch | view | raw | blame | history | |
docs/plugins.rst | ●●●●● patch | view | raw | blame | history | |
repoze/who/plugins/cookie.py | ●●●●● patch | view | raw | blame | history | |
repoze/who/plugins/form.py | ●●●●● patch | view | raw | blame | history | |
repoze/who/plugins/tests/test_cookie.py | ●●●●● patch | view | raw | blame | history | |
repoze/who/plugins/tests/test_form.py | ●●●●● patch | view | raw | blame | history |
CHANGES.txt
@@ -4,18 +4,27 @@ After 2.0a2 (unreleased) ------------------------ - Make the ``repoze.who.plugins.cookie.InsecureCookiePlugin`` take a - Deprecated the following plugins, moving their modules, tests, and docs to a new``repoze.who.deprecatedplugins`` distribution: - ``repoze.who.plugins.cookie.InsecureCookiePlugin`` - ``repoze.who.plugins.form.FormPlugin - ``repoze.who.plugins.form.RedirectingFormPlugin - Made the ``repoze.who.plugins.cookie.InsecureCookiePlugin`` take a ``charset`` argument, and use to to encode / decode login and password. See http://bugs.repoze.org/issue155 - In ``repoze.who.restrict``, return headers as a list, to keep ``wsgiref`` from complaining. - Updated ``repoze.who.restrict`` to return headers as a list, to keep ``wsgiref`` from complaining. - Help default request classifier cope with xml submissions with an - Helped default request classifier cope with xml submissions with an explicit charset defined: http://bugs.repoze.org/issue145 (Lorenzo M. Catucci) - Correct the handling of type and subtype when matching an XML post - Corrected the handling of type and subtype when matching an XML post to ``xmlpost`` in the default classifier, which, according to RFC 2045, must be matched case-insensitively: http://bugs.repoze.org/issue145 (Lorenzo M. Catucci) docs/configuration.rst
@@ -91,8 +91,7 @@ from repoze.who.interfaces import IChallenger from repoze.who.plugins.basicauth import BasicAuthPlugin from repoze.who.plugins.auth_tkt import AuthTktCookiePlugin from repoze.who.plugins.cookie import InsecureCookiePlugin from repoze.who.plugins.form import FormPlugin from repoze.who.plugins.redirector import RedirectorPlugin from repoze.who.plugins.htpasswd import HTPasswdPlugin io = StringIO() @@ -105,15 +104,13 @@ htpasswd = HTPasswdPlugin(io, cleartext_check) basicauth = BasicAuthPlugin('repoze.who') auth_tkt = AuthTktCookiePlugin('secret', 'auth_tkt') form = FormPlugin('__do_login', rememberer_name='auth_tkt') form.classifications = { IIdentifier:['browser'], IChallenger:['browser'] } # only for browser identifiers = [('form', form), ('auth_tkt', auth_tkt), redirector = FormPlugin('/login.html') redirector.classifications = {IChallenger:['browser'],} # only for browser identifiers = [('auth_tkt', auth_tkt), ('basicauth', basicauth)] authenticators = [('auth_tkt', auth_tkt), ('htpasswd', htpasswd)] challengers = [('form', form), challengers = [('redirector', redirector), ('basicauth', basicauth)] mdproviders = [] @@ -138,16 +135,12 @@ The above example configures the repoze.who middleware with: - Three ``IIdentifier`` plugins (form auth, auth_tkt cookie, and a basic auth plugin). The form auth plugin is set up to fire only when the request is a ``browser`` request (as per the combination of the request classifier returning ``browser`` and the framework checking against the *classifications* attribute of the plugin, which limits ``IIdentifier`` and ``IChallenger`` to the ``browser`` classification only). In this setup, when "identification" needs to be performed, the form auth plugin will be checked first (if the request is a browser request), then the auth_tkt cookie plugin, then the basic auth plugin. - Two ``IIdentifier`` plugins (auth_tkt cookie, and a basic auth plugin). In this setup, when "identification" needs to be performed, the auth_tkt plugin will be checked first, then the basic auth plugin. The application is responsible for handling login via a form: this view would use the API (via :method:`remember`) to generate apprpriate response headers. - Two ``IAuthenticator`` plugins: the auth_tkt plugin and an htpasswd plugin. The auth_tkt plugin performs both ``IIdentifier`` and ``IAuthenticator`` @@ -156,8 +149,8 @@ and password is found via any identifier, it will be checked against this authenticator. - Two ``IChallenger`` plugins: the form plugin, then the basic auth plugin. The form auth will fire if the request is a ``browser`` - Two ``IChallenger`` plugins: the redirector plugin, then the basic auth plugin. The redirector auth will fire if the request is a ``browser`` request, otherwise the basic auth plugin will fire. The rest of the middleware configuration is for values like logging @@ -210,12 +203,10 @@ identification plugins. The htpasswd and sqlusers plugins are nominated to act as authenticator plugins. :: [plugin:form] [plugin:redirector] # identificaion and challenge use = repoze.who.plugins.form:make_plugin login_form_qs = __do_login rememberer_name = auth_tkt form = %(here)s/login_form.html use = repoze.who.plugins.redirector:make_plugin login_url = /login.html [plugin:auth_tkt] # identification and authentication @@ -258,7 +249,6 @@ [identifiers] # plugin_name;classifier_name:.. or just plugin_name (good for any) plugins = form;browser auth_tkt basicauth @@ -272,7 +262,7 @@ [challengers] # plugin_name;classifier_name:.. or just plugin_name (good for any) plugins = form;browser redirector;browser basicauth [mdproviders] @@ -280,12 +270,9 @@ sqlproperties The basicauth section configures a plugin that does identification and challenge for basic auth credentials. The form section configures a plugin that does identification and challenge (its implementation defers to the cookie plugin for identification "forget" and "remember" duties, thus the "identifier_impl_name" key; this is looked up at runtime). The auth_tkt section configures a plugin that does identification for cookie auth credentials, as well as authenticating challenge for basic auth credentials. The redirector section configures a plugin that does challenges. The auth_tkt section configures a plugin that does identification for cookie auth credentials, as well as authenticating them. The htpasswd plugin obtains its user info from a file. The sqlusers plugin obtains its user info from a Postgres database. @@ -295,8 +282,7 @@ are in the form "plugin_name;requestclassifier_name:..." (or just "plugin_name" if the plugin can be consulted regardless of the classification of the request). The configuration above indicates that the system will look for credentials using the form plugin (if the request is classified as a browser request), then the cookie that the system will look for credentials using the auth_tkt cookie identifier (unconditionally), then the basic auth plugin (unconditionally). @@ -322,6 +308,6 @@ provide challenger capability. These will be consulted in the defined order, so the system will consult the cookie auth plugin first, then the basic auth plugin. Each will have a chance to initiate a challenge. The above configuration indicates that the form challenger challenge. The above configuration indicates that the redirector challenger will fire if it's a browser request, and the basic auth challenger will fire if it's not (fallback). docs/plugins.rst
@@ -101,59 +101,6 @@ to the browser. The single argument *realm* indicates the basic auth realm that should be sent in the ``WWW-Authenticate`` header. .. module:: repoze.who.plugins.cookie .. class:: InsecureCookiePlugin(cookie_name) A :class:`InsecureCookiePlugin` is an ``IIdentifier`` plugin. It stores identification information in an insecure form (the base64 value of the username and password separated by a colon) in a client-side cookie. It accepts a single required argument named *cookie_name*. This is the cookie name of the cookie used to store the identification information. The plugin also accepts two optional arguments: *cookie_path* is the URL path root which scopes the cookie, and *charset* is the name of a codec used to convert the login and password to and from unicode. .. module:: repoze.who.plugins.form .. class:: FormPlugin(login_form_qs, rememberer_name [, formbody=None [, formcallable=None]]) A :class:`FormPlugin` is both an ``IIdentifier`` and ``IChallenger`` plugin. It intercepts form POSTs to gather identification at ingress and conditionally displays a login form at egress if challenge is required. *login_form_qs* is a query string name used to denote that a form POST is destined for the form plugin (anything unique is fine), *rememberer_name* is the "configuration name" of another ``IIdentifier`` plugin that will be used to perform ``remember`` and ``forget`` duties for the FormPlugin (it does not do these itself). For example, if you have a cookie identification plugin named ``cookie`` defined in your middleware configuration, you might set *rememberer_name* to ``cookie``. *formbody* is a literal string that should be displayed as the form body. *formcallable* is a callable that will return a form body if *formbody* is None. If both *formbody* and *formcallable* are None, a default form is used. .. class:: RedirectingFormPlugin(login_form_url, login_handler_path, logout_handler_path, rememberer_name) A :class:`RedirectingFormPlugin` is both an ``IIdentifier`` and ``IChallenger`` plugin. It intercepts form POSTs to gather identification at ingress and conditionally redirects a login form at egress if challenge is required (as opposed to the :class:`FormPlugin`, it does not handle its own form generation). *login_form_url* is a URL that should be redirected to when a challenge is required. *login_handler_path* is the path that the form will POST to, signifying that the plugin should gather credentials. *logout_handler_path* is a path that can be called to log the current user out when visited. *rememberer_name* is the configuration name of another ``IIdentifier`` plugin that will be used to perform ``remember`` and ``forget`` duties for the RedirectingFormPlugin (it does not do these itself). For example, if you have a cookie identification plugin named ``cookie`` defined in your middleware configuration, you might set *rememberer_name* to ``cookie``. .. module:: repoze.who.plugins.htpasswd .. class:: HTPasswdPlugin(filename, check) @@ -556,6 +503,45 @@ See :ref:`default_plugins`. Deprecated plugins ------------------ The :mod:`repoze.who.deprecatedplugins` distribution bundles the following plugin implementations which were shipped with :mod:`repoze.who` prior to version 2.0a3. These plugins are deprecated, and should only be used while migrating an existing deployment to replacement versions. :class:`repoze.who.plugins.cookie.InsecureCookiePlugin` An ``IIdentifier`` plugin which stores identification information in an insecure form (the base64 value of the username and password separated by a colon) in a client-side cookie. Please use the :class:`AuthTktCookiePlugin` instead. :class:`repoze.who.plugins.form.FormPlugin` An ``IIdentifier`` and ``IChallenger`` plugin, which intercepts form POSTs to gather identification at ingress and conditionally displays a login form at egress if challenge is required. Applications should supply their own login form, and use :class:`repoze.who.api.API` to authenticate and remember users. To replace the challenger role, please use :class:`repoze.who.plugins.redirector.RedirectorPlugin`, configured with the URL of your application's login form. :class:`repoze.who.plugins.form.RedirectingFormPlugin` An ``IIdentifier`` and ``IChallenger`` plugin, which intercepts form POSTs to gather identification at ingress and conditionally redirects a login form at egress if challenge is required. Applications should supply their own login form, and use :class:`repoze.who.api.API` to authenticate and remember users. To replace the challenger role, please use :class:`repoze.who.plugins.redirector.RedirectorPlugin`, configured with the URL of your application's login form. Third-party Plugins ------------------- repoze/who/plugins/cookie.py
File was deleted repoze/who/plugins/form.py
File was deleted repoze/who/plugins/tests/test_cookie.py
File was deleted repoze/who/plugins/tests/test_form.py
File was deleted