From d7df42ae13a2a9bfb73a76ed96997dad88a794a9 Mon Sep 17 00:00:00 2001 From: David Tulloh <git-david@tulloh.id.au> Date: Tue, 31 May 2016 18:24:05 +0200 Subject: [PATCH] Document the new digest_algo parameter --- docs/configuration.rst | 3 ++- docs/plugins.rst | 10 +++++++++- docs/examples/standalone_login.py | 1 + docs/examples/standalone_login_no_who.py | 3 ++- docs/examples/hybrid/example.py | 2 +- 5 files changed, 15 insertions(+), 4 deletions(-) diff --git a/docs/configuration.rst b/docs/configuration.rst index 9400191..68cd9f9 100644 --- a/docs/configuration.rst +++ b/docs/configuration.rst @@ -103,7 +103,7 @@ return password == hashed htpasswd = HTPasswdPlugin(io, cleartext_check) basicauth = BasicAuthPlugin('repoze.who') - auth_tkt = AuthTktCookiePlugin('secret', 'auth_tkt') + auth_tkt = AuthTktCookiePlugin('secret', 'auth_tkt', digest_algo="sha512") redirector = RedirectorPlugin('/login.html') redirector.classifications = {IChallenger:['browser'],} # only for browser identifiers = [('auth_tkt', auth_tkt), @@ -220,6 +220,7 @@ cookie_name = oatmeal secure = False include_ip = False + digest_algo = sha512 [plugin:basicauth] # identification and challenge diff --git a/docs/examples/hybrid/example.py b/docs/examples/hybrid/example.py index 720a8ff..4ce4fcf 100644 --- a/docs/examples/hybrid/example.py +++ b/docs/examples/hybrid/example.py @@ -183,7 +183,7 @@ ## other plugins basicauth = BasicAuthPlugin('repoze.who') - auth_tkt = AuthTktCookiePlugin('secret', 'auth_tkt') + auth_tkt = AuthTktCookiePlugin('secret', 'auth_tkt', digest_algo="sha512") redirector = RedirectorPlugin(login_url='/login.html') redirector.classifications = {IChallenger:['browser'] } # only for browser diff --git a/docs/examples/standalone_login.py b/docs/examples/standalone_login.py index 37283ff..bfb07fd 100644 --- a/docs/examples/standalone_login.py +++ b/docs/examples/standalone_login.py 
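Review bot: The new `auth_tkt = AuthTktCookiePlugin('secret', 'auth_tkt', digest_algo="sha512")` line in docs/examples/hybrid/example.py advertises a strong digest while the ticket is still keyed by the literal `'secret'`, and nothing in the example marks that value as a placeholder; the secret is what the ticket is derived from (per the plugin description in docs/plugins.rst), so anyone holding it can presumably mint valid tickets whatever hash is chosen, and sha512 on its own buys little here. Add a comment on that line such as `# 'secret' is a placeholder: use a long random value (e.g. os.urandom(32)) in a real deployment; the ticket is only as unforgeable as this secret`. As a point of style the new argument uses double quotes where the rest of the call uses single quotes; `digest_algo='sha512'` would match `'secret', 'auth_tkt'`. The call also leaves `secure` and `include_ip` at the plugin's defaults, which is presumably acceptable for an example but worth a word given the rest of the docs set them explicitly. The enclosing `## other plugins` block starts and ends outside the hunk.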
@@ -44,6 +44,7 @@ cookie_name = auth_cookie secure = True include_ip = True +digest_algo = sha512 [general] request_classifier = repoze.who.classifiers:default_request_classifier diff --git a/docs/examples/standalone_login_no_who.py b/docs/examples/standalone_login_no_who.py index 7d750e9..48defd4 100644 --- a/docs/examples/standalone_login_no_who.py +++ b/docs/examples/standalone_login_no_who.py @@ -75,7 +75,8 @@ if _validate(login_name, password): headers = [('Location', came_from)] ticket = auth_tkt.AuthTicket(SECRET, login_name, remote_addr, - cookie_name=COOKIE_NAME, secure=True) + cookie_name=COOKIE_NAME, secure=True, + digest_algo="sha512") headers = _get_cookies(environ, ticket.cookie_value()) headers.append(('Location', came_from)) start_response('302 Found', headers) diff --git a/docs/plugins.rst b/docs/plugins.rst index 21c0b33..2eb7996 100644 --- a/docs/plugins.rst +++ b/docs/plugins.rst @@ -69,7 +69,8 @@ An :class:`AuthTktCookiePlugin` is an ``IIdentifier`` and ``IAuthenticator`` plugin which remembers its identity state in a client-side cookie. - This plugin uses the ``paste.auth.auth_tkt``"auth ticket" protocol. + This plugin uses the ``paste.auth.auth_tkt``"auth ticket" protocol and + is compatible with Apache's mod_auth_tkt. It should be instantiated passing a *secret*, which is used to encrypt the cookie on the client side and decrypt the cookie on the server side. The cookie name used to store the cookie value can be specified 
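Review bot: The `auth_tkt.AuthTicket(SECRET, login_name, remote_addr, cookie_name=COOKIE_NAME, secure=True, digest_algo="sha512")` call in docs/examples/standalone_login_no_who.py now issues sha512-digested tickets, but the diffstat shows this hunk is the only change to that file, so whatever validates the cookie on later requests (outside this hunk, presumably a `parse_ticket`/`AuthTicket`-style check elsewhere in the example) still runs with the md5 default that the new plugins.rst note documents, and the digests will not match. The algorithm should live in one module constant next to `SECRET` and `COOKIE_NAME`, e.g. `DIGEST_ALGO = 'sha512'`, and be passed as `digest_algo=DIGEST_ALGO` both at this call and at the verification call so the two sides cannot drift. The function containing this call starts outside the hunk.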
@@ -96,6 +97,13 @@ ``urllib.urlencode`` function (``urllib.urlparse.urlencode`` in python 3). Saving keys/values with unicode characters is supported only under python 3. +.. note:: + Plugin supports multiple digest algorithms. It defaults to md5 to match + the default for mod_auth_tkt and paste.auth.auth_tkt. However md5 is not + recommended as there are viable attacks against the hash. Any algorithm + from the hashlib library can be specified, currently only sha256 and sha512 + are supported by mod_auth_tkt. + .. module:: repoze.who.plugins.basicauth .. class:: BasicAuthPlugin(realm) -- Gitblit v1.9.3