<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<title>6.1.2.3 Authentication</title>
<META NAME="description" CONTENT="6.1.2.3 Authentication">
<META NAME="keywords" CONTENT="modpython">
<META NAME="resource-type" CONTENT="document">
<META NAME="distribution" CONTENT="global">
<link rel="STYLESHEET" href="modpython.css">
<link rel="first" href="modpython.html">
<link rel="contents" href="contents.html" title="Contents">
<link rel="index" href="genindex.html" title="Index">
<LINK REL="previous" href="hand-pub-alg-args.html">
<LINK REL="up" href="hand-pub-alg.html">
<LINK REL="next" HREF="node92.html">
<DIV CLASS="navigation">
<table align="center" width="100%" cellpadding="0" cellspacing="2">
<tr>
<td><A href="hand-pub-alg-args.html"><img src="icons/previous.gif"
  border="0" height="32"
  alt="Previous Page" width="32"></A></td>
<td><A href="hand-pub-alg.html"><img src="icons/up.gif"
  border="0" height="32"
  alt="Up One Level" width="32"></A></td>
<td><A HREF="node92.html"><img src="icons/next.gif"
  border="0" height="32"
  alt="Next Page" width="32"></A></td>
<td align="center" width="100%">Mod_python Manual</td>
<td><A href="contents.html"><img src="icons/contents.gif"
  border="0" height="32"
  alt="Contents" width="32"></A></td>
<td><img src="icons/blank.gif"
  border="0" height="32"
  alt="" width="32"></td>
<td><A href="genindex.html"><img src="icons/index.gif"
  border="0" height="32"
  alt="Index" width="32"></A></td>
</tr></table>
<b class="navlabel">Previous:</b> <a class="sectref" href="hand-pub-alg-args.html">6.1.2.2 Argument Matching and</A>
<b class="navlabel">Up:</b> <a class="sectref" href="hand-pub-alg.html">6.1.2 The Publishing Algorithm</A>
<b class="navlabel">Next:</b> <a class="sectref" HREF="node92.html">6.1.3 Form Data</A>
</DIV>
<!--End of Navigation Panel-->
<H3><A NAME="SECTION008123000000000000000"> </A>
6.1.2.3 Authentication
</H3>
<P>
The publisher handler provides simple ways to control access to
modules and functions.

<P>
At every traversal step, the Publisher handler checks for the presence of
<tt class="method">__auth__</tt> and <tt class="method">__access__</tt> attributes (in this order), as
well as the <tt class="method">__auth_realm__</tt> attribute.

<P>
If <tt class="method">__auth__</tt> is found and it is callable, it will be called
with three arguments: the <tt class="class">Request</tt> object, a string containing
the user name and a string containing the password. If the return
value of <code>__auth__</code> is false, then <tt class="constant">HTTP_UNAUTHORIZED</tt> is
returned to the client (which will usually cause a password dialog box

<P>
If <tt class="method">__auth__</tt> is a dictionary, then the user name will be
matched against the key and the password against the value associated
with this key. If the key and password do not match,
<tt class="constant">HTTP_UNAUTHORIZED</tt> is returned. Note that this requires
storing passwords as clear text in source code, which is not very secure.
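
<P>
An added example, not part of the mod_python manual: a callable <code>__auth__</code> that avoids the clear-text dictionary by checking salted PBKDF2 digests with a constant-time comparison. The helper names (<code>make_record</code>, <code>verify</code>, <code>check_credentials</code>), the iteration count and the sample table are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor, not a mod_python setting

def make_record(password, salt=None):
    """Run offline; keep only the returned (salt, digest) hex pair."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex(), digest.hex()

def verify(record, password):
    salt_hex, digest_hex = record
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    # Constant-time comparison: no hint about how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

# Constructed sample table so the example runs stand-alone. A deployed
# module would contain the pasted output of make_record(), not the calls.
USERS = {"eggs": make_record("spam"), "joe": make_record("eoj")}
DUMMY = make_record("placeholder")  # hashed for unknown user names

def check_credentials(user, passwd):
    record = USERS.get(user)
    # Unknown users still cost one hash, so timing does not reveal
    # which user names exist.
    matched = verify(record or DUMMY, passwd or "")
    return matched and record is not None

__auth_realm__ = "Members only"

def __auth__(req, user, passwd):
    return check_credentials(user, passwd)

__access__ = ["eggs"]

def hello(req):
    return "hello"
```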

<P>
<tt class="method">__auth__</tt> can also be a constant. In this case, if it is false
(i.e. <tt class="constant">None</tt>, <code>0</code>, <code>""</code>, etc.), then
<tt class="constant">HTTP_UNAUTHORIZED</tt> is returned.

<P>
If there exists an <code>__auth_realm__</code> string, it will be sent
to the client as Authorization Realm (this is the text that usually
appears at the top of the password dialog box).

<P>
If <tt class="method">__access__</tt> is found and it is callable, it will be called
with two arguments: the <tt class="class">Request</tt> object and a string containing
the user name. If the return value of <code>__access__</code> is false, then
<tt class="constant">HTTP_FORBIDDEN</tt> is returned to the client.

<P>
If <tt class="method">__access__</tt> is a list, then the user name will be matched
against the list elements. If the user name is not in the list,
<tt class="constant">HTTP_FORBIDDEN</tt> is returned.

<P>
Similarly to <tt class="method">__auth__</tt>, <tt class="method">__access__</tt> can be a constant.
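
<P>
The checks described above, written out as a small model. This is an added illustration, not taken from mod_python's source: <code>check_step</code> and the sample objects are hypothetical, and the model assumes the client supplied credentials. It shows why a known user who is missing from the <code>__access__</code> list gets <tt class="constant">HTTP_FORBIDDEN</tt> rather than <tt class="constant">HTTP_UNAUTHORIZED</tt>.

```python
from types import SimpleNamespace

HTTP_OK, HTTP_UNAUTHORIZED, HTTP_FORBIDDEN = 200, 401, 403

def check_step(obj, req, user, passwd):
    """Status one traversal step yields for obj, per the rules above."""
    if hasattr(obj, "__auth__"):           # checked first
        auth = obj.__auth__
        if callable(auth):
            ok = auth(req, user, passwd)
        elif isinstance(auth, dict):
            ok = user in auth and auth[user] == passwd
        else:
            ok = auth                      # constant: truthiness decides
        if not ok:
            return HTTP_UNAUTHORIZED
    if hasattr(obj, "__access__"):         # checked second, user name only
        access = obj.__access__
        if callable(access):
            ok = access(req, user)
        elif isinstance(access, list):
            ok = user in access
        else:
            ok = access                    # constant: truthiness decides
        if not ok:
            return HTTP_FORBIDDEN
    return HTTP_OK

# Constructed stand-ins for published modules (not real mod_python objects).
members = SimpleNamespace(__auth__={"eggs": "spam", "joe": "eoj"},
                          __access__=["eggs"])
closed = SimpleNamespace(__auth__=0)       # false constant: nobody gets in

def demo():
    return [check_step(members, None, "eggs", "spam"),   # allowed
            check_step(members, None, "joe", "eoj"),     # known, not listed
            check_step(members, None, "joe", "wrong"),   # bad password
            check_step(closed, None, "eggs", "spam")]    # constant false
```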

<P>
In the example below, only user "<tt class="samp">eggs</tt>" with password "<tt class="samp">spam</tt>" can access the <code>hello</code> function:

<dl><dd><pre class="verbatim">
__auth_realm__ = "Members only"

def __auth__(req, user, passwd):
    if user == "eggs" and passwd == "spam" or \
       user == "joe" and passwd == "eoj":
        return 1
    return 0

def __access__(req, user):
    return user == "eggs"

def hello(req):
    return "hello"
</pre></dd></dl>

<P>
Here is the same functionality, but using an alternative technique:

<dl><dd><pre class="verbatim">
__auth_realm__ = "Members only"
__auth__ = {"eggs":"spam", "joe":"eoj"}
__access__ = ["eggs"]

def hello(req):
    return "hello"
</pre></dd></dl>

<P>
Since functions cannot be assigned attributes, to protect a function,
an <code>__auth__</code> or <code>__access__</code> function can be defined within

<dl><dd><pre class="verbatim">
def sensitive(req):

    def __auth__(req, user, password):
        if user == 'spam' and password == 'eggs':
            return 1
        return 0

    # something involving sensitive information
    return 'sensitive information'
</pre></dd></dl>

<P>
Note that this technique will also work if <code>__auth__</code> or
<code>__access__</code> is a constant, but will not work if they are
a dictionary or a list.

<P>
The <code>__auth__</code> and <code>__access__</code> mechanisms exist
independently of the standard
<em class="citetitle"><a
 href="dir-handlers-auh.html"
 title="PythonAuthenHandler"
 >PythonAuthenHandler</a></em>. It
is possible to use, for example, the handler to authenticate, then the
<code>__access__</code> list to verify that the authenticated user is
allowed to access a particular function.

<div class="note"><b class="label">Note:</b>
In order for mod_python to access <tt class="function">__auth__</tt>,
the module containing it must first be imported. Therefore, any
module-level code will get executed during the import even if
<tt class="function">__auth__</tt> is false. To truly protect a module from
being accessed, use other authentication mechanisms, e.g. the Apache
<code>mod_auth</code> module or a mod_python <em class="citetitle"><a
 href="dir-handlers-auh.html"
 title="PythonAuthenHandler"
 >PythonAuthenHandler</a></em> handler.
</div>
<span class="release-info">Release 3.1.3, documentation updated on February 17, 2004.</span>