Re: Digest authentication for Xavante?

Re: Digest authentication for Xavante?

Javier Guerra Giraldez
On Sunday 08 January 2006 5:53 am, Alexander Altshuler wrote:
> Does Xavante support in any way digest authentication?

not by itself

in fact, i haven't really read the digest authentication specification; i
can't claim to understand it.

this is the kind of feature that shouldn't be in the core but in a special
handler.  i think right now it would be very awkward to make into a handler;
but the next idea is to abstract much more functionality into handlers.  
specifically, the main dispatcher would be a handler that calls more
handlers.

any authentication module could then be a handler that calls the real handlers
(CGILua, filehandler, or even the main dispatcher) after doing its work.

or maybe i'm totally offbase, and the authentication can be done just reading
some headers.... if so, a simple function to check it would be enough.

care to enlighten us about the digest authentication method?

--
Javier

Re: Digest authentication for Xavante?

Diego Nehab-3
Hi,

> in fact, i haven't really read the digest authentication specification; i
> can't claim to understand it.

I think all you need is base64 encoding (LuaSocket gives that to you)
and md5 (Roberto used to have a library for that). It's very similar to
the basic.

Regards,
Diego.

Re: Digest authentication for Xavante?

Petite Abeille

On Jan 11, 2006, at 23:43, Diego Nehab wrote:

>> in fact, i haven't really read the digest authentication
>> specification; i
>> can't claim to understand it.
>
> I think all you need is base64 encoding (LuaSocket gives that to you)
> and md5 (Roberto used to have a library for that). It's very similar to
> the basic.

Here is an example implementation:

http://dev.alt.textdrive.com/file/LW/LWDigestAuthentication.lua

Cheers

--
PA, Onnay Equitursay
http://alt.textdrive.com/


RE: Digest authentication for Xavante?

Alexander Altshuler
In reply to this post by Javier Guerra Giraldez
Hi

12.01.2005 Javier Guerra wrote
>or maybe i'm totally offbase, and the authentication can be done just
>reading some headers.... if so, a simple function to check it would be
>enough.
>care to enlighten us about the digest authentication method?

Digest authentication uses simple challenge/response protocol.
Server side steps:
1. Does request's URI need authentication?
2. If need authentication and "Authorization" is not present - generate
challenge (respond with 401 and "WWW-Authenticate" header.)
3. If "Authorization" is present - check this header for validity.
4. Check access rights for given request

So it may be implemented as generic pluggable Authentication/Authorization
interface with 4 methods:
- doesResourceNeedAuthentication
- generateChallange
- validateUserCredential
- doesThisUserHasAccessToThisResource

Proposed interface above may be split into two:
Authentication:
- generateChallange
- validateUserCredential
Authorization:
- doesThisUserHasAccessToThisResource
- doesResourceNeedAuthentication ( say does Anonymous HasAccessToThisResource )

Instance of Authentication interface may implement Basic or Digest.

If one of Xavante developer will integrate such things within Xavante I am
ready to develop implementation of Digest Authentication component for
Xavante community.

Code from link below may be used as good example of building challenge and
validating response.

12.01.2005 PA wrote
>Here is an example implementation:
>http://dev.alt.textdrive.com/file/LW/LWDigestAuthentication.lua

12.01.2005 Diego Nehab wrote
>I think all you need is base64 encoding (LuaSocket gives that to you)
>and md5 (Roberto used to have a library for that). It's very similar to
>the basic.

I agree.

Regards,
Alex


Re: Digest authentication for Xavante?

Javier Guerra Giraldez
On Thursday 12 January 2006 3:51 am, Alexander Altshuler wrote:
> If one of Xavante developer will integrate such things within Xavante I am
> ready to develop implementation of Digest Authentication component for
> Xavante community.

ok, now i get it a bit more.

this functionality could be done at least two ways:

1) a PHP-like way: a couple of functions to be called from a script (CGILua, a
handler, webCode, etc).  the script writer calls them and either grants or
refuses access

2) a middle handler: this handler gets a few parameters to manage
authentication (authorized users, a check function, a DB backend, whatever)
and another handler (as a parameter too).  it checks the authorizations, if
refused, generates the 401, if granted, calls the 'sub handler'


the first way is a bit easier, but the second one might be more flexible.  it
also points to the way of a deep hierarchy of handlers i'd like to eventually
have.

any opinions?

--
Javier
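
Added example, not part of any message in this thread and not Xavante code: the four server-side steps from Alexander's message, built as the "middle handler" from Javier's option 2, with the response check from RFC 2617 (qop=auth). It is written in Python only because its standard library ships MD5; the handler signature `(method, uri, headers) -> (status, headers, body)` and the callback names `ha1_for`, `needs_auth`, `may_access` and `sub_handler` are assumptions made for this sketch.

```python
import hashlib, re, secrets

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def expected_response(ha1, method, f):
    # RFC 2617 with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:MD5(method:uri)),
    # where HA1 = MD5(username:realm:password) is what the server stores.
    ha2 = md5hex(f"{method}:{f['uri']}")
    return md5hex(":".join([ha1, f["nonce"], f["nc"], f["cnonce"], f["qop"], ha2]))

def parse_authorization(value):
    scheme, _, rest = value.partition(" ")
    if scheme.lower() != "digest":
        return None
    pairs = re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', rest)
    return {k: v.strip('"') for k, v in pairs}

REQUIRED = {"username", "realm", "nonce", "uri", "response", "qop", "nc", "cnonce"}

def digest_handler(realm, ha1_for, needs_auth, may_access, sub_handler):
    issued = set()  # nonces this server handed out; production code expires them

    def challenge():
        nonce = secrets.token_hex(16)
        issued.add(nonce)
        value = f'Digest realm="{realm}", qop="auth", nonce="{nonce}"'
        return 401, {"WWW-Authenticate": value}, ""

    def handler(method, uri, headers):
        if not needs_auth(uri):                          # step 1
            return sub_handler(method, uri, headers)
        f = parse_authorization(headers.get("Authorization", ""))
        if not f or not REQUIRED <= f.keys():            # step 2
            return challenge()
        ha1 = ha1_for(f["username"])                     # step 3
        valid = (ha1 is not None and f["realm"] == realm and f["qop"] == "auth"
                 and f["uri"] == uri and f["nonce"] in issued
                 and secrets.compare_digest(
                     expected_response(ha1, method, f).encode(),
                     f["response"].encode()))
        if not valid:
            return challenge()
        if not may_access(f["username"], uri):           # step 4
            return 403, {}, "Forbidden"
        return sub_handler(method, uri, headers)

    return handler
```

The sketch rejects nonces the server did not issue but does not track the `nc` counter or expire nonces, so a captured Authorization header stays replayable for the same URI until that is added.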


RE: Digest authentication for Xavante?

Alexander Altshuler
Hi

12.01.2005 Javier Guerra wrote
>this functionality could be done at least two ways:
>1) a PHP-like way: a couple of functions to be called from a script
>(CGILua, a handler, webCode, etc).  the script writer calls them and
>either grants or refuses access

As I understand this solution is only for Lua scripts.
So file handler will be out of scope.

>2) a middle handler: this handler gets a few parameters to manage
>authentication (authorized users, a check function, a DB backend, whatever)
>and another handler (as a parameter too).  it checks the authorizations, if
>refused, generates the 401, if granted, calls the 'sub handler'

>the first way is a bit easier, but the second one might be more flexible.
>it also points to the way of a deep hierarchy of handlers i'd like to
>eventually have.

I absolutely think it must be generic solution for all types of handlers.
It is full standard feature of HTTP protocol.
Why not just integrate such stuff into Xavante core?

Alex


Re: Digest authentication for Xavante?

Javier Guerra Giraldez
On Friday 13 January 2006 4:33 am, Alexander Altshuler wrote:
> >1) a PHP-like way: a couple of functions to be called from a script
> As I understand this solution is only for Lua scripts.
> So file handler will be out of scope.

in principle yes, but it would be trivially easy to write a second file
handler that cares about authentication.

> >2) a middle handler: this handler gets a few parameters to manage
> >authentication (authorized users, a check function, a DB backend,
> > whatever)
> I absolutely think it must be generic solution for all types of handlers.
> It is full standard feature of HTTP protocol.
> Why not just integrate such stuff into Xavante core?

the core would be getting smaller and smaller in each release; this (and other)
feature would be added, but as optional modules.

feature-creep is one of the capital sins of development.  especially when
working with a dynamic language like Lua that lets you abstract optional
features so nicely


--
Javier
