Comments (13)
From [email protected] on July 06, 2012 06:51:29
Looking into this... http://en.wikipedia.org/wiki/Digest_access_authentication Not sure what "entityBody" is.
from web2py.
From [email protected] on July 06, 2012 07:20:14
I'm trying to implement this on my client also.
Here are some resources that might help:
- Chromium tests for auth: https://code.google.com/p/chromium/source/search?q=username+nonce&origq=username+nonce&btnG=Search+Trunk
- A sample C++ code: https://code.google.com/searchframe#L7BRNLZzKBo/trunk/live555/live/liveMedia/RTSPServer.cpp&ct=rc&cd=19&q=Digest%20access%20authentication%20lang:%5Ec%2B%2B$&sq=
from web2py.
From [email protected] on July 09, 2012 02:27:50
Looks like urllib2 has support for digest auth:
E.g. Used in the mercurial-api: http://danchr.bitbucket.org/mercurial-api/mercurial.url-pysrc.html#httpdigestauthhandler
from web2py.
From [email protected] on July 09, 2012 19:43:22
I can find the API to generate the digest credentials, not to validate them.
from web2py.
From [email protected] on July 11, 2012 00:20:06
Maybe this will be of help? - https://bitbucket.org/btimby/python-digest
from web2py.
From [email protected] on July 16, 2012 13:51:46
also here http://svn.cherrypy.org/trunk/cherrypy/lib/auth_digest.py
from web2py.
From [email protected] on August 07, 2012 20:07:02
Labels: -Type-Defect Type-Enhancement
from web2py.
IMHO there's a clash on what is required and how we handle auth.
One of the hard requirements for supporting the digest auth is to be able to reconstruct the original password in "cleartext".
If we stored those using md5 as we used to a long time ago, it would still be possible in some corner-cases, but I don't see how can we integrate HTTP digest with our current hashing scheme.
@mdipierro , @michele-comitini , @abastardi : opinions ?
from web2py.
I agree, really chaotic.
Impossible to apply to web2py, given an already existing set of
username/hashed-password. One would require the client to do the same hash
before starting the challenge or as you say, have the cleartext password.
Moreover IMHO it does not add any security to Basic Auth + TLS
https://tools.ietf.org/html/rfc2617#section-4.13
https://tools.ietf.org/html/rfc2617#section-4.14
2015-03-02 22:33 GMT+01:00 niphlod [email protected]:
IMHO there's a clash on what is required and how we handle auth.
One of the hard requirements for supporting the digest auth is to be able
to reconstruct the original password in "cleartext".
If we stored those using md5 as we used to a long time ago, it would still
be possible in some corner-cases, but I don't see how can we integrate HTTP
digest with our current hashing scheme.
@mdipierro https://github.com/mdipierro , @michele-comitini https://github.com/michele-comitini , @abastardi https://github.com/abastardi : opinions ?
from web2py.
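The storage clash raised in the two comments above, as an added example that is not part of the original thread or of web2py's code: an RFC 2617 Digest response can only be checked against MD5(username:realm:password), so a user record holding only a salted hash can serve Basic auth but not Digest. The request values are the worked example from RFC 2617 section 3.5; the record layout, the salt and the function names are constructed for illustration.

```python
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_ha1(username, realm, password):
    # The only stored secret a Digest response can be checked against.
    return md5_hex(f"{username}:{realm}:{password}")


def make_pbkdf2(password, salt):
    # Constructed stand-in for a salted, iterated password hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def check_basic(record, password):
    # Basic sends the password itself, so the stored hash can be recomputed.
    return hmac.compare_digest(make_pbkdf2(password, record["salt"]), record["pbkdf2"])


def check_digest(record, method, p):
    ha1 = record.get("ha1")
    if ha1 is None:
        return False  # salted hash only: HA1 cannot be derived from it
    ha2 = md5_hex(f"{method}:{p['uri']}")
    expected = md5_hex(":".join([ha1, p["nonce"], p["nc"], p["cnonce"], p["qop"], ha2]))
    # Nonce freshness and nc replay tracking are left out of this sketch.
    return hmac.compare_digest(expected, p["response"])


# Request values from the worked example in RFC 2617 section 3.5.
RFC_REQUEST = {
    "uri": "/dir/index.html",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "nc": "00000001",
    "cnonce": "0a4f113b",
    "qop": "auth",
    "response": "6629fae49393a05397450978507c4ef1",
}

SALT = b"constructed-salt"  # constructed sample value
HASHED_ONLY = {"salt": SALT, "pbkdf2": make_pbkdf2("Circle Of Life", SALT)}
WITH_HA1 = dict(HASHED_ONLY, ha1=make_ha1("Mufasa", "testrealm@host.com", "Circle Of Life"))

if __name__ == "__main__":
    print("basic, hashed-only record: ", check_basic(HASHED_ONLY, "Circle Of Life"))
    print("digest, hashed-only record:", check_digest(HASHED_ONLY, "GET", RFC_REQUEST))
    print("digest, record with HA1:   ", check_digest(WITH_HA1, "GET", RFC_REQUEST))
```

A stored HA1 is itself password-equivalent for that realm, which is the trade-off behind the RFC 2617 sections linked in the comment above.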
made little sense in 2012, but in 2015 I agree, there are FAR better alternatives for API authentication.
I'm a fan of Basic over HTTPS but hey, maybe it's just me.
from web2py.
@mdipierro : as always, you're the one who can rule definitely if this issue is still valid or has to be closed.
from web2py.
@mdipierro : this can be closed if you agree with @michele-comitini and me
from web2py.
closing after 2 months of lack of replies by @mdipierro .
from web2py.