I would like to implement my own user authentication methods for an
application built with CherryPy. To do this, I would like to know how
to run a method at the beginning of each request so that I can check
if the user has authenticated, and redirect otherwise. I am new to
CherryPy and have seen references to Filters & Hooks to do such
things, but I cannot find any good examples of how to do so. Please
help. Thanks.
Richard King wrote:
> I would like to implement my own user authentication methods for an
> application built with CherryPy. To do this, I would like to know how
> to run a method at the beginning of each request so that I can check
> if the user has authenticated, and redirect otherwise. I am new to
> CherryPy and have seen references to Filters & Hooks to do such
> things, but I cannot find any good examples of how to do so. Please
> help. Thanks.
http://www.cherrypy.org/wiki/CustomTools covers it pretty well. To run something at the beginning of the request, use the 'on_start_resource' hook just like the 'print_path' example does. To do user authentication, you're probably going to be checking cherrypy.request.headers['WWW-Authenticate'] and maybe raise cherrypy.HTTPError(401) if they can't authenticate. See cherrypy.lib.auth for some helper functions. Of course, if you just want basic/digest auth, there are already builtin tools for that.
I had hacked together a simple login a while ago, I'd like to replace it with the library login that may be more secure... What's the best place to find the user authentication library and related docs? Thanks...
> Of course, if you just want
> basic/digest auth, there are already builtin tools for that.
On 7/4/08, Robert Brewer <fuman...@aminus.org> wrote:
> Richard King wrote:
> > I would like to implement my own user authentication methods for an
> > application built with CherryPy. To do this, I would like to know how
> > to run a method at the beginning of each request so that I can check
> > if the user has authenticated, and redirect otherwise. I am new to
> > CherryPy and have seen references to Filters & Hooks to do such
> > things, but I cannot find any good examples of how to do so. Please
> > help. Thanks.
> http://www.cherrypy.org/wiki/CustomTools covers it pretty well. To run
> something at the beginning of the request, use the 'on_start_resource'
> hook just like the 'print_path' example does. To do user authentication,
> you're probably going to be checking
> cherrypy.request.headers['WWW-Authenticate'] and maybe raise
> cherrypy.HTTPError(401) if they can't authenticate. See
> cherrypy.lib.auth for some helper functions. Of course, if you just want
> basic/digest auth, there are already builtin tools for that.
Thank you for the quick response. The CustomTools reference was
exactly what I needed. One more question: what do I need to do to be
able to access the cherrypy.session variables from within my Custom
Tool?
On Jul 3, 6:11 pm, "Robert Brewer" <fuman...@aminus.org> wrote:
> Richard King wrote:
> > I would like to implement my own user authentication methods for an
> > application built with CherryPy. To do this, I would like to know how
> > to run a method at the beginning of each request so that I can check
> > if the user has authenticated, and redirect otherwise. I am new to
> > CherryPy and have seen references to Filters & Hooks to do such
> > things, but I cannot find any good examples of how to do so. Please
> > help. Thanks.
> http://www.cherrypy.org/wiki/CustomTools covers it pretty well. To run
> something at the beginning of the request, use the 'on_start_resource'
> hook just like the 'print_path' example does. To do user authentication,
> you're probably going to be checking
> cherrypy.request.headers['WWW-Authenticate'] and maybe raise
> cherrypy.HTTPError(401) if they can't authenticate. See
> cherrypy.lib.auth for some helper functions. Of course, if you just want
> basic/digest auth, there are already builtin tools for that.
Thanks Robert. I appreciate the good reference and the quick
response. As I have developed web apps in the past, using other
languages, I have generally handled user authentication as follows:
1) Write code which executes before each request to see if the user
has logged in.
2) On each request, check to see if a "user_id" session variable
exists, and if not redirect to the login page.
3) Submitting the login page will execute code that checks the
provided username/password with the database.
4) If the credentials were valid, save the "user_id" session variable
and redirect to the requested page; otherwise redirect to the login
page.
Is there a way that I can accomplish this type of logic in CherryPy,
or is there a better way? It appears that in CherryPy I do not have
access to cherrypy.session from a 'on_start_resource' hook. Thank you
for your help.
-Richard
On Jul 3, 6:11 pm, "Robert Brewer" <fuman...@aminus.org> wrote:
> Richard King wrote:
> > I would like to implement my own user authentication methods for an
> > application built with CherryPy. To do this, I would like to know how
> > to run a method at the beginning of each request so that I can check
> > if the user has authenticated, and redirect otherwise. I am new to
> > CherryPy and have seen references to Filters & Hooks to do such
> > things, but I cannot find any good examples of how to do so. Please
> > help. Thanks.
> http://www.cherrypy.org/wiki/CustomTools covers it pretty well. To run
> something at the beginning of the request, use the 'on_start_resource'
> hook just like the 'print_path' example does. To do user authentication,
> you're probably going to be checking
> cherrypy.request.headers['WWW-Authenticate'] and maybe raise
> cherrypy.HTTPError(401) if they can't authenticate. See
> cherrypy.lib.auth for some helper functions. Of course, if you just want
> basic/digest auth, there are already builtin tools for that.
Richard King wrote:
> On Jul 3, 6:11 pm, "Robert Brewer" <fuman...@aminus.org> wrote:
> > Richard King wrote:
> > > I would like to implement my own user authentication methods for an
> > > application built with CherryPy. To do this, I would like to know
> > > how to run a method at the beginning of each request so that I can
> > > check if the user has authenticated, and redirect otherwise. I am
> > > new to CherryPy and have seen references to Filters & Hooks to do
> > > such things, but I cannot find any good examples of how to do so.
> > http://www.cherrypy.org/wiki/CustomTools covers it pretty well.
> > To run something at the beginning of the request, use the
> > 'on_start_resource' hook just like the 'print_path' example
> > does. To do user authentication, you're probably going to be
> > checking cherrypy.request.headers['WWW-Authenticate'] and maybe
> > raise cherrypy.HTTPError(401) if they can't authenticate. See
> > cherrypy.lib.auth for some helper functions. Of course, if you
> > just want basic/digest auth, there are already builtin tools for
> > that.
> Thank you for the quick response. The CustomTools reference was
> exactly what I needed. One more question: what do I need to do to be
> able to access the cherrypy.session variables from within my Custom
> Tool?
Sessions are implemented with hooks and tools too, so you just have to make sure your tool runs after session.init is called. Looks like that's before_request_body, priority=50 by default. It can't really be any earlier than that because it has to run after the request headers are read and parsed. So run your tool after that; either before_request_body, priority 75 or something, or before_handler.
You also need to lock the session while you read/write it. By default, that happens before_handler. If you set sessions.locking = 'early' it'll run before_request_body, priority=60. You can also set sessions.locking='explicit' and call cherrypy.serving.session.acquire_lock()/release_lock() on your own.
> I had hacked together a simple login a while ago,
> I'd like to replace it with the library login that
> may be more secure... What's the best place to find
> the user authentication library and related docs?
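
The four-step session login flow asked about earlier in the thread, wired in at the hook point and priority given in the reply about sessions.init and session locking, as an added example that is not code from the thread or from CherryPy. The tool name `require_login`, the helper names, the `next` parameter and the `/login` path are assumptions; the session-id regeneration and the check on the post-login destination go beyond what the thread discusses.

```python
from urllib.parse import quote

def safe_next(target, default="/"):
    """Allow only a same-site absolute path as the post-login destination."""
    target = target or ""
    ok = (target.startswith("/") and not target.startswith("//")
          and "\\" not in target and all(ord(c) > 0x20 for c in target))
    return target if ok else default

def login_redirect(session, path_info, query_string="", login_path="/login"):
    """Step 2: None if 'user_id' is in the session, else the login URL to use."""
    if session.get("user_id") is not None:
        return None
    wanted = path_info + ("?" + query_string if query_string else "")
    return login_path + "?next=" + quote(safe_next(wanted), safe="")

def finish_login(session, user_id, next_url):
    """Step 4, called only after the username/password check succeeded."""
    session.regenerate()          # new session id, so a pre-login id is not reused
    session["user_id"] = user_id
    return safe_next(next_url)    # the login handler raises HTTPRedirect to this

def install_tool(login_path="/login"):
    """Step 1: register the check as tools.require_login (hypothetical name)."""
    import cherrypy  # imported here so the helpers above can be tested without CherryPy

    def check():
        req = cherrypy.request
        url = login_redirect(cherrypy.session, req.path_info,
                             req.query_string, login_path)
        if url:
            raise cherrypy.HTTPRedirect(url)

    # before_handler, priority 75: after sessions.init (before_request_body, 50)
    # and after the default session lock (before_handler).
    cherrypy.tools.require_login = cherrypy.Tool("before_handler", check, priority=75)

# Constructed sample config: protect everything except the login page itself.
CONFIG = {
    "/": {"tools.sessions.on": True, "tools.require_login.on": True},
    "/login": {"tools.require_login.on": False},
}
```

Call `install_tool()` before mounting the application with `CONFIG`, so the `tools.require_login.*` entries resolve to a registered tool.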