tags:

views:

523

answers:

3
+3  Q: 

Python/WebApp Google App Engine - testing for user/pass in the headers

When you call a web service like this:

   username = 'test12'
   password = 'test34' 
   client = httplib2.Http(".cache") 
   client.add_credentials(username,password)
   URL = "http://localhost:8080/wyWebServiceTest"
   response, content = client.request(URL)

How do you get the username/password into variables on the server side (i.e. in the web-service that I'm writing). I checked the self.request.headers and self.request.environ and couldn't find them.

(I'm not using Google Login, need to bounce this userid/pass against my own database to verify security.)

I was trying to ideas from this page: http://pythonpaste.org/webob/reference.html#headers

Thanks,

Neal Walters

Slight enhancement to Peter's code below: 

 auth = None 
 if 'Authorization' in self.request.headers: 
    auth = self.request.headers['Authorization']
 if not auth:
+1  A: 

httplib2 will only pass the credentials after a 401 response from the web server, after which the credentials should be sent in an Authorization: header.

Wooble  2009-09-30 19:01:08
I'm confused. So you are saying first call is no credentials, then server returns 401, then client automatically sends user/pass? But anyway - the user/pass is available to the web-service right? The code fragment above is a non-GAE program running on my machine that calls a GAE web-service. It's in the web-service I want to check the user/pass. (Good to see your pic - I see you Google-Group all the time).
NealWalters  2009-09-30 19:34:48
Got it now after the other answers. Thanks.
NealWalters  2009-09-30 21:03:46
+2  A: 

The credentials will appear in the Authorization header. The steps work like this:

  1. Client makes a request to your app with no attempt at authorization
  2. Server responds with a "401 Authorization Required" response, and the "WWW-Authenticate" header set to 'Basic realm="something"' (for basic auth).
  3. Client responds with an Authorization header set appropriately (see below).

The exact content of the client's Authorization header in step 3 depends on the authorization method used. For HTTP Basic auth, it's the base64-encoded user credentials - see here. For HTTP digest auth, both the server's header and the response from the client are a bit more complicated - see here.

Nick Johnson  2009-09-30 20:04:28
Thanks for the response and especially the link that explains the encoding.
NealWalters  2009-09-30 21:03:09
Great idea on the decorator - but it's over my head without stopping to spend a day on it. Here's my crude attempt: http://stackoverflow.com/questions/1500982/python-decorator-for-gae-web-service-security-check
NealWalters  2009-09-30 22:32:30
+2  A: 

I haven't tested this code (insert smiley) but I think this is the sort of thing you need. Basically your credentials won't be in the header if your server hasn't bounced a 401 back to your client (the client needs to know the realm to know what credentials to provide).

class MYREALM_securepage(webapp.RequestHandler):
  def get(self):
      if not 'Authorization' in self.request.headers:
          self.response.headers['WWW-Authenticate'] = 'Basic realm="MYREALM"'
          self.response.set_status(401)
          self.response.out.write("Authorization required")
      else:
          auth = self.request.headers['Authorization']
          (username, password) = base64.b64decode(auth.split(' ')[1]).split(':')
          # Check the username and password, and proceed ...
Peter S Magnusson  2009-09-30 20:36:30
Exactly what the doctor ordered! Thanks!!! I added "import base64" and made one minor change - see edit of my original post.
NealWalters  2009-09-30 20:58:06
One nitpick: This would be better as a decorator. :)
Nick Johnson  2009-09-30 21:18:19
it should totally be done as a decorator. i just wanted to show the core code.
Peter S Magnusson  2009-10-01 19:41:11

related questions

Programmatically talking to a Serial Port in OS X or Linux
Best ways to teach a beginner to program?
Calling a Function From a String With the Function's Name in Python
An executable Python app
Text Editor For Linux (Besides Vi)?
What Hosting Service is best for Django applications?
File size differences after copying a file to a server vía FTP
Python: what is the difference between (1,2,3) and [1,2,3], and when should I use each?
Python: What OS am I running on?
How do I make a menu in python that does not require the user to press (enter) to make a selection?
How do you express binary literals in Python?
What is the most efficient graph data structure in Python?
Adding a Method to an Existing Object
How to learn Python: Good Example Code?
How do I use Python's itertools.groupby()?
Python and MySQL
Class views in Django
Is there an IDE that provides code completion for Python
Using 'in' to match an attribute of Python objects in an array
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
Continuous Integration System for a Python Codebase
Get a preview jpeg of a pdf on windows?
How can I find the full path to a font from its display name on a Mac?
XML Processing in Python