CherryPy REST Authentication


Question

I am quite new to Python and CherryPy and trying to build a basic web application which will query data from the server with a RESTful API. I am trying to do it the right way from the start. One part I have not been able to figure out is authentication for the API, as REST is supposed to be stateless and you don't use sessions.

I want to be able to use my API with "native clients" which do not have cookies, so using session cookies is not an option. The data will be accessed with AJAX in HTML. OAuth seems like an option, but I don't want to rely on a third party to provide the login service (Facebook was offline for almost a day a few weeks ago).

Can anyone point me in the right direction, which would work with CherryPy?

Answer

There is no "the right way" for RESTful authentication. REST is not an API silver bullet per se. There are your requirements for it, and solutions with their pros and cons that you need to weigh. However, I'll tell you about HTTP standard methods that will work on CherryPy out of the box.

The article you linked in your comment is pretty clear about the simple way to do authentication in a stateless fashion -- Basic Auth on HTTPS. There's also Digest Auth, which doesn't transfer the password as such and prevents replay attacks, so it's fine to use it on plain HTTP.

#!/usr/bin/env python
# -*- coding: utf-8 -*-


import cherrypy


# Plaintext credential store; CherryPy derives the Basic verifier
# (checkpassword) and the Digest HA1 lookup (get_ha1) from it.
userpassdict  = {'user1': 'passwd'}
checkpassword = cherrypy.lib.auth_basic.checkpassword_dict(userpassdict)
get_ha1       = cherrypy.lib.auth_digest.get_ha1_dict_plain(userpassdict)

config = {
  'global' : {
    'server.socket_host' : '127.0.0.1',
    'server.socket_port' : 8080,
    'server.thread_pool' : 8
  },
  '/' : {
    # HTTP verb dispatcher: routes GET/POST/PUT/DELETE to same-named methods
    'request.dispatch': cherrypy.dispatch.MethodDispatcher(),
    # JSON response: handler return values are serialized automatically
    'tools.json_out.on' : True,
    # Basic Auth
    'tools.auth_basic.on'            : True,
    'tools.auth_basic.realm'         : 'Walled garden',
    'tools.auth_basic.checkpassword' : checkpassword,
    # Digest Auth (enable this block instead of the Basic one)
    #'tools.auth_digest.on'      : True,
    #'tools.auth_digest.realm'   : 'Walled garden',
    #'tools.auth_digest.get_ha1' : get_ha1,
    #'tools.auth_digest.key'     : 'put random secret here',
  }
}


class Document:
  '''Test like:
  curl --user user1:passwd --request GET http://localhost:8080/api/document
  curl --user user1:passwd --request GET http://localhost:8080/api/document/2
  curl --user user1:passwd --request POST --data name="new entry" http://localhost:8080/api/document
  curl --user user1:passwd --request PUT --data name="new entry2" http://localhost:8080/api/document/4
  curl --user user1:passwd --request DELETE http://localhost:8080/api/document/4
  '''

  _store  = None
  exposed = True


  def __init__(self):
    # In-memory sample data standing in for a real backend
    self._store = {
      1 : {'id': 1, 'name': 'foo'},
      2 : {'id': 2, 'name': 'bar'},
      3 : {'id': 3, 'name': 'baz'},
      4 : {'id': 4, 'name': 'qux'},
    }

  def GET(self, id = None):
    if id:
      return self._store[int(id)]
    else:
      # list() so json_out can serialize it (dict_values is not JSON
      # serializable on Python 3)
      return list(self._store.values())

  def POST(self, **kwargs):
    id = max(self._store.keys()) + 1
    self._store[id] = {'id': id, 'name': kwargs['name']}
    return id

  def PUT(self, id, **kwargs):
    self._store[int(id)].update(kwargs)

  def DELETE(self, id):
    self._store.pop(int(id))


if __name__ == '__main__':
  cherrypy.quickstart(Document(), '/api/document', config)
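A hardened variant of the credential checks above, added here as an example that is not part of the original answer or of CherryPy itself: it replaces the plaintext `userpassdict` with a salted PBKDF2 store behind a callable of the `(realm, username, password)` shape that `tools.auth_basic.checkpassword` calls, parses the `Authorization: Basic` header the way the tool does on each request, and shows the MD5 HA1 that a `tools.auth_digest.get_ha1` callable must return. It uses only the standard library (no CherryPy import), and the `USERS` store, `authorize_basic` and `ha1_for` names are constructed for this example.

```python
import base64
import hashlib
import hmac
import os

REALM = 'Walled garden'
ROUNDS = 200_000

def _make_record(password):
  # Constructed sample record: random salt plus PBKDF2-SHA256 hash, so the
  # server never stores the plaintext password that userpassdict holds.
  salt = os.urandom(16)
  digest = hashlib.pbkdf2_hmac('sha256', password.encode(), salt, ROUNDS)
  return {'salt': salt, 'hash': digest}

# Constructed user store (same credentials as the answer's example)
USERS = {'user1': _make_record('passwd')}

def checkpassword(realm, username, password):
  '''Verifier with the (realm, username, password) -> bool signature
  that tools.auth_basic.checkpassword calls once per request.'''
  record = USERS.get(username)
  if record is None:
    # Do the same work for unknown users so timing does not reveal valid names
    hashlib.pbkdf2_hmac('sha256', password.encode(), b'\x00' * 16, ROUNDS)
    return False
  candidate = hashlib.pbkdf2_hmac('sha256', password.encode(), record['salt'], ROUNDS)
  return hmac.compare_digest(candidate, record['hash'])

def parse_basic_authorization(header):
  '''Decode "Authorization: Basic <base64>" into (username, password), or None.'''
  scheme, _, token = header.strip().partition(' ')
  if scheme.lower() != 'basic' or not token:
    return None
  try:
    decoded = base64.b64decode(token, validate=True).decode('utf-8')
  except (ValueError, UnicodeDecodeError):
    return None
  username, sep, password = decoded.partition(':')
  return (username, password) if sep else None

def authorize_basic(header, realm=REALM):
  '''One stateless request check: parse the header, then verify the credentials.'''
  creds = parse_basic_authorization(header)
  return bool(creds) and checkpassword(realm, creds[0], creds[1])

def ha1_for(realm, username, password):
  '''HA1 = MD5(username:realm:password), what a tools.auth_digest.get_ha1 callable
  must return; Digest needs it stored as-is, so it is password-equivalent for the realm.'''
  return hashlib.md5(f'{username}:{realm}:{password}'.encode()).hexdigest()
```

Because Digest verification needs HA1 in the clear on the server, the PBKDF2 store only helps the Basic-over-HTTPS path; that is one of the trade-offs the answer refers to.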
