A flexible authentication and access-control library for CherryPy web applications. Includes LDAP authentication provider.
Created: 2006-02-13 | Updated: 2007-07-24 | Status: Abandoned | Tags: cherrypy python library
Authentication and Access Control for CherryPy Applications
By Christian Wyglendowski
September 12, 2005
MultiAuth provides authentication for CherryPy web objects. LDAP authentication (Active Directory, specifically) and a simple dictionary provider are the only implemented providers in this release.
Python 2.3 (2.4 recommended)
python-ldap http://python-ldap.sourceforge.net/
At the command prompt, run "python setup.py install". This will install MultiAuth.
Two modules are included in this package: multiauth.auth and multiauth.providers.
Module multiauth.providers contains the code that handles actual authentication.
It currently handles LDAP authentication and group checking, which depends on the python-ldap package. For secure operation, you will want to run over LDAP-SSL. I did not design it for use with SASL, as the python-ldap build I am using does not support it. You will need to get an SSL CA certificate from your certificate provider to run in SSL mode. Currently it provides support for authenticating against Active Directory using the class ADAuthProvider. I hope to add more authentication providers as this project progresses.
There is also a simple dictionary authentication provider (DictAuthProvider). It is a nice class to use for testing and to see how a simple provider is built, but beyond that it is insecure and has little use.
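As an added example (not code from MultiAuth or its ADAuthProvider), this shows the LDAP-SSL setup described above using python-ldap: the server certificate is verified against your CA file, and empty passwords are refused before any bind is attempted. The host name, CA path, UPN suffix and both function names are assumptions.

```python
import re

# Constructed placeholders: replace with your directory's values.
LDAPS_URI = "ldaps://dc.example.test:636"
CA_FILE = "/etc/ssl/certs/example-ca.pem"
UPN_SUFFIX = "example.test"

_USERNAME_OK = re.compile(r"[A-Za-z0-9._-]{1,64}")


def bind_identity(username, password, upn_suffix=UPN_SUFFIX):
    """Return the userPrincipalName to bind as, or None to refuse the login.

    An empty password must never reach the server: a simple bind with a
    name and no password is an unauthenticated bind, which some servers
    report as success.
    """
    if not password or not _USERNAME_OK.fullmatch(username or ""):
        return None
    return "%s@%s" % (username, upn_suffix)


def ad_authenticate(username, password):
    """True only if the directory accepts the credentials over verified TLS."""
    who = bind_identity(username, password)
    if who is None:
        return False
    import ldap  # python-ldap; imported late so the check above runs without it
    conn = ldap.initialize(LDAPS_URI)
    # Verify the server certificate against the CA file; never skip this.
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, CA_FILE)
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)  # apply the TLS options above
    try:
        conn.simple_bind_s(who, password)
        return True
    except ldap.INVALID_CREDENTIALS:
        return False
    finally:
        conn.unbind_s()
```

Connection and certificate errors are left to propagate so that a misconfigured CA file is noticed instead of being treated as a failed login.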
Module multiauth.auth uses multiauth.providers to do the authentication heavy lifting. It provides a metaclass, class and decorators to wrap specific parts of your CherryPy site with authentication.
Other than this README, see the included pydoc-generated HTML documentation for multiauth.providers and multiauth.auth.
The included adauthdemo.py example demonstrates setting up a simple do-nothing object and server that authenticates against Active Directory. You will have to tweak the connection settings and object permissions for your environment.
MultiAuth is a work in progress and may experience significant changes while it is a pre-1.0 release. New versions may not be backwards compatible.
MIT - see copyright.txt in the distribution.
See also: MultiAuth page on CherryPy wiki
New Proof-of-Concept Filterized MultiAuth (version 0.8)
providers.py
[colorized]
MultiAuth-0.6.zip
MultiAuth-0.8.zip
Nicolas Évrard
2005-11-21
Hello,
I've noticed your work on multiauth and it seems to go in the same direction as my own work (not published yet). I also use an AuthenticationService and I use a Metaclass to protect pages according to their roles.
Maybe we can share some code or ideas.
bgarde
2006-01-18
Hi,
Nice job, it works fine on my CherryPy website.
What about logout functionality?
Thanks for your work.
Regards
Christian
2006-01-26
You should be able to create a logout method that deletes the user from the session. I think I might have an example of it included in the MultiAuth distribution.
wezzy
2006-03-08
Hi, I've tried MultiAuth 0.8 on CherryPy 2.2 (SVN) and got 2 warnings that were easy to fix: just change from cherrypy.lib.filter.basefilter to cherrypy.filters.basefilter according to the CherryPy docs (http://www.cherrypy.org/wiki/Filters22). I also got an error when the code tries to import an object called iterable in auth.py:6; I've removed this line and everything works right.
rshea
2006-05-04
Hi Mr Dowski - I'm grateful to you for having written MultiAuth. I'm starting to use release 0.6 on Python 2.4, CP 2.1.
I've got a question about setting the roles dynamically which I've posted to the cherry-py users news group but if you were able to answer it directly that would be great. Here's the posting.
Hi - I'm hoping to use MultiAuth (http://www.cherrypy.org/wiki/MultiAuth) but have come across something I cannot figure out how to work around.
I want to extract the roles relevant for a given class/method from the database. This is no problem but it seems to me that it's impossible to assign these at run time (bear in mind I need method level granularity not just class protection).
Now bear in mind I do not consider myself a Python guru but this is how I come to that conclusion.
There are three methods of protecting a class and/or method.
1. Metaclasses - the setup of which roles are allowed access is done at class level and so (as far as I understand) is not able to be driven by the database.
class SubSite:
    "Example metaclasss protection"
    __metaclass__ = auth.protected
    roles = ['admins']
    def index(self):
        return "here is the admin only subsite"
    index.exposed = True
2. Decorators - again the setup of the decorators is done at class level and so not able to be driven by the database?
class AnotherSubSite:
    "Sample multi-level security with decorators"
    def index(self):
        return """
        Protected method
        Open method
        """
    index.exposed = True
    # for 2.4 use: @auth.secure(['whatever'])
    def protected(self):
        return "you have accessed the protected page"
    # decorate the method in a 2.3 friendly way
    protected = auth.secure(['supersecret'])(protected)
    protected.exposed = True
    def open(self):
        return "this is the open page"
    open.exposed = True
3. Superclasses - is restricted to class level control and I need class/method granularity
So - is there anyone out there who used MultiAuth in the way or who maybe just understands enough about Python that they can explain how to get around this?
Thanks
Richard.
rshea
2006-05-04
Sorry all the nice formatting got completely chewed there. The question may be viewed in a formatted form at ...
http://tinyurl.com/gucyf
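An added example, not part of the thread and not MultiAuth's API: one way to get the method-level, run-time role lookup asked about above is a decorator that queries the role table on each call instead of taking a fixed list. The secure_from_db decorator, the acl table and the SESSION stand-in are hypothetical, and the sample row is constructed.

```python
import functools
import sqlite3


class AccessDenied(Exception):
    """Raised when the caller holds none of the roles a handler requires."""


def make_role_store():
    """Constructed sample data: handler name -> role allowed to call it."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE acl (handler TEXT, role TEXT)")
    db.execute("INSERT INTO acl VALUES (?, ?)",
               ("AnotherSubSite.protected", "supersecret"))
    return db


def secure_from_db(db, current_roles):
    """Hypothetical decorator: required roles are read on every call.

    current_roles is a callable returning the caller's roles; in a web
    application it would read them from the session.
    """
    def decorate(func):
        key = func.__qualname__          # e.g. "AnotherSubSite.protected"
        @functools.wraps(func)
        def wrapper(*args, **kwargs):
            rows = db.execute("SELECT role FROM acl WHERE handler = ?", (key,))
            allowed = {row[0] for row in rows}
            # Fail closed: a handler with no rows is denied to everyone.
            if not allowed & set(current_roles()):
                raise AccessDenied(key)
            return func(*args, **kwargs)
        return wrapper
    return decorate


DB = make_role_store()
SESSION = {"roles": []}   # constructed stand-in for the per-user session


class AnotherSubSite:
    @secure_from_db(DB, lambda: SESSION["roles"])
    def protected(self):
        return "you have accessed the protected page"

    @secure_from_db(DB, lambda: SESSION["roles"])
    def unlisted(self):
        return "no ACL rows name this handler"
```

Because the lookup happens inside the wrapper, changing a row in the table changes who may call the method without restarting the application.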
dovf
2006-07-13
Hi!
Thanks for this library, I've found it very useful! I've added some additional functionality which I needed, and which others may find useful. Specifically: logout capabilities, preservation of request parameters through the login process, easy access to the username and roles of the authenticated user.
http://dovf.yourfreewebspace.com/MultiAuth/multiauth.html