The effective_principals function could be what I was looking for. I'll take a look at it and go deeper on the AuthTktCookieHelper, thank you!
On Saturday, 4 July 2015 16:13:09 UTC+2, Paul Everitt wrote:
>
> In Pyramid authentication, once you assign the cookie, subsequent requests
> have the following work to do:
>
> - Read the cookie, decode it, and extract the user id
>
> - The groupfinder callback then looks up in a database or something to get
> the principals associated with that user id
>
> You can fake the groupfinder function and just return from an in-memory
> set of users and groups. The tutorial link below does that. But you still
> need an authentication policy which will extract and return a user id from
> the cookie.
>
> Here is an example of a custom authentication policy:
>
> http://pyramid-cookbook.readthedocs.org/en/latest/auth/custom.html
>
> It uses a helper for managing the cookie:
>
> http://docs.pylonsproject.org/projects/pyramid/en/latest/_modules/pyramid/authentication.html#AuthTktCookieHelper
>
> My guess is, you'll have to take ownership of a replacement cookie helper.
>
> —Paul
>
> On Jul 4, 2015, at 10:03 AM, Matheo <[email protected]> wrote:
>
> I actually only check the signature of the named JWT cookie and if I can
> decode it, then allow the user to continue or not.
>
> But I'm not sure it's a good behavior, there isn't actually any match-test
> with the server. Shouldn't the userid be stored somewhere on the server
> side in order to make a match? If yes, where should I store it? I really
> can't find it by reading Pyramid's code. (and I'm new to security)
>
> Thank you!
>
> I will certainly paste the code once cleaned.
>
> On Thursday, 2 July 2015 16:32:35 UTC+2, Paul Everitt wrote:
>>
>> Is your JWTAuthTktCookieHelper successful in setting
>> request.authenticated_userid?
>>
>> Pyramid keeps a pretty nice separation between authentication, permissions,
>> and ACLs. I suggest you use this to your advantage. First, make sure that
>> your authentication works and ignore authorization. Here's the step in the
>> Pyramid quick tutorial that does authentication without worrying about
>> authorization (or databases):
>>
>> http://docs.pylonsproject.org/projects/pyramid//en/latest/quick_tutorial/authentication.html
>>
>> If you can get that tutorial step working with your JWT-in-cookies
>> (meaning, after login, you can print request.authenticated_userid), *then*
>> worry about authorization and databases.
>>
>> —Paul
>>
>> On Jul 2, 2015, at 9:33 AM, Matheo <[email protected]> wrote:
>>
>> Hello,
>>
>> I don't understand very well how authentication/authorization works with
>> pyramid. I mean, how the server remembers if the user can access or not
>> a classic route like that, for instance:
>>
>>     @view_config(
>>         route_name='core/currentUser',
>>         renderer='json'
>>     )
>>
>>     # default permission already set to read:
>>     config.set_default_permission('read')
>>
>> And after the user has already passed the login check function:
>>
>>     import transaction
>>     from pyramid.httpexceptions import HTTPUnauthorized
>>     from pyramid.security import NO_PERMISSION_REQUIRED, remember
>>     from pyramid.view import view_config
>>
>>     from .models import DBSession, User  # the app's own model module; path assumed
>>
>>     # route_prefix is defined elsewhere in the application
>>     @view_config(
>>         route_name=route_prefix + 'login',
>>         permission=NO_PERMISSION_REQUIRED,
>>         request_method='POST')
>>     def login(request):
>>         user_id = request.POST.get('user_id', '')
>>         pwd = request.POST.get('password', '')
>>         # .first() returns None for an unknown user; .one() would raise NoResultFound
>>         user = DBSession.query(User).filter(User.id == user_id).first()
>>         if user is not None and user.check_password(pwd):
>>             headers = remember(request, user_id)
>>             response = request.response
>>             response.headerlist.extend(headers)
>>             transaction.commit()
>>             return response
>>         else:
>>             transaction.commit()
>>             return HTTPUnauthorized()
>>
>> Actually I want to overwrite the authentication system in order to use a
>> JSON Web Token cookie.
>> This post presents what I want to do:
>> https://github.com/ajkavanagh/pyramid_jwtauth/issues/9 (mine)
>> I started among other stuff to write a JWTAuthTktCookieHelper class in
>> order to keep more or less the AuthTktAuthenticationPolicy behaviors
>> (remember function) but with a JWT cookie and through the
>> JWTAuthenticationPolicy
>> <https://github.com/ajkavanagh/pyramid_jwtauth/blob/master/pyramid_jwtauth/__init__.py>
>> (optional, I can extend AuthTktAuthenticationPolicy). I'm not sure it's enough, I
>> don't see how the permissions are kept server side, is it via a session?
>>
>> Hoping to be clear.
>> Thank you!
>>
>> (be back on Saturday)
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "pylons-discuss" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To post to this group, send email to [email protected].
>> Visit this group at http://groups.google.com/group/pylons-discuss.
>> For more options, visit https://groups.google.com/d/optout.
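Paul's two steps (read and verify the cookie, then let the groupfinder turn the user id into principals) written out as an added example; this is not code from the thread or from pyramid_jwtauth. It builds an HS256 JWT on the standard library only and a policy class that uses the same method names as Pyramid's IAuthenticationPolicy without importing pyramid, so it runs stand-alone; the secret, the cookie name and the in-memory USERS dict (standing in for the groupfinder's database) are constructed, and the principal strings are the values of pyramid.security.Everyone and Authenticated. Note that nothing about the user id is kept server side: a token only verifies if it was signed with the server's secret, and the groupfinder still decides whether that user is (still) known.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s):  # restore the padding that JWT strips
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def encode_jwt(claims, secret):
    head = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def decode_jwt(token, secret, now=None):  # claims if signature and expiry check out, else None
    try:
        head, body, sig = token.split(".")
        if json.loads(b64url_decode(head)).get("alg") != "HS256":
            return None  # the server, not the token, decides which algorithm is acceptable
        want = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, b64url_decode(sig)):
            return None  # tampered header/body or wrong key
        claims = json.loads(b64url_decode(body))
        if claims.get("exp", 0) <= (time.time() if now is None else now):
            return None  # expired, or no exp claim at all
        return claims
    except (ValueError, TypeError, AttributeError):
        return None  # wrong segment count, bad base64/JSON or non-object claims

USERS = {"alice": ["group:editors"], "bob": []}  # constructed stand-in for the database
def groupfinder(userid, request):
    return USERS.get(userid)  # None tells the policy the user is not (or no longer) known

class JWTCookieAuthenticationPolicy:
    """Same method names as Pyramid's IAuthenticationPolicy; runs without importing pyramid."""
    def __init__(self, secret, callback, max_age=3600, cookie_name="auth_jwt"):  # constructed defaults
        self.secret, self.callback, self.max_age, self.cookie_name = secret, callback, max_age, cookie_name
    def unauthenticated_userid(self, request):  # step 1: read the cookie, verify it, extract sub
        claims = decode_jwt(request.cookies.get(self.cookie_name, ""), self.secret)
        return claims.get("sub") if claims else None
    def authenticated_userid(self, request):  # step 2: the groupfinder must still know the user
        userid = self.unauthenticated_userid(request)
        return userid if userid and self.callback(userid, request) is not None else None
    def effective_principals(self, request):  # what the ACLs are matched against
        principals, userid = ["system.Everyone"], self.unauthenticated_userid(request)
        groups = self.callback(userid, request) if userid else None
        return principals if groups is None else principals + ["system.Authenticated", userid] + groups
    def remember(self, request, userid, **kw):  # headers the login view adds to its response
        token = encode_jwt({"sub": userid, "exp": int(time.time()) + self.max_age}, self.secret)
        return [("Set-Cookie", f"{self.cookie_name}={token}; HttpOnly; Path=/")]
```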
