Travis Griggs <travisgri...@gmail.com> writes: > ... > I found a example of how to add SSL to my python service > (https://gist.github.com/ubershmekel/6194556). If I can figure out how to get > the right keys embedded into my iPhone app (it's just on my phone, not anyone > else's), is that enough? Or should I include some sort of auth? If so, what > kind? And any pointers to how to start that would be much appreciated.
This is less a Python question. What kind of authentication you need heavily depends on which data your HTTP server publishes. You need no authentication at all, if anyone can see this data. There are many standards related to HTTP authentication. Using a standard has the advantage that common components (e.g. the browser) may have support for it. HTTP itself defines two authentication standards - both based an a simple "login/password" scheme: "basic" (very simple, but prone to replay and monitoring attacks) and "digest" (more secure but rarely used). There is also HTTPS (that is HTTP over SSL). This is HTTP over an encrypted communication channel. As the data transmitted is encrypted, monitoring and replay attacks get far more difficult. Used this way, HTTP basic authentication gets much more secure. HTTPS is typically also used for server identification (typical browsers warn you, if it does not trust the (HTTPS) server certificate or the host name inside the certificate does not correspond to the host you try to contact). However, HTTPS can also be used with client certificates; this usage may be an alternative to HTTP authentication. There are a lot of further standards related to authentication: e.g. "OpenId", "SAML2", "OpenAuth", ... > Some have blithely replied that I should be using Flask or Tornado. I get > that I'm going to hit a wall with HTTPServer and that it's more of a "toy" > implementation. This may be the part of your question which relates to Python; more precisely to "HTTPServer". I do not have an authoritative answer for you. I suppose (!; I am not sure) that "HTTPServer" will somehow support basic authentication and maybe HTTPS, however, it may not support it alone. For "basic" authentication, you need some kind of user "database" which records the known users with their passwords and maybe the services those users may use. By itself "HTTPS" does not provide (client) authentication; for client authentication, you need again some kind of user "database" to determine which clients (identified by the client certificate) you want to grant any and which services. This user "database" may be quite simple (maybe, it contains just "you") - but Python's "HTTPServer" cannot know - and does not provide this piece of infrastructure. You must extend Python's "HTTPServer" to provide it. Authentication support is a fundamental task for web frameworks. Therefore, they contain infrastructure to facilitate this task. This include "modules" for the implementation of the "user database" mentioned above. My personal recommendation: if this is the only web application you plan to implement, you may stick with "HTTPServer". However, if you can imagine that in the future you will implement further web applications, then look for a web framework. True, you will have to learn quite a bit - but you get components that facilitate typical tasks related to web applications (e.g. authentication). This initial learning effort may amortise when you plan to implement more web applications in the future. -- https://mail.python.org/mailman/listinfo/python-list
