Tokens identify users, not sessions since your services should be stateless anyway (each call to a service method should be independent and should not require a call to another method. Read about it here: http://searchsoa.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid26_gci826428,00.html). Sessions is your client's job. The token has an expiry date and lifetime may be different from user to user.
I use something like this, client side: # first get a token authToken = serviceProxy.getToken(user, password) # then use it with methods that require auth. helloWorld = serviceProxy.helloWorld(token = authToken) serviceProxy could be formatting json-rpc, xml-rpc, soap, whatever... also this would work no matter the transport. I do have an implementation of the server, however since it's not written in python I didn't post it here (my client is a web2py app and my server is a ZF app). I can send it to you but it's php, you tell me. What I implemented in Python is a client class (using json-rpc format since it's my prefered format): http://www.desfrenes.com/python-json-rpc . A possible server implementation in web2py could be something like this (replace the docstrings with appropriate logic): from gluon.tools import Service # create a server instance service = Service(globals()) @service.jsonrpc def getToken(user, password): """ here, perform authentication against whatever source you like (db, file, service, CAS, ldap...) generate a token, store it in cache or db with an expiry date and associated user id. You may generate the token with uuid and then encrypt it """ return 'xyz' # expose as json-rpc @service.jsonrpc def helloWorld(token, name): """ here, check validity of token (does it exist? is it expired?), if valid and corresponding user has right, then return result, else raise error. You may perform auth within a python decorator so you only have to add @tokenAuth before your function """ return 'hello ' + name # your service end point def call(): return service() Another way is to use http basic auth, but it was not my choice. You'll find tons of articles about it. On Jun 6, 10:20 am, Alexei Vinidiktov <alexei.vinidik...@gmail.com> wrote: > Thanks for your reply, desfrenes. > > Could you share how you generate your tokens? Do they expire or are > they permanent for each user? > > Do token identify sessions or users? > > Thanks. > > > > On Fri, Jun 5, 2009 at 6:01 PM, desfrenes<desfre...@gmail.com> wrote: > > > I use a token auth handle at the service level. It has disadvantages > > (need to check auth on each method, but should be easy with python > > decoratorsà but at least I can use the same services with no > > modification, whatever the message format (soap, json, xml, > > anything...) or the transport layer. > > > On Jun 5, 5:42 am, Alexei Vinidiktov <alexei.vinidik...@gmail.com> > > wrote: > >> Hello, > > >> I'm wondering what is the best approach to authenticating users from > >> within desktop apps or RIA apps written, for example, in Silverlight, > >> Flex, GWT, pyjamas that communicate with web2py backends via rpc > >> services. > > >> Thanks. > > >> -- > >> Alexei Vinidiktov > > -- > Alexei Vinidiktov --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "web2py Web Framework" group. To post to this group, send email to web2py@googlegroups.com To unsubscribe from this group, send email to web2py+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/web2py?hl=en -~----------~----~----~----~------~----~------~--~---
