Thanks a lot for the information, desfrenes! It's just what I needed. I'm new to web programming (been developing desktop software for a while mostly in C++) and have to do many things for the first time.
Now I'm going to try and experiment with this stuff. I wish server-side token generation and handling would be implemented in web2py proper. BASIC authentication for services was added to web2py recently, but I'm at a loss as to how to actually use it. I asked a question about it in a different thread, but got no answer so far... Thanks again for your help. I really appreciate it! On Sat, Jun 6, 2009 at 5:46 PM, desfrenes<desfre...@gmail.com> wrote: > > Tokens identify users, not sessions since your services should be > stateless anyway (each call to a service method should be independent > and should not require a call to another method. Read about it here: > http://searchsoa.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid26_gci826428,00.html). > Sessions is your client's job. > The token has an expiry date and lifetime may be different from user > to user. > > I use something like this, client side: > > # first get a token > authToken = serviceProxy.getToken(user, password) > > # then use it with methods that require auth. > helloWorld = serviceProxy.helloWorld(token = authToken) > > serviceProxy could be formatting json-rpc, xml-rpc, soap, whatever... > also this would work no matter the transport. > > I do have an implementation of the server, however since it's not > written in python I didn't post it here (my client is a web2py app and > my server is a ZF app). I can send it to you but it's php, you tell > me. > What I implemented in Python is a client class (using json-rpc format > since it's my prefered format): http://www.desfrenes.com/python-json-rpc > . > > A possible server implementation in web2py could be something like > this (replace the docstrings with appropriate logic): > > from gluon.tools import Service > # create a server instance > service = Service(globals()) > > @service.jsonrpc > def getToken(user, password): > """ > here, perform authentication > against whatever source you like > (db, file, service, CAS, ldap...) > generate a token, store it in cache or > db with an expiry date and > associated user id. > You may generate the token with > uuid and then encrypt it > """ > return 'xyz' > > # expose as json-rpc > @service.jsonrpc > def helloWorld(token, name): > """ > here, check validity of token > (does it exist? is it expired?), > if valid and corresponding user has > right, then return result, > else raise error. > You may perform auth within a > python decorator so you only > have to add @tokenAuth before > your function > """ > return 'hello ' + name > > # your service end point > def call(): return service() > > Another way is to use http basic auth, but it was not my choice. > You'll find tons of articles about it. > > > On Jun 6, 10:20 am, Alexei Vinidiktov <alexei.vinidik...@gmail.com> > wrote: >> Thanks for your reply, desfrenes. >> >> Could you share how you generate your tokens? Do they expire or are >> they permanent for each user? >> >> Do token identify sessions or users? >> >> Thanks. >> >> >> >> On Fri, Jun 5, 2009 at 6:01 PM, desfrenes<desfre...@gmail.com> wrote: >> >> > I use a token auth handle at the service level. It has disadvantages >> > (need to check auth on each method, but should be easy with python >> > decoratorsà but at least I can use the same services with no >> > modification, whatever the message format (soap, json, xml, >> > anything...) or the transport layer. >> >> > On Jun 5, 5:42 am, Alexei Vinidiktov <alexei.vinidik...@gmail.com> >> > wrote: >> >> Hello, >> >> >> I'm wondering what is the best approach to authenticating users from >> >> within desktop apps or RIA apps written, for example, in Silverlight, >> >> Flex, GWT, pyjamas that communicate with web2py backends via rpc >> >> services. >> >> >> Thanks. >> >> >> -- >> >> Alexei Vinidiktov >> >> -- >> Alexei Vinidiktov > > > -- Alexei Vinidiktov --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "web2py Web Framework" group. To post to this group, send email to web2py@googlegroups.com To unsubscribe from this group, send email to web2py+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/web2py?hl=en -~----------~----~----~----~------~----~------~--~---
