On Wednesday, March 11, 2015 at 6:50:28 AM UTC-7, mcm wrote:
>
> If you do not have the email you can use the registration_id and username 
> fields.
> Most details are in the book: 
> http://web2py.com/books/default/chapter/29/09/access-control
>

Would it be appropriate to add some of the comments above into the 
deployment recipe chapter (#13, 
<URL:http://www.web2py.com/books/default/chapter/29/13/deployment-recipes#Apache-setup>), 
since the X509 section in your link ends with:

"In particular you need to tell your web server where the certificates are 
located on local host and that it needs to verify certificates coming from 
the clients. How to do it is web server dependent and therefore omitted 
here."


/dps


> 2015-03-11 14:08 GMT+01:00 Michele Comitini <michele....@gmail.com>:
>
>> You can read any of the fields a certificate contains eventually.
>> see here for some ideas: https://code.google.com/p/simpatica/
>>
>> It's a working PKI that allows one to generate CSRs and sign them with a 
>> valid signing certificate
>>
>> 2015-03-11 13:48 GMT+01:00 LoveWeb2py <atayl...@gmail.com>:
>>
>>> Once authentication happens, how can I make them members of groups? I 
>>> notice now they don't have an entry in Auth user. Should I have them 
>>> register first and once they're registered they can use PKI authentication? 
>>> This is uncharted waters for me so I'm trying to figure out the best 
>>> approach for it.
>>>
>>> On Wednesday, March 11, 2015 at 8:05:48 AM UTC-4, mcm wrote:
>>>>
>>>> I am glad someone is using x509 Auth, it is a very simple way to handle 
>>>> user security,
>>>>
>>>> One important piece of the puzzle (with apache) is:
>>>>
>>>> SSLVerifyClient optional
>>>>
>>>> The optional allows one to accept any user on the website, while 
>>>> having some web2py actions require a valid user certificate
>>>> just by adding the standard @auth.requires_login()
>>>>
>>>>         ## Client Authentication (Type):
>>>>         # Client certificate verification type and depth. Types are none, optional,
>>>>         # require and optional_no_ca. Depth is a number which specifies how deeply
>>>>         # to verify the certificate issuer chain before deciding the certificate is
>>>>         # not valid.
>>>>         #SSLVerifyClient require
>>>>         #SSLVerifyDepth  10
>>>>
>>>>
>>>> 2015-03-11 12:27 GMT+01:00 LoveWeb2py <atayl...@gmail.com>:
>>>>
>>>>> Those are exactly the two I don't have so far from the list I saw in 
>>>>> another post I have:
>>>>>
>>>>> SSL_CIPHER, SSL_CLIENT_I_DN, SSL_CLIENT_CERT, SSL_CLIENT_VERIFY
>>>>>
>>>>> The following are not being passed (probably a problem with my 
>>>>> ssl.conf):
>>>>> SSL_CLIENT_RAW_CERT, SSL_SESSION_ID, SSL_CLIENT_SERIAL
>>>>>
>>>>> Almost there! :) I'll post the fix when I find it
>>>>>
>>>>>
>>>>> On Tuesday, March 10, 2015 at 7:56:45 PM UTC-4, Niphlod wrote:
>>>>>>
>>>>>> debug it, debug it, debug it.
>>>>>>
>>>>>> AFAICS, x509_auth.py requires:
>>>>>>
>>>>>> ssl_client_raw_cert
>>>>>> optional ssl_client_serial
>>>>>>
>>>>>> On Wednesday, March 11, 2015 at 12:04:51 AM UTC+1, LoveWeb2py wrote:
>>>>>>>
>>>>>>> so I did {{=request.env}} and I can see the SSL DATA certificate in 
>>>>>>> another app, but for some reason the app that requires the data isn't 
>>>>>>> being 
>>>>>>> passed. Going to keep troubleshooting that app because I really want to 
>>>>>>> use 
>>>>>>> the x509 authentication with web2py!!
>>>>>>>
>>>>>>> for some reason the x509 auth isn't working still. Going to keep 
>>>>>>> pressing and will post a fix when I find it. Thank you so much for your 
>>>>>>> help Niphlod. I hope this helps others in the future!
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Tuesday, March 10, 2015 at 6:40:29 PM UTC-4, Niphlod wrote:
>>>>>>>>
>>>>>>>> what if you return somewhere this dict (takes the "SSL*" env 
>>>>>>>> variables and prints it) 
>>>>>>>>
>>>>>>>> def yourcode():
>>>>>>>>     # ... your existing action code ...
>>>>>>>>     # collect every SSL* variable the web server passed to the app
>>>>>>>>     debug_values = {}
>>>>>>>>     for k, v in request.env.items():
>>>>>>>>         if k.lower().startswith('ssl'):
>>>>>>>>             debug_values[k] = v
>>>>>>>>     # ... add debug_values to whatever the action already returns ...
>>>>>>>>     return dict(debug_values=debug_values)
>>>>>>>>
>>>>>>>> just to see if those do indeed get passed along.
>>>>>>>>
>>>>>>>>  -- 
>>>>> Resources:
>>>>> - http://web2py.com
>>>>> - http://web2py.com/book (Documentation)
>>>>> - http://github.com/web2py/web2py (Source code)
>>>>> - https://code.google.com/p/web2py/issues/list (Report Issues)
>>>>> --- 
>>>>> You received this message because you are subscribed to the Google 
>>>>> Groups "web2py-users" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>>> an email to web2py+un...@googlegroups.com.
>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>
>>>>
>
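
An added diagnostic, not part of the original thread or of web2py: it extends the debug loop quoted above to report which SSL_* variables reached the application, whether the ones the thread says x509_auth.py reads are present, and whether mod_ssl marked the certificate as verified, which matters under `SSLVerifyClient optional`. The function name, the sample environments and the REQUIRED/OPTIONAL split (taken from Niphlod's message) are assumptions.

```python
# Added diagnostic sketch; names follow the thread, not web2py's own code.
REQUIRED = ("ssl_client_raw_cert",)   # per the thread: x509_auth.py requires this
OPTIONAL = ("ssl_client_serial",)     # per the thread: optional


def diagnose_client_cert_env(env):
    """Report which SSL_* variables reached the app and whether the
    web server actually verified the client certificate."""
    # Normalise keys: WSGI passes upper-case names, the thread's checks use lower-case.
    ssl_vars = {k.lower(): v for k, v in env.items()
                if k.lower().startswith("ssl")}
    missing = [k for k in REQUIRED if not ssl_vars.get(k)]
    missing_optional = [k for k in OPTIONAL if not ssl_vars.get(k)]
    # mod_ssl sets SSL_CLIENT_VERIFY to NONE, SUCCESS, GENEROUS or FAILED:reason.
    verify = ssl_vars.get("ssl_client_verify", "NONE")
    notes = []
    if verify != "SUCCESS":
        notes.append("client certificate not verified (SSL_CLIENT_VERIFY=%s)" % verify)
    if "ssl_client_raw_cert" in missing and ssl_vars.get("ssl_client_cert"):
        notes.append("certificate exported as SSL_CLIENT_CERT but not as SSL_CLIENT_RAW_CERT")
    return {
        "present": sorted(ssl_vars),
        "missing_required": missing,
        "missing_optional": missing_optional,
        "verify": verify,
        "usable": not missing and verify == "SUCCESS",
        "notes": notes,
    }


# Constructed sample environments (not captured from a real server).
SAMPLE_FROM_THREAD = {
    "SSL_CIPHER": "ECDHE-RSA-AES256-GCM-SHA384",
    "SSL_CLIENT_I_DN": "CN=Example Test CA",
    "SSL_CLIENT_CERT": "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----",
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "PATH_INFO": "/app/default/index",
}
SAMPLE_ANONYMOUS = {"SSL_CIPHER": "ECDHE-RSA-AES256-GCM-SHA384",
                    "SSL_CLIENT_VERIFY": "NONE"}

if __name__ == "__main__":
    for name, env in (("thread", SAMPLE_FROM_THREAD), ("anonymous", SAMPLE_ANONYMOUS)):
        print(name, diagnose_client_cert_env(env))
```
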
