OK, I took a look into tools.py to get some clearer ideas. I made a bit of a mess here (it tends to be really confusing), and actually:

    from gluon.contrib.login_methods.basic_auth import basic_auth

and

    auth.settings.login_methods = [basic_auth()]

are needed if we're going to authenticate against an "external" server with basic authentication (i.e. you have a list of users in Apache's .htaccess and you have to allow access to web2py using that info and not the info stored in the auth tables).

So, in order to let web2py use basic authentication with the data stored in its auth tables, all we need is:

    auth.settings.allow_basic_login = True

Moreover, I now don't understand whether the following is needed/useful:

    auth.settings.actions_disabled = [
        'login',
        'logout',
        'register',
        'verify_email',
        'retrieve_username',
        'retrieve_password',
        'reset_password',
        'request_reset_password',
        'change_password',
        'profile',
        'groups',
        'impersonate',
    ]

and finally:

    def unauth():
        session.forget()
        head = 'Basic realm="%s"' % (request.application)
        raise HTTP(401,['Unauthorized'])

    auth.settings.on_failed_authorization = unauth()

So, I discovered that raise HTTP(401,'hello') returns the cruft in order to trick IE (is this still needed?), but if you put status as a list it will return only 'hello' (nice catch). But I need to send the WWW-Authenticate header along with this too (it would be as easy as putting WWW-Authenticate=head as an argument to HTTP), and it turns out that it is reaaally difficult to put one in there (Python dict limitation??). Can anyone point me in the right direction?

Thanks a lot
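The Basic-auth exchange discussed in this post, shown as an added example that is not part of the original message or of web2py's code: a header name containing a hyphen cannot be written as a Python keyword argument, but it can be passed by unpacking a dict. The `HTTP` class here is a stand-in that assumes the `status, body, **headers` shape the post describes; `USERS`, `challenge`, `parse_basic` and `require_basic` are hypothetical names, and the credentials are constructed sample data.

```python
import base64
import hmac

# Constructed sample store; web2py itself checks against its auth tables.
USERS = {'alice': 's3cret'}

class HTTP(Exception):
    """Stand-in for web2py's HTTP exception (assumed shape: status, body, **headers)."""
    def __init__(self, status, body='', **headers):
        super().__init__(status)
        self.status, self.body, self.headers = status, body, headers

def challenge(realm):
    """Build the 401 response that asks the client for Basic credentials."""
    # Drop quotes and backslashes so the realm cannot break the quoted string.
    safe = realm.replace('\\', '').replace('"', '')
    # 'WWW-Authenticate' is not a valid identifier, so it cannot be typed as
    # a keyword argument; unpacking a dict passes it through unchanged.
    return HTTP(401, 'Unauthorized',
                **{'WWW-Authenticate': 'Basic realm="%s"' % safe})

def parse_basic(header):
    """Return (user, password) from an Authorization header, or None if malformed."""
    scheme, _, token = (header or '').partition(' ')
    if scheme.lower() != 'basic' or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode('utf-8')
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = decoded.partition(':')
    return (user, password) if sep else None

def require_basic(header, users, realm):
    """Return the user name on success, otherwise raise the 401 challenge."""
    creds = parse_basic(header)
    if creds is not None:
        expected = users.get(creds[0])
        # Constant-time comparison avoids leaking how many characters matched.
        if expected is not None and hmac.compare_digest(
                creds[1].encode(), expected.encode()):
            return creds[0]
    raise challenge(realm)
```

Basic credentials are only base64-encoded, not encrypted, so this exchange should only be used over TLS.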