ok, I took a look into tools.py to get some clearer ideas... it turns out that it is a bit difficult to clean out the magic from Auth().

I made a bit of a mess here (it tends to be really confusing), and actually:

    from gluon.contrib.login_methods.basic_auth import basic_auth

and

    auth.settings.login_methods = [basic_auth()]

are needed if we're going to authenticate against an "external" server with basic authentication (i.e. you have a list of users in Apache's .htaccess and you have to allow access to web2py using that info and not the one stored in the auth tables).

So, in order to let web2py use basic authentication with the data stored in its auth tables, all we need is:

    auth.settings.allow_basic_login = True

Moreover, now, I don't understand whether the following is needed/useful:

    auth.settings.actions_disabled = [
        'login',
        'logout',
        'register',
        'verify_email',
        'retrieve_username',
        'retrieve_password',
        'reset_password',
        'request_reset_password',
        'change_password',
        'profile',
        'groups',
        'impersonate',
    ]

and finally:

    def unauth():
        head = 'Basic realm="%s"' % (request.application)
        raise HTTP(401,['Unauthorized'])

So, I discovered that raise HTTP(401,'hello') returns the cruft in order to trick IE (is this still needed?), but if you put the status as a list it will return only 'hello' (nice catch), but....

1) I'd need to set this function as the default "event" of not being authorized (eventually controlling that the Authorization header is not there and adding the WWW-Authenticate header)... (it would be as easy as putting WWW-Authenticate=head as an argument to HTTP), but it turns out that it is reaaally difficult to put one in there (Python dict limitation??).... Can anyone point me in the right direction?

2) I saw what auth.settings.allow_basic_login = True does (and auth.basic()), and it "allows" basic authentication in addition to the default auth (also with disabled actions). Maybe the default auth can be shut down totally?

Thanks a lot
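The challenge-and-parse flow raised in point 1, as an added example that is not part of the original post and is not web2py's own code: a 401 carrying the hyphenated `WWW-Authenticate` header, passed by unpacking a dict because the name cannot be written as a Python keyword argument. The `HTTP` class is a stand-in assumed to accept response headers as keyword arguments; `parse_basic`, `require_basic`, `check_user` and the `USERS` store are hypothetical names with constructed sample data.

```python
import base64
import binascii
import hmac


class HTTP(Exception):
    """Stand-in for web2py's gluon.http.HTTP (assumed signature:
    status, body, then response headers as keyword arguments)."""

    def __init__(self, status, body="", **headers):
        super().__init__(status)
        self.status, self.body, self.headers = status, body, headers


def parse_basic(authorization):
    """Return (username, password) from an Authorization header, or None."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")  # password may contain ':'
    return (username, password) if sep else None


def require_basic(authorization, check, realm):
    """Return the username, or raise a 401 carrying the Basic challenge."""
    creds = parse_basic(authorization)
    if creds is None or not check(*creds):
        # 'WWW-Authenticate' is not a valid Python identifier, so it cannot be
        # written as a plain keyword argument; unpack a dict instead.
        challenge = 'Basic realm="%s"' % realm
        raise HTTP(401, "Unauthorized", **{"WWW-Authenticate": challenge})
    return creds[0]


# Constructed sample user store; a real application would check a password hash.
USERS = {"alice": "s3cret:with:colons"}


def check_user(username, password):
    expected = USERS.get(username, "")
    ok = hmac.compare_digest(password.encode(), expected.encode())
    return ok and username in USERS
```
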