Michele, I have gone through the X509_Auth class and its methods:
login_form, login_url, get_user. But I am not able to visualize how to use this class in my model/controller. I just write below what I understood; please confirm whether I understood correctly or not.

My requirement is: I have one web service method add() in controller default.py. I just want to enable x509 authentication, so for that purpose I will use simpatica to generate keys and certificates, then in the model file db.py I will use the code below:

    """
    Login using x509 cert from client.

    from gluon.contrib.login_methods.x509_auth import X509Account
    auth.settings.actions_disabled=['register','change_password',
                                    'request_reset_password','profile']
    auth.settings.login_form = X509Account()
    """

and then in the add method I will put the @auth.requires_login() annotation.

My doubts:
1. How to configure the certificate with Rocket and the Apache server?
2. How to make the call to the web service method with private keys from the client?
3. I didn't find an X509Account class; instead I found the X509Auth class. Is it the same? If yes, then do I need to create an auth.settings.login_form = X509Auth() instance?

Thanks,
Amit

On Wed, Jul 25, 2012 at 2:28 PM, Michele Comitini <michele.comit...@gmail.com> wrote:
> ----
> simpatica
>
> - generate ca priv key + self signed certificate
> - generate server priv keys + certificates signed by the above ca certificate
> - generate client priv keys + certificates signed by the above ca certificate
>
> The client and server certificate are generated after compilation of a
> form that requires the user to assign a password to protect the
> private key.
> The certificate + private keys are encoded in pkcs12 format,
> downloadable to a browser or to be unpacked with openssl or similar
> tools after providing the above password. Remember that if you lose
> the password you cannot open the pkcs12. There is a recovery
> mechanism in simpatica since the private keys are also encoded with a
> randomly generated secret that is encrypted with the ca private key.
> It also sends emails to the email address associated with the client informing that
> a certificate is ready to download.
>
> -----
> Sample code
>
> Just look at gluon/contrib/login_methods/x509_auth.py. Look at the
> docstring in the X509_Auth class and put that code in your model to
> configure authentication with x509.
>
> Use the @auth.requires_login() annotation as you would with any action
> requiring authentication. It is explained in:
>
> http://web2py.com/books/default/chapter/29/10?search=rest#Access-Control
>
> mic
>
> 2012/7/25 Amit <amit.khaw...@gmail.com>:
> > Sure Michele, let me go through the code. If I am not wrong, simpatica is to
> > generate the certificate file for the client, and if you are having any
> > sample code to use x509 in case of a web service then please do share with me.
> >
> > Thanks,
> > Amit
> >
> > On Wed, Jul 25, 2012 at 12:34 PM, Michele Comitini <michele.comit...@gmail.com> wrote:
> >>
> >> Amit
> >> If you need advice with simpatica don't worry to ask. I never had time to
> >> write some documentation so you have to look at the code and/or ask...
> >>
> >> mic
> >>
> >> On Wednesday, 25 July 2012 05:14:52 UTC+2, Amit wrote:
> >>>
> >>> Thanks Michele and Derek, nice post, I am looking for exactly the same :)
> >>>
> >>> On Wed, Jul 25, 2012 at 4:09 AM, Michele Comitini <michele.comit...@gmail.com> wrote:
> >>>>
> >>>> This is very similar to what TLS accomplishes with x509 certificates.
> >>>> There is a slight difference: the server does not own a public key for each
> >>>> client; it verifies that the client owns an x509 certificate signed by the
> >>>> correct certification authority. So no need to store public keys. In any
> >>>> case AFAIK in public/private key algorithms the private key always allows
> >>>> generation of the corresponding public key, not the contrary of course.
> >>>>
> >>>> To accomplish what you need in the simplest way you have to:
> >>>>
> >>>> - create a certification authority with self signed certificate
> >>>> - create a certificate for your webserver signed with the private key of
> >>>>   the certification authority above.
> >>>> - configure your webserver to require a client certificate (with rocket
> >>>>   look at the --ca-cert option)
> >>>> - In case you need to know some info about the connecting client as
> >>>>   reported in its certificate you can use x509_auth.py to use x509
> >>>>   authentication and configure your REST action with @auth.requires_login().
> >>>>   This will give you access to information contained in the certificate such
> >>>>   as common name or serial id. To customize you can extend the X509_Auth class.
> >>>>
> >>>> To generate test certificates fast you can use simpatica as Derek
> >>>> correctly suggests.
> >>>>
> >>>> mic
> >>>>
> >>>> On Tuesday, 24 July 2012 10:33:48 UTC+2, Amit wrote:
> >>>>>
> >>>>> Hi,
> >>>>> I have to provide public/private key authentication for accessing a web
> >>>>> service (REST) from a client in my web2py application. How to achieve it?
> >>>>>
> >>>>> Scenario:
> >>>>> 1. Each client will have a unique private key which will be sent to the
> >>>>>    server along with the request.
> >>>>> 2. Server has to authenticate the private key using the public key (unique for
> >>>>>    each client) and then allow access to the web service method. For e.g.
> >>>>>    suppose one client say X has requested the web service "add()", so the server has
> >>>>>    to first validate the public key with the client's private key and if validation
> >>>>>    is successful then allow access to the web service "add()".
> >>>>>
> >>>>> Challenges:
> >>>>> Where to store the public key of each client? We can't store it in the db
> >>>>> because the server can't access the db before validation of the web service method. So
> >>>>> will it be stored somewhere on the PC (where the server is running)? If yes, then how
> >>>>> and in which format?
> >>>>>
> >>>>> NOTE: Here the server will be completely written in web2py and the client is a
> >>>>> separate application running on the hardware device.
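The certificate setup mic describes (a self-signed CA, a server certificate and client certificates signed by it, and a server that trusts only certificates chaining to that CA) as an added example that is not part of this thread, of simpatica or of web2py. It is a POSIX shell script driving openssl; all file names, subjects (an "Example Test CA", a client called device-001) and the temporary directory are constructed for the example. Besides building the PKI it checks the two properties that answer Amit's "where do I store the public keys" question: the server needs only ca.crt, because a client certificate issued by an unrelated CA is rejected, and so is the server's own certificate if a client presents it, since it lacks the clientAuth extended key usage.

```shell
#!/bin/sh
# Constructed example: build a CA, a server cert and a client cert with openssl,
# then check what a TLS server that requires client certificates actually relies on.
# Names, subjects and paths are made up for this example.

build_pki() {
    dir="$1"
    # Minimal req config so the example does not depend on the system openssl.cnf
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Extensions the CA stamps on the certificates it issues: client certs may only
    # be used for clientAuth, server certs only for serverAuth
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:localhost\n' > "$dir/server.ext"

    make_ca "$dir" ca "Example Test CA"                        # 1. CA key + self-signed cert
    issue "$dir" ca server "localhost" "$dir/server.ext"       # 2. server key + cert signed by the CA
    issue "$dir" ca client "device-001" "$dir/client.ext"      # 3. client key + cert signed by the CA
    # 4. An unrelated CA and a client cert it issued, with the same CN: must be rejected
    make_ca "$dir" other-ca "Unrelated CA"
    issue "$dir" other-ca other-client "device-001" "$dir/client.ext"
}

make_ca() {
    dir="$1"; name="$2"; cn="$3"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/req.cnf" -subj "/CN=$cn" \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
}

issue() {
    dir="$1"; ca="$2"; name="$3"; cn="$4"; ext="$5"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/req.cnf" -subj "/CN=$cn" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$dir/$name.csr" \
        -CA "$dir/$ca.crt" -CAkey "$dir/$ca.key" -CAcreateserial \
        -extfile "$ext" -out "$dir/$name.crt" 2>/dev/null
}

# The check a server configured with our CA (web2py's --ca-cert, Apache's
# SSLCACertificateFile) performs on a presented certificate: does it chain to
# that CA and is it usable for client authentication? Prints OK or REJECTED.
verify_as_client() {
    if openssl verify -CAfile "$1/ca.crt" -purpose sslclient "$2" 2>/dev/null | grep -q ': OK$'; then
        echo OK
    else
        echo REJECTED
    fi
}

# The identity the application sees after the handshake (the common name mic
# mentions); Apache mod_ssl hands it to the application as SSL_CLIENT_S_DN.
client_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

PKI_DIR=$(mktemp -d)
build_pki "$PKI_DIR"
echo "client cert issued by our CA:      $(verify_as_client "$PKI_DIR" "$PKI_DIR/client.crt")"
echo "client cert from an unrelated CA:  $(verify_as_client "$PKI_DIR" "$PKI_DIR/other-client.crt")"
echo "server cert presented as a client: $(verify_as_client "$PKI_DIR" "$PKI_DIR/server.crt")"
echo "subject seen by the application:   $(client_subject "$PKI_DIR/client.crt")"
```

The mapping to the deployment in the thread (my reading, not something the thread spells out beyond the --ca-cert remark): ca.crt is what the --ca-cert option of web2py's Rocket server, or Apache's SSLCACertificateFile together with SSLVerifyClient require, points at; server.crt and server.key go to the server; the hardware device holds only client.key and client.crt, which openssl pkcs12 -export can bundle into the password-protected pkcs12 format simpatica hands out. Note that the unrelated CA issued a certificate with the identical CN device-001 and is still rejected, so the CN the application reads is only trustworthy because the chain check ran first.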