2012/7/25 Amit <amit.khaw...@gmail.com>:
> Michele,
>
> I have gone through the X509_Auth class and its methods:
>
> login_form
> login_url
> get_user
>
> But not able to visualize how to use this class in my model/controller. I
> just write below what I understood, please confirm whether I understood
> correctly or not.
>
> My requirement is: I have one web service method add() in controller
> default.py. I just want to enable x509 authentication, so for that purpose
> I will use simpatica to generate keys and certificates, then in model
> class db.py I will use below code:
>
> """
> Login using x509 cert from client.
>
> from gluon.contrib.login_methods.x509_auth import X509Account
> auth.settings.actions_disabled=['register','change_password',
>                                 'request_reset_password','profile']
> auth.settings.login_form = X509Account()
> """
>
> and then in add method I will put @auth.requires_login() annotation.
>
> My doubt:
> 1. how to configure certificate with Rocket and apache server?
> 2. how to make call of web service method with private keys from the client?
> 3. I didn't find X509Account class, instead of that I found X509Auth class, so
> is it the same? If yes then I need to create
> auth.settings.login_form = X509Auth() instance?

1 rocket:

python web2py.py --ssl_certificate=<server pem encoded cert file> --ssl_private_key=<server pem encoded key file> --ca-cert=<CA certificate pem encoded file>

apache: see mod_ssl config: http://httpd.apache.org/docs/2.2/mod/mod_ssl.html

You can use a single pem encoded file containing: server cert, server key, CA cert. Pass it to all the options.

2 What is the client?

With curl: curl --cert <client pem encoded cert + key file> ...

With python: you can use pycurl or httplib (http://docs.python.org/library/httplib.html), see their docs.

3 You did the right thing using X509_Auth. The error in the comment is corrected in trunk. The interesting part that you may want to override in a child class is the get_user() method. Look how certificate properties are mapped to the auth.user record (the profile variable that). You may override those to fit your needs.

mic

>
> Thanks,
> Amit
>
> On Wed, Jul 25, 2012 at 2:28 PM, Michele Comitini
> <michele.comit...@gmail.com> wrote:
>>
>> ----
>> simpatica
>>
>> - generate ca priv key + self signed certificate
>> - generate server priv keys + certificates signed by the above ca
>> certificate
>> - generate client priv keys + certificates signed by the above ca
>> certificate
>>
>> The client and server certificate are generated after compilation of a
>> form that requires the user to assign a password to protect the
>> private key.
>> The certificate + private keys are encoded in pkcs12 format,
>> downloadable to a browser or to be unpacked with openssl or similar
>> tools after providing the above password. Remember that if you lose
>> the password you cannot open the pkcs12. There is a recovery
>> mechanism in simpatica since the private keys are also encoded with a
>> randomly generated secret that is crypted with the ca private key.
>> It also sends emails to the email associated with the client informing that
>> a certificate is ready to download.
>>
>> -----
>> Sample code
>>
>> Just look at gluon/contrib/login_methods/x509_auth.py. Look at the
>> docstring in the X509_Auth class and put that code in your model to
>> configure authentication with x509.
>>
>> Use the @auth.requires_login() annotation as you would with any action
>> requiring authentication. It is explained in:
>>
>> http://web2py.com/books/default/chapter/29/10?search=rest#Access-Control
>>
>> mic
>>
>> 2012/7/25 Amit <amit.khaw...@gmail.com>:
>> > Sure Michele, let me go through the code. If I am not wrong, simpatica is
>> > to generate the certificate file for the client, and if you are having any
>> > sample code to use x509 in case of web service then please do share with
>> > me.
>> >
>> > Thanks,
>> > Amit
>> >
>> > On Wed, Jul 25, 2012 at 12:34 PM, Michele Comitini
>> > <michele.comit...@gmail.com> wrote:
>> >>
>> >> Amit
>> >> If you need advice with simpatica don't worry to ask. I never had time
>> >> to write some documentation so you have to look at the code and/or ask...
>> >>
>> >> mic
>> >>
>> >> On Wednesday, July 25, 2012 05:14:52 UTC+2, Amit wrote:
>> >>>
>> >>> Thanks Michele and Derek, nice post, I am looking for exactly the same :)
>> >>>
>> >>> On Wed, Jul 25, 2012 at 4:09 AM, Michele Comitini
>> >>> <michele.comit...@gmail.com> wrote:
>> >>>>
>> >>>> This is very similar to what TLS accomplishes with x509 certificates.
>> >>>> There is a slight difference: the server does not own a public key
>> >>>> for each client; it verifies that the client owns an x509 certificate
>> >>>> signed by the correct certification authority. So no need to store
>> >>>> public keys. In any case AFAIK in public/private key algorithms the
>> >>>> private key always allows generation of the corresponding public key,
>> >>>> not the contrary of course.
>> >>>>
>> >>>> To accomplish what you need in the simplest way you have to:
>> >>>>
>> >>>> - create a certification authority with self signed certificate
>> >>>> - create certificate for your webserver signed with the private key of
>> >>>> the certification authority above.
>> >>>> - configure your webserver to require a client certificate (with
>> >>>> rocket look at --ca-cert option)
>> >>>> - In case you need to know some info about the connecting client as
>> >>>> reported in its certificate you can use x509_auth.py to use x509
>> >>>> authentication and configure your REST action with
>> >>>> @auth.requires_login().
>> >>>> This will give you access to information contained in the
>> >>>> certificate such as common name or serial id. To customize you can
>> >>>> extend the X509_Auth class.
>> >>>>
>> >>>> To generate test certificates fast you can use simpatica as Derek
>> >>>> correctly suggests.
>> >>>>
>> >>>> mic
>> >>>>
>> >>>> On Tuesday, July 24, 2012 10:33:48 UTC+2, Amit wrote:
>> >>>>>
>> >>>>> Hi,
>> >>>>> I have to provide public/private key authentication for accessing a
>> >>>>> web service (REST) from a client in my web2py application. How to
>> >>>>> achieve it?
>> >>>>>
>> >>>>> Scenario:
>> >>>>> 1. Each client will have a unique private key which will be sent to the
>> >>>>> server along with the request.
>> >>>>> 2. Server has to authenticate the private key using a public key (unique
>> >>>>> for each client) and then allow access to the web service method. For
>> >>>>> e.g. suppose one client, say X, has requested web service "add()", so
>> >>>>> the server has to first validate the public key with the client's
>> >>>>> private key and if validation is successful then allow access to the
>> >>>>> web service "add()".
>> >>>>>
>> >>>>> Challenges:
>> >>>>> Where to store the public key of each client? We can't store it in the
>> >>>>> db because the server can't access the db before validation of the web
>> >>>>> service method. So will it be stored somewhere in the PC (where the
>> >>>>> server is running)? If yes then how and in which format?
>> >>>>>
>> >>>>> NOTE: Here the server will be completely written in web2py and the
>> >>>>> client is a separate application running on the hardware device.
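The two halves of what mic describes above, in stand-alone Python: the server refusing any client that does not present a certificate signed by the configured CA (what --ca-cert does for rocket), and a get_user()-style mapping of certificate properties to an auth.user-like record. This is an added illustration using only the standard ssl module; it is not code from web2py's x509_auth.py or from simpatica, and the peer-certificate dict, the CA name and the field-to-column mapping are constructed assumptions.

```python
import ssl
import time

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns for
# a client certificate the TLS layer has already verified (not a real cert).
SAMPLE_PEER_CERT = {
    "subject": ((("countryName", "IT"),), (("organizationName", "Example Org"),),
                (("commonName", "amit"),), (("emailAddress", "amit@example.org"),)),
    "issuer": ((("countryName", "IT"),), (("commonName", "Example Test CA"),)),
    "serialNumber": "1A2B3C",
    "notBefore": "Jul 25 00:00:00 2012 GMT",
    "notAfter": "Jul 25 00:00:00 2013 GMT",
}

def make_mutual_tls_context(cafile):
    """Server-side context: the handshake fails for any client that does not
    present a certificate chaining to the CA in `cafile` (rocket's --ca-cert)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=cafile)
    return ctx

def _rdn(name_tuples, key):
    # Walk the nested RDN tuples getpeercert() produces and return one attribute.
    for rdn in name_tuples:
        for attr, value in rdn:
            if attr == key:
                return value
    return None

def cert_to_user(peer_cert, expected_issuer_cn, now=None):
    """Map certificate fields to an auth.user-like record, as a get_user()
    override would. Returns None when the certificate must not be trusted:
    wrong issuer, outside its validity window, or no common name."""
    now = time.time() if now is None else now
    if _rdn(peer_cert.get("issuer", ()), "commonName") != expected_issuer_cn:
        return None
    if not (ssl.cert_time_to_seconds(peer_cert["notBefore"]) <= now
            <= ssl.cert_time_to_seconds(peer_cert["notAfter"])):
        return None
    cn = _rdn(peer_cert["subject"], "commonName")
    if not cn:
        return None
    return {"username": cn,                                      # assumed column
            "email": _rdn(peer_cert["subject"], "emailAddress") or "",
            "registration_id": peer_cert.get("serialNumber", "")}  # cert serial
```

The issuer check is defence in depth: the TLS layer already rejects certificates not signed by the CA, but checking again in get_user() protects you if the CA file is later widened to several issuers.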