Thanks Michele, I am going to generate keys using simpatica, I will let you know if I face any problem.

Thanks,
Amit

On Wed, Jul 25, 2012 at 7:01 PM, Michele Comitini <michele.comit...@gmail.com> wrote:
> 2012/7/25 Amit <amit.khaw...@gmail.com>:
> > Michele,
> >
> > I have gone through the X509_Auth class and its methods:
> >
> > login_form
> > login_url
> > get_user
> >
> > But not able to visualize how to use this class in my model/controller, I
> > just write below what I understood, please confirm whether I understood
> > correctly or not.
> >
> > My requirement is: I have one web service method add() in controller
> > default.py, I just want to enable x509 authentication so for that purpose
> > I will use simpatica to generate keys and certificates then in model class
> > db.py I will use below code:
> >
> > """
> > Login using x509 cert from client.
> >
> > from gluon.contrib.login_methods.x509_auth import X509Account
> > auth.settings.actions_disabled=['register','change_password',
> >                                 'request_reset_password','profile']
> > auth.settings.login_form = X509Account()
> > """
> >
> > and then in add method I will put @auth.requires_login() annotation.
> >
> > My doubt:
> > 1. how to configure certificate with Rocket and apache server?
> > 2. how to make call of web service method with private keys from the client?
> > 3. I didn't find X509Account class instead of that I found X509Auth class, so
> > is it the same, if yes then I need to create
>
> 1 rocket:
> python web2py.py --ssl_certificate=<server pem encoded cert file> --ssl_private_key=<server pem encoded key file> --ca-cert=<CA certificate pem encoded file>
> apache see mod_ssl config: http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
>
> You can use a single file pem encoded containing: server cert, server key, CA cert. Pass it to all the options.
>
> 2 What is the client? With curl:
> curl --cert <client pem encoded cert + key file> ...
>
> With python:
> you can use pycurl or httplib (http://docs.python.org/library/httplib.html) see their docs.
>
> 3 You did the right thing using X509_Auth. The error in the comment is corrected in trunk.
> The interesting part that you may want to override in a child class is the get_user() method. Look how certificate properties are mapped to the auth.user record (the profile variable that). You may override those to fit your needs.
>
> mic
>
> > auth.settings.login_form = X509Auth() instance ?
> >
> > Thanks,
> > Amit
> >
> > On Wed, Jul 25, 2012 at 2:28 PM, Michele Comitini <michele.comit...@gmail.com> wrote:
> >> ----
> >> simpatica
> >>
> >> - generate ca priv key + self signed certificate
> >> - generate server priv keys + certificates signed by the above ca certificate
> >> - generate client priv keys + certificates signed by the above ca certificate
> >>
> >> The client and server certificate are generated after compilation of a
> >> form that requires the user to assign a password to protect the private key.
> >> The certificate + private keys are encoded in pkcs12 format downloadable
> >> to a browser or to be unpacked with openssl or similar tools after providing
> >> the above password. Remember that if you lose the password you cannot open
> >> the pkcs12. There is a recovery mechanism in simpatica since the private
> >> keys are also encoded with a randomly generated secret that is encrypted
> >> with the ca private key.
> >> It also sends emails to the email associated with the client informing that
> >> a certificate is ready to download.
> >>
> >> -----
> >> Sample code
> >>
> >> Just look at gluon/contrib/login_methods/x509_auth.py. Look at the docstring
> >> in the X509_Auth class and put that code in your model to configure
> >> authentication with x509.
> >>
> >> Use the @auth.requires_login() annotation as you would with any action
> >> requiring authentication. It is explained in:
> >> http://web2py.com/books/default/chapter/29/10?search=rest#Access-Control
> >>
> >> mic
> >>
> >> 2012/7/25 Amit <amit.khaw...@gmail.com>:
> >> > sure Michele, let me go through the code. If I am not wrong simpatica is
> >> > to generate the certificate file for the client and if you have any
> >> > sample code to use x509 in case of web service then please do share with me.
> >> >
> >> > Thanks,
> >> > Amit
> >> >
> >> > On Wed, Jul 25, 2012 at 12:34 PM, Michele Comitini <michele.comit...@gmail.com> wrote:
> >> >> Amit
> >> >> If you need advice with simpatica don't hesitate to ask. I never had time
> >> >> to write some documentation so you have to look at the code and/or ask...
> >> >>
> >> >> mic
> >> >>
> >> >> On Wednesday, 25 July 2012 05:14:52 UTC+2, Amit wrote:
> >> >>> Thanks Michele and Derek.. nice post, I am looking exactly the same :)
> >> >>>
> >> >>> On Wed, Jul 25, 2012 at 4:09 AM, Michele Comitini <michele.comit...@gmail.com> wrote:
> >> >>>> This is very similar to what TLS accomplishes with x509 certificates.
> >> >>>> There is a slight difference, the server does not own a public key for
> >> >>>> each client: it verifies that the client owns an x509 certificate signed
> >> >>>> by the correct certification authority. So no need to store public keys.
> >> >>>> In any case AFAIK in public/private key algorithms the private key always
> >> >>>> allows generation of the corresponding public key, not the contrary of
> >> >>>> course.
> >> >>>>
> >> >>>> To accomplish what you need in the simplest way you have to:
> >> >>>>
> >> >>>> - create a certification authority with self signed certificate
> >> >>>> - create certificate for your webserver signed with the private key of
> >> >>>>   the certification authority above.
> >> >>>> - configure your webserver to require a client certificate (with rocket
> >> >>>>   look at --ca-cert option)
> >> >>>> - In case you need to know some info about the connecting client as
> >> >>>>   reported in its certificate you can use x509_auth.py to use x509
> >> >>>>   authentication and configure your REST action with @auth.requires_login().
> >> >>>>   This will give you access to information contained in the certificate
> >> >>>>   such as common name or serial id. To customize you can extend the
> >> >>>>   X509_Auth class.
> >> >>>>
> >> >>>> To generate test certificates fast you can use simpatica as Derek
> >> >>>> correctly suggests.
> >> >>>>
> >> >>>> mic
> >> >>>>
> >> >>>> On Tuesday, 24 July 2012 10:33:48 UTC+2, Amit wrote:
> >> >>>>> Hi,
> >> >>>>> I have to provide public/private key authentication for accessing web
> >> >>>>> service (REST) from client in my web2py application. How to achieve it?
> >> >>>>>
> >> >>>>> Scenario:
> >> >>>>> 1. Each client will have unique private key which will be sent to the
> >> >>>>> server along with request.
> >> >>>>> 2. Server has to authenticate private key using public key (unique for
> >> >>>>> each client) and then allow to access the web service method. For e.g.
> >> >>>>> suppose one client say X has requested for web service "add()" so server
> >> >>>>> has to first validate the public key with client's private key and if
> >> >>>>> validation is successful then allow to access the web service "add()".
> >> >>>>>
> >> >>>>> Challenges:
> >> >>>>> where to store public key of each client? we can't store it in the db
> >> >>>>> because server can't access db before validation of web service method.
> >> >>>>> So will it be store somewhere in PC (where server is running)? if yes
> >> >>>>> then how and which format?
> >> >>>>>
> >> >>>>> NOTE: Here Server will be completely written in web2py and client is
> >> >>>>> separate application running on the hardware device.
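The PKI that simpatica automates, as an added example built with the openssl CLI (not simpatica's or web2py's own code): it produces the single PEM bundle Michele mentions for Rocket, the cert+key file that curl --cert expects and a password-protected PKCS#12 for a browser, then runs the CA chain check the server performs and reads the subject fields that X509Auth.get_user() maps onto auth.user. The names test-ca, web2py.example, amit@example.com and the password changeit are constructed.

```shell
# Added example, not code from the thread, simpatica or web2py: the CA, server
# and client credentials the thread describes, built with the openssl CLI.
# test-ca, web2py.example, amit@example.com and "changeit" are constructed.
set -eu

# make_pki DIR: writes ca.pem, server.pem (cert+key+CA in one file),
# client.pem (cert+key, for curl --cert) and client.p12 (for a browser)
make_pki() {
    d="$1"; mkdir -p "$d"
    # 1. CA private key + self-signed CA certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$d/ca.key" -out "$d/ca.pem" -subj "/CN=test-ca" 2>/dev/null
    # 2. server key + CSR, certificate signed with the CA private key
    openssl req -newkey rsa:2048 -nodes -keyout "$d/server.key" \
        -out "$d/server.csr" -subj "/CN=web2py.example" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -out "$d/server.crt" 2>/dev/null
    # one PEM bundle usable for --ssl_certificate, --ssl_private_key and --ca-cert alike
    cat "$d/server.crt" "$d/server.key" "$d/ca.pem" > "$d/server.pem"
    # 3. client key + certificate signed by the same CA; the subject carries the
    # CN and emailAddress that X509Auth reads from the presented certificate
    openssl req -newkey rsa:2048 -nodes -keyout "$d/client.key" -out "$d/client.csr" \
        -subj "/CN=amit/emailAddress=amit@example.com" 2>/dev/null
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -out "$d/client.crt" 2>/dev/null
    cat "$d/client.crt" "$d/client.key" > "$d/client.pem"
    # password-protected PKCS#12, the form simpatica hands to the browser
    openssl pkcs12 -export -in "$d/client.crt" -inkey "$d/client.key" \
        -certfile "$d/ca.pem" -out "$d/client.p12" -passout pass:changeit
}

# verify_client DIR: the chain check the server performs on the presented cert;
# only a certificate signed by this CA passes, so no per-client public key store
verify_client() {
    openssl verify -CAfile "$1/ca.pem" "$1/client.crt" >/dev/null 2>&1
}

# client_cn / client_serial DIR: the subject CN and serial number that
# X509Auth.get_user() maps onto the auth.user record
client_cn() {
    openssl x509 -in "$1/client.crt" -noout -subject -nameopt sep_multiline |
        sed -n 's/^ *CN=//p'
}
client_serial() {
    openssl x509 -in "$1/client.crt" -noout -serial | sed 's/^serial=//'
}

# Usage: make_pki ./pki && verify_client ./pki && client_cn ./pki
```

With the files in place, `python web2py.py --ssl_certificate=pki/server.pem --ssl_private_key=pki/server.pem --ca-cert=pki/server.pem` and `curl --cert pki/client.pem https://...` reproduce the two command lines from the thread.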