
Mixing Authentication Policies in Pyramid

I am writing an application that will have some HTML content (display tables etc.) and also have a JSON API.

For normal HTML I use AuthTktAuthenticationPolicy for authentication and ACLAuthorizationPolicy for authorization. So the user is presented with a login form and on successful login an auth_tkt cookie is set. The system works fine.

Now I want to replicate a similar system for the JSON API. The problem is that for API requests the user will not necessarily be logged in, so each request requires an api_key parameter. Based on the key, if I find a valid user, I send back the JSON. Otherwise I display a 403 page.

One way is to do this in each view:

from pyramid.httpexceptions import HTTPForbidden

def api_view(request):
    api_key = request.GET.get('api_key', None)
    user = FrontEndUsers.User_by_api_key(api_key)
    if user:
        # Process view
        ...
    else:
        # HTTPForbidden must be instantiated to be returned as a response
        return HTTPForbidden()

However, it seems too much of a boiler-plate to use for each view to do exactly what an authentication policy would do. Can I specify a separate authentication policy for JSON routes? Or is there any other way of doing this?

EDIT

On second thoughts it seems that even with AuthTktAuthenticationPolicy, I have to do security.authenticated_userid() in every view (if I need authentication info). This I have already factored into a separate function:

from pyramid import security

def get_auth_info(request):
    # authenticated_userid needs the request; it returns None when nobody is logged in
    user_id = security.authenticated_userid(request)
    login_info = {}
    if user_id is not None:
        login_info['login'] = True
        login_info['logged_in_user'] = FrontendUsers.get_user_by_id(user_id).name
    else:
        login_info['login'] = False
    return login_info

I can include the API key check function call in this function so that none of my views change (I still only call get_auth_info()) and yet I can check if the correct API key has been presented.

I'd still like to see if there are any other ways to do this or if there's a problem with my current scheme.

You didn't mention anywhere in here how you're using permissions. Proper usage of permissions and ACLs on your views should prevent you from needing to run that boilerplate at the start of your function. For the simple paste you showed, you simply need a permission='logged_in' and an ACE mapping (Allow, Authenticated, 'logged_in'), but of course you can get more complex if necessary.

It is not possible to specify different authentication policies for different views in a simple way because authentication policies in Pyramid are intended to be global. You can do it globally via pyramid_multiauth. Or you may write your own policy that wraps multiple policies and dispatches to one or another depending on request properties.
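An added example of that last approach (not code from the question or the answer): one wrapper policy that exposes Pyramid's authentication-policy interface and dispatches to an API-key policy for requests under /api/ and to the site-wide policy otherwise. All class and function names are hypothetical; StubTktPolicy and the SimpleNamespace request stand in for AuthTktAuthenticationPolicy and pyramid.request.Request so the file runs without Pyramid installed, and the key table is constructed in place of the FrontEndUsers lookup.

```python
from types import SimpleNamespace  # builds a minimal stand-in for pyramid.request.Request

EVERYONE, AUTHENTICATED = 'system.Everyone', 'system.Authenticated'  # pyramid.security values

class _PolicyBase:  # the IAuthenticationPolicy methods both policies share
    def unauthenticated_userid(self, request):
        return self.authenticated_userid(request)
    def effective_principals(self, request):
        userid = self.authenticated_userid(request)
        return [EVERYONE] if userid is None else [EVERYONE, AUTHENTICATED, userid]
    def remember(self, request, userid, **kw):
        return []  # no headers to set: API clients resend the key on every request
    def forget(self, request):
        return []

class ApiKeyAuthenticationPolicy(_PolicyBase):  # authenticates by the api_key parameter
    def __init__(self, key_to_userid):
        self._keys = key_to_userid  # constructed lookup in place of FrontEndUsers.User_by_api_key
    def authenticated_userid(self, request):
        key = request.params.get('api_key')
        return self._keys.get(key) if key else None

class StubTktPolicy(_PolicyBase):  # stand-in for AuthTktAuthenticationPolicy; trusts a cookie
    def authenticated_userid(self, request):
        return request.cookies.get('userid')

class DispatchingAuthenticationPolicy:
    """The single policy Pyramid sees; routes every call by URL prefix."""
    def __init__(self, api_policy, web_policy, api_prefix='/api/'):
        self._api, self._web, self._prefix = api_policy, web_policy, api_prefix
    def _call(self, name, request, *args, **kw):
        policy = self._api if request.path.startswith(self._prefix) else self._web
        return getattr(policy, name)(request, *args, **kw)
    def authenticated_userid(self, request):
        return self._call('authenticated_userid', request)
    def unauthenticated_userid(self, request):
        return self._call('unauthenticated_userid', request)
    def effective_principals(self, request):
        return self._call('effective_principals', request)
    def remember(self, request, userid, **kw):
        return self._call('remember', request, userid, **kw)
    def forget(self, request):
        return self._call('forget', request)

# In a real app: config.set_authentication_policy(POLICY)
POLICY = DispatchingAuthenticationPolicy(
    ApiKeyAuthenticationPolicy({'k-demo-1': 'alice'}), StubTktPolicy())

def check(path, params=None, cookies=None):
    """Return (userid, principals) the composite policy yields for one request."""
    request = SimpleNamespace(path=path, params=params or {}, cookies=cookies or {})
    return POLICY.authenticated_userid(request), POLICY.effective_principals(request)
```

Because the wrapper picks the policy by URL space, a session cookie is ignored on /api/ and an api_key parameter is ignored on the HTML pages, so each surface only accepts the credential it was designed for.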
