我向我的 CherryPy 服务器添加了摘要式身份验证,我想知道用户的身份验证被撤销并提示他们再次输入凭据的条件。删除 Cookie 不会强制提示,但使用隐身或其他浏览器会强制提示。
我的配置:
{ 'tools.auth_digest.on': True,
'tools.auth_digest.realm': 'localhost',
'tools.auth_digest.get_ha1': auth_digest.get_ha1_dict_plain(USERS),
'tools.auth_digest.key': key,
'tools.auth_digest.accept_charset': 'UTF-8' }
谢谢
您需要具有正确的HTTP响应,以便浏览器清除用户凭据,基本上是使用401 Unauthorized响应以及如何使用WWW-Authenticate标头进行身份验证的挑战。
这是一个使用自定义 CherryPy 工具和一个用于向浏览器和后端传达意图的Cookie实现(HTTP 身份验证是无状态的,我们必须来回进行 deauth 和重定向(。
import cherrypy
from cherrypy.lib import auth_digest
REALM = 'localhost'
KEY = '24684651368351320asd1wdasd'
CHARSET = 'UTF-8'
@cherrypy.tools.register('before_handler')
def with_logout_handler():
if cherrypy.request.cookie.get('Unauthorize') is not None:
response = cherrypy.response
response.headers['WWW-Authenticate'] = auth_digest.www_authenticate(
realm=REALM,
key=KEY,
accept_charset=CHARSET
)
# delete the cookie that was used to mark the intention to logout
response.cookie['Unauthorize'] = 1
response.cookie['Unauthorize']['expires'] = 0
raise cherrypy.HTTPError(
401, 'You are not authorized to access that resource')
class App:
@cherrypy.expose
@cherrypy.tools.with_logout_handler()
def index(self):
return ('Welcome {}! Do you want to <a href="/logout">logout</a>?'
.format(cherrypy.request.login))
@cherrypy.expose
def logout(self):
"""
Set a cookie to give it a clue to the index method to
remove the user credentials from the following requests.
This will be handled by the tool `with_logout_handler`.
"""
cherrypy.response.cookie['Unauthorize'] = 1
raise cherrypy.HTTPRedirect("/")
def main():
users = {
'foo': 'bar'
}
cherrypy.quickstart(App(), config={
'/': {
'tools.auth_digest.on': True,
'tools.auth_digest.realm': REALM,
'tools.auth_digest.get_ha1': auth_digest.get_ha1_dict_plain(users),
'tools.auth_digest.key': KEY,
'tools.auth_digest.accept_charset': CHARSET
},
})
if __name__ == '__main__':
main()