我向 CherryPy 服务器添加了摘要身份验证,我想知道撤销用户身份验证的标准是什么,并提示他们再次输入凭据。删除 cookie 不会强制出现提示,但使用隐身或其他浏览器会强制出现提示。
我的配置:
{ 'tools.auth_digest.on': True,
'tools.auth_digest.realm': 'localhost',
'tools.auth_digest.get_ha1': auth_digest.get_ha1_dict_plain(USERS),
'tools.auth_digest.key': key,
'tools.auth_digest.accept_charset': 'UTF-8' }
谢谢
最佳答案
您需要有正确的 HTTP 响应,以便浏览器清除用户凭据,基本上以 401 Unauthorized 进行响应以及如何使用 WWW-Authenticate 进行身份验证的挑战 header 。
这是使用自定义 CherryPy 工具和 Cookie 的实现它被用作向浏览器和后端传达意图的方式(HTTP 身份验证是无状态的,我们必须来回解除身份验证和重定向)。
import cherrypy
from cherrypy.lib import auth_digest
REALM = 'localhost'
KEY = '24684651368351320asd1wdasd'
CHARSET = 'UTF-8'
@cherrypy.tools.register('before_handler')
def with_logout_handler():
if cherrypy.request.cookie.get('Unauthorize') is not None:
response = cherrypy.response
response.headers['WWW-Authenticate'] = auth_digest.www_authenticate(
realm=REALM,
key=KEY,
accept_charset=CHARSET
)
# delete the cookie that was used to mark the intention to logout
response.cookie['Unauthorize'] = 1
response.cookie['Unauthorize']['expires'] = 0
raise cherrypy.HTTPError(
401, 'You are not authorized to access that resource')
class App:
@cherrypy.expose
@cherrypy.tools.with_logout_handler()
def index(self):
return ('Welcome {}! Do you want to <a href="/logout">logout</a>?'
.format(cherrypy.request.login))
@cherrypy.expose
def logout(self):
"""
Set a cookie to give it a clue to the index method to
remove the user credentials from the following requests.
This will be handled by the tool `with_logout_handler`.
"""
cherrypy.response.cookie['Unauthorize'] = 1
raise cherrypy.HTTPRedirect("/")
def main():
users = {
'foo': 'bar'
}
cherrypy.quickstart(App(), config={
'/': {
'tools.auth_digest.on': True,
'tools.auth_digest.realm': REALM,
'tools.auth_digest.get_ha1': auth_digest.get_ha1_dict_plain(users),
'tools.auth_digest.key': KEY,
'tools.auth_digest.accept_charset': CHARSET
},
})
if __name__ == '__main__':
main()
关于python - CherryPy 身份验证超时,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/57390780/