我在我的CherryPy服务器中添加了摘要身份验证,我想知道撤销用户身份验证的标准,并提示他们再次输入凭据。删除Cookie不会强制提示,但是使用隐身模式或其他浏览器会强制提示。
我的配置:
{ 'tools.auth_digest.on': True,
'tools.auth_digest.realm': 'localhost',
'tools.auth_digest.get_ha1': auth_digest.get_ha1_dict_plain(USERS),
'tools.auth_digest.key': key,
'tools.auth_digest.accept_charset': 'UTF-8' }
谢谢
答案 0 :(得分:2)
您需要具有适当的HTTP响应,以便浏览器清除用户凭据,基本上以401 Unauthorized进行响应,并且在如何使用WWW-Authenticate标头进行身份验证方面面临挑战。
这是一个使用自定义CherryPy工具和Cookie的实现,该实现用作将意图传达给浏览器和后端的方式(HTTP身份验证是无状态的,我们必须反复来回取消身份验证和重定向)。
import cherrypy
from cherrypy.lib import auth_digest
REALM = 'localhost'
KEY = '24684651368351320asd1wdasd'
CHARSET = 'UTF-8'
@cherrypy.tools.register('before_handler')
def with_logout_handler():
if cherrypy.request.cookie.get('Unauthorize') is not None:
response = cherrypy.response
response.headers['WWW-Authenticate'] = auth_digest.www_authenticate(
realm=REALM,
key=KEY,
accept_charset=CHARSET
)
# delete the cookie that was used to mark the intention to logout
response.cookie['Unauthorize'] = 1
response.cookie['Unauthorize']['expires'] = 0
raise cherrypy.HTTPError(
401, 'You are not authorized to access that resource')
class App:
@cherrypy.expose
@cherrypy.tools.with_logout_handler()
def index(self):
return ('Welcome {}! Do you want to <a href="/logout">logout</a>?'
.format(cherrypy.request.login))
@cherrypy.expose
def logout(self):
"""
Set a cookie to give it a clue to the index method to
remove the user credentials from the following requests.
This will be handled by the tool `with_logout_handler`.
"""
cherrypy.response.cookie['Unauthorize'] = 1
raise cherrypy.HTTPRedirect("/")
def main():
users = {
'foo': 'bar'
}
cherrypy.quickstart(App(), config={
'/': {
'tools.auth_digest.on': True,
'tools.auth_digest.realm': REALM,
'tools.auth_digest.get_ha1': auth_digest.get_ha1_dict_plain(users),
'tools.auth_digest.key': KEY,
'tools.auth_digest.accept_charset': CHARSET
},
})
if __name__ == '__main__':
main()