(Migrated) basic authentication

(This message has been automatically imported from the retired mailing list)

I am wondering whether Zato's HTTP Basic authentication is just that, or
whether it uses HTTP Digest authentication for slightly more secure service
execution. I notice that sec_wall, the library used by Zato and also developed
by Dariusz, has support for digest authentication; otherwise it is more or
less mandatory to use HTTPS to secure the communication between the client
and the server.
Is there any way to convert HTTP Basic authentication to HTTP Digest
authentication right now?

I found this middleware library that can be used for what you describe,
https://bitbucket.org/lcrees/wsgiauth. It has the class DigestAuth, which
can be used in conjunction with a WSGI environment, as you suggest.
It’s simple and does the job.

many thanks,

On Tue, Feb 4, 2014 at 2:54 PM, Dariusz Suchojad <dsuch@zato.io> wrote:

On 01/30/2014 02:47 AM, Axel Mendoza Pupo wrote:

I am wondering whether Zato's HTTP Basic authentication is just that, or
whether it uses HTTP Digest authentication for slightly more secure service
execution. I notice that sec_wall, the library used by Zato and also
developed by Dariusz, has support for digest authentication; otherwise it is
more or less mandatory to use HTTPS to secure the communication between the
client and the server.
Is there any way to convert HTTP Basic authentication to HTTP Digest
authentication right now?

I’d say Basic Auth over TLS is the most convenient and secure mechanism
that one can get right now. That, or TLS alone with client certificates.

Both things are possible with git master.

As for HTTP Digest - this isn’t possible right now. sec_wall’s digest is
for WS-Security only which is a different auth scheme.

If you’d like to use HTTP Digest as of now you’d need to create a plain
HTTP channel and set its security to ‘No security’.

Then in your channel you’d need a method for performing the HTTP Digest
checks yourself, based on what you can find in self.wsgi_environ:

https://zato.io/docs/progguide/service-dev.html#wsgi-environ

This is WSGI data so when you combine it with a Python library for HTTP
Digest I’m sure it can be used to perform that kind of authentication
even though Zato itself cannot do it.

If you follow this way, I’d greatly appreciate it if you could share
your experience in implementing it - this could serve as a basis for
adding it to Zato core.

thanks a lot,


Dariusz Suchojad

https://zato.io
ESB, SOA and cloud integrations in Python
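
The check described in the thread, sketched as an added example that is not part of the original messages and is not Zato or wsgiauth code: a function that validates an HTTP Digest (qop=auth, MD5) Authorization header from a WSGI environ dict such as the one the thread calls self.wsgi_environ. REALM, SERVER_KEY, USERS, NONCE_TTL and all function names are assumptions made for the illustration.

```python
import hashlib, hmac, re, time

REALM = "zato-example"           # assumed realm name
SERVER_KEY = b"constructed-key"  # assumed secret used to sign nonces
USERS = {"axel": "s3cret"}       # constructed credential store
NONCE_TTL = 300                  # seconds a nonce stays valid

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def sign(ts):
    return hmac.new(SERVER_KEY, ts.encode("utf-8"), hashlib.sha256).hexdigest()

def make_nonce(now=None):
    """Issue a timestamped nonce that can be verified without server state."""
    ts = str(int(time.time() if now is None else now))
    return ts + ":" + sign(ts)

def nonce_is_fresh(nonce, now=None):
    ts, _, sig = nonce.partition(":")
    if not (ts.isdigit() and hmac.compare_digest(sig.encode(), sign(ts).encode())):
        return False
    now = time.time() if now is None else now
    return 0 <= now - int(ts) <= NONCE_TTL

def check_digest(environ, now=None):
    """Return the authenticated username, or None if any check fails."""
    header = environ.get("HTTP_AUTHORIZATION", "")
    if not header.lower().startswith("digest "):
        return None
    p = {k: q or u for k, q, u in
         re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header[7:])}
    needed = ("username", "realm", "nonce", "uri", "response", "qop", "nc", "cnonce")
    if any(k not in p for k in needed) or p["qop"] != "auth":
        return None
    password = USERS.get(p["username"])
    if password is None or p["realm"] != REALM or not nonce_is_fresh(p["nonce"], now):
        return None
    # The uri covered by the digest must be the one actually requested.
    requested = environ.get("PATH_INFO", "")
    if environ.get("QUERY_STRING"):
        requested += "?" + environ["QUERY_STRING"]
    if p["uri"] != requested:
        return None
    ha1 = md5_hex(":".join((p["username"], REALM, password)))
    ha2 = md5_hex(environ["REQUEST_METHOD"] + ":" + p["uri"])
    expected = md5_hex(":".join((ha1, p["nonce"], p["nc"], p["cnonce"], "auth", ha2)))
    ok = hmac.compare_digest(expected.encode(), p["response"].encode())
    return p["username"] if ok else None
```

The server has to hold either the password or the precomputed HA1 value to run this check. The signed nonce only bounds the replay window to NONCE_TTL seconds; the nc counter is not tracked here.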
