Reputation: 8481
This page of the CherryPy documentation contains the following snippet:
    import cherrypy
    from cherrypy.lib import auth_digest

    USERS = {'jon': 'secret'}

    conf = {
        '/protected/area': {
            'tools.auth_digest.on': True,
            'tools.auth_digest.realm': 'localhost',
            'tools.auth_digest.get_ha1': auth_digest.get_ha1_dict_plain(USERS),
            'tools.auth_digest.key': 'a565c27146791cfb'
        }
    }

    # myapp is the application root object, defined elsewhere
    cherrypy.quickstart(myapp, '/', conf)
What do the 4 items starting with tools.auth_digest mean?
Upvotes: 1
Views: 1080
Reputation: 866
Digest is an authentication mechanism that is slightly more secure than basic authentication; see the definition here: What is digest authentication?
I had a look through the CherryPy source to see if there was any kind of documentation on what the arguments meant. This file says that the arguments are:
realm
    A string containing the authentication realm.
get_ha1
    A callable which looks up a username in a credentials store
    and returns the HA1 string, which is defined in the RFC to be
    MD5(username : realm : password). The function's signature is:
    ``get_ha1(realm, username)``
    where username is obtained from the request's 'authorization' header.
    If username is not found in the credentials store, get_ha1() returns
    None.
key
    A secret string known only to the server, used in the synthesis of nonces.
The on flag will (hopefully obviously) just enable digest authentication and force it to search for digest parameters instead of basic auth parameters.
Note that the get_ha1 parameter is a callable; from searching the file, there are 3 versions:
get_ha1_dict_plain
get_ha1_dict
get_ha1_file_htdigest
There are appropriate docstrings on these functions if you want to see exactly how they work.
Hope this helped!
Upvotes: 0
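To make the get_ha1 contract quoted in the answer concrete, here is an added example (not from the answer or from CherryPy's code) of a callable with the get_ha1(realm, username) signature backed by precomputed HA1 values instead of plaintext passwords, plus the response check a server performs with it. The helper names make_ha1, ha1_lookup, expected_response and check_request are hypothetical, the sample values are the RFC 2617 section 3.5 example, and nonce validation (where key is used) is not shown.

```python
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_ha1(username, realm, password):
    """HA1 as the docstring defines it: MD5(username:realm:password)."""
    return md5_hex(f"{username}:{realm}:{password}")


def ha1_lookup(user_ha1):
    """Return a get_ha1(realm, username) callable over a {username: HA1}
    dict. Unknown users yield None, as the docstring requires."""
    def get_ha1(realm, username):
        return user_ha1.get(username)
    return get_ha1


def expected_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def check_request(get_ha1, realm, fields, method):
    """Verify the parsed Authorization header fields against the store."""
    ha1 = get_ha1(realm, fields["username"])
    if ha1 is None:
        return False
    want = expected_response(ha1, method, fields["uri"], fields["nonce"],
                             fields["nc"], fields["cnonce"], fields["qop"])
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(want, fields["response"])


# Sample values from RFC 2617 section 3.5; only the HA1 is stored.
REALM = "testrealm@host.com"
STORE = {"Mufasa": make_ha1("Mufasa", REALM, "Circle Of Life")}
SAMPLE = {
    "username": "Mufasa", "uri": "/dir/index.html", "qop": "auth",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "nc": "00000001", "cnonce": "0a4f113b",
    "response": "6629fae49393a05397450978507c4ef1",
}

if __name__ == "__main__":
    print(check_request(ha1_lookup(STORE), REALM, SAMPLE, "GET"))
```

A stored HA1 is still sufficient to answer digest challenges for that realm, so the store needs the same protection as a password file.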