Python embedded web server with client authentication - python

I need to build a python web server which supports 2 different types of users :
"Super admins", which get full access to the admin panel when they connect using a pre-configured laptop/browser.
Admins, which get limited access to the admin panel and can connect using only a username/password combo.
I'm thinking SSL client authentication is a possible solution for authenticating the technicians.
Note that the web server will be embedded in a product and will not have internet access, so cannot connect to a CA.
Is SSL client authentication a good solution, or is there a simpler, or better option?
Here's what I've found...
CherryPy seems to be a very nice, simple python web server. However, it does not seem to support client authentication.
M2Crypto seems like a very complete library which supports all forms of SSL authentication, however I haven't found a detailed example of how to set up a python web server using M2Crypto for SSL client authentication.
pyOpenSSL seems to be dead.
I also found a recipe, which explains how to set up a python web server with SSL. However...
"With this recipe, only the server is authenticated while the client remains unauthenticated (i.e. the server will not request a client certificate)."
Source: http://code.activestate.com/recipes/442473-simple-http-server-supporting-ssl-secure-communica/
Can someone point me in the right direction or link to a well documented implementation of what I'm trying to do?
Thank you :)

Take a look at the Twisted libraries: http://twistedmatrix.com/documents/current/core/examples/index.html
There are simple echoservl_ssl and echoclient_ssl examples at that link as well.
Optionally, bundle Apache + any web framework and you're golden. There are loads of articles online about small embedded web servers.

Related

openid connect provider and client example in django

I need to build a Django web-app. My web-app needs to support authentication and authorization using OpenID Connect. It is my first time doing this. Is there a free Identity Provider to test my application or do I need to write the provider and the client? My task is to write only the client that connects to the provider. An example would be great or some course/tutorial I can use to learn how to do this.
Maybe there are no good examples in Django, but I know ASP.NET and Java, so those examples could inspire me as well.
There are a bunch of OpenID Connect providers you can use to test your client: you can sign up for a free Auth0 or Okta developer sandbox, download and run IdentityServer locally, or try the OAuth2 Playground.
As for writing the client: please don't write your own. There is a list of libraries from the OpenID Foundation. I've used pyoidc for a non-Django application; you could hook that into your app, or use one of the Django-specific OpenID Connect libraries.
Check out this example using both a provider (a Django app using the django-oidc-provider package) and a client (using JS).
https://django-oidc-provider.readthedocs.io/en/latest/sections/examples.html

Kerberos authentication for Twisted Python client/server

Task: add Kerberos active directory authentication to an insecure reporting and data manipulation desktop application. This app is...
written in Stackless Python 2.7
uses Twisted for client-server interactions
Client is compiled to an exe and runs on Windows
Servers run on Linux (Red Hat)
Currently we pull the Windows network ID (logon name) from the user's account and pass it to the server, which looks up what permissions that user is configured to have and passes back menu options that provide access to just those features. The main weakness is that one could send a different username to the server and access other permissions.
Therefore Kerberos. (And LDAP, from what I read.)
Question:
Does Twisted provide a built-in Kerberos setup?
authkerb perhaps?
I found authkerb after a ton of searching, but I don't see feedback from anyone using it. I'm not sure where to start. If anyone has experience with this, or if you've run across any relevant info to implementing Kerberos specifically with Twisted, I'd appreciate it immensely!
I've never touched anything like Kerberos before, so I read up on it:
kerberos.org/software/tutorial.html
technet.microsoft.com/library/cc961976
web.mit.edu/kerberos/krb5-latest/doc/appdev/init_creds.html
web.mit.edu/kerberos/krb5-1.12/doc/user/tkt_mgmt.html
Also found tips on what to avoid:
faqs.org/faqs/kerberos-faq/general/section-83.html
Twisted does not.
However, http://calendarserver.org, which is based on Twisted, does have Kerberos authentication, and was the originator of the https://pypi.python.org/pypi/pykerberos project. It should serve as a workable example.

How to restrict access by using a self-signed certificate?

I have a python script that wants to communicate via HTTPS to a flask application using a self-signed certificate.
I've created an SSL certificate with openssl. I want flask to only accept connections that use that certificate and refuse those that do not.
Can anyone give some thoughts on how I can do that?
I don't think Flask is capable of that. Flask only takes care of the content-building stuff. It in fact uses Werkzeug as the backend while in development mode.
During development, werkzeug's builtin server supports SSL for testing purposes:
from werkzeug.serving import run_simple
# application is your Flask/WSGI app; ssl_context takes (certificate, private key)
run_simple('localhost', 4000, application,
           ssl_context=('/path/to/the/key.crt',
                        '/path/to/the/key.key'))
Details can be found here.
When it comes to production, a Flask project has to be deployed with a WSGI backend that is more productive. There are many backends out there, like gunicorn and uWSGI (with nginx). If you choose to use one of them, you may want to check out their documentation to find out how to add HTTPS support.
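The client-certificate approach asked about in the first question (super admins recognised by a pre-configured laptop) and in this one (accept only connections that present a known self-signed certificate) is shown below as an added example built on the standard library's ssl and http.server; it is not code from either question or answer. It assumes a private CA generated offline whose public cert is shipped in the product, the placeholder file names, and an issuing convention of OU=superadmin for technician certs; Werkzeug's run_simple also accepts an ssl.SSLContext object for ssl_context, so the same context can be handed to the development server.

```python
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer
def build_server_context(certfile, keyfile, cafile):
    """TLS context that asks each client for a certificate and verifies it
    against ONE trust anchor: the private CA shipped inside the product."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)      # the device's own server cert
    ctx.load_verify_locations(cafile=cafile)    # private CA only, never the system store
    # CERT_OPTIONAL: a presented cert must chain to our CA or the handshake fails,
    # but password-only admins with no cert can still connect. Use CERT_REQUIRED to
    # reject every cert-less client; for one self-signed client cert, pass that .crt as cafile.
    ctx.verify_mode = ssl.CERT_OPTIONAL
    return ctx

def subject_fields(peercert):
    """Flatten the nested 'subject' tuples returned by getpeercert() into a dict."""
    fields = {}
    for rdn in (peercert or {}).get("subject", ()):
        for key, value in rdn:
            fields[key] = value
    return fields

def role_from_peercert(peercert):
    """Assumed issuing convention: only CA-verified certs with OU=superadmin unlock the full panel."""
    if not peercert:    # None (no cert offered) or {} (not validated): fall back to password login
        return None
    if subject_fields(peercert).get("organizationalUnitName") == "superadmin":
        return "superadmin"
    return None

class AdminHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        role = role_from_peercert(self.connection.getpeercert())
        if role == "superadmin":
            body = b"full admin panel\n"
        else:
            body = b"limited panel: username/password login required\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":   # file names are placeholders
    srv = HTTPServer(("0.0.0.0", 8443), AdminHandler)
    ctx = build_server_context("server.crt", "server.key", "private-ca.crt")
    srv.socket = ctx.wrap_socket(srv.socket, server_side=True)
    srv.serve_forever()
```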

Security of python flask REST API using HTTP Basic Authentication

I have Python Flask running on my server exposing a REST API that is being consumed by an iOS app. I'm using HTTP Basic Authentication via the Flask-HTTPAuth module. I wanted to know how secure this is, because the username:password string would be sent on every request.
Do I need to use HTTPS instead?
Thanks!
Sorry for bad English. Still learning.
Your current system is (very!) insecure; the login information can be seen in transit by anyone.
The easiest way to add secure HTTP is to install a proxy server like nginx. Then nginx is configured for secure HTTP, but it relays all the requests to the Flask application listening on a private socket without encryption.
This link will send you to the nginx documentation on secure HTTP.
Alternatively, you can have HTTPS running directly from Flask. The link has clear instructions on how to do this. It is a quick, easy method to use while developing.
For production, I'd use Apache's mod_ssl function, or as already stated by Miguel, nginx, as proxy servers.
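As an added illustration (not from the question or the answers above), a standard-library WSGI wrapper that can sit around a Flask application object: it decodes what the Basic scheme actually puts on the wire, refuses to examine credentials unless the request arrived over HTTPS (directly, or via the nginx proxy suggested above), and compares against salted PBKDF2 hashes. The names require_tls_basic_auth, run_status and the sample account are constructed for this example.

```python
import base64, hashlib, hmac, os
def decode_basic(header):
    """(user, password) from an Authorization header, or None. Base64 is encoding, not encryption."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, pw = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:          # bad base64 or bad UTF-8
        return None
    return user, pw

def basic_header(user, pw):
    """Exactly what the iOS app sends on every request; readable by anyone on the path."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()

def hash_password(pw, salt=None, rounds=100_000):
    """PBKDF2-HMAC-SHA256: store (salt, digest), never the clear-text password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, rounds)

def check_password(pw, stored):
    return hmac.compare_digest(hash_password(pw, stored[0])[1], stored[1])   # constant-time

def require_tls_basic_auth(app, users):
    """WSGI wrapper (fits around a Flask app): credentials are not examined unless the
    request came over TLS, directly or via a proxy whose X-Forwarded-Proto we trust."""
    def wrapped(environ, start_response):
        proto = environ.get("HTTP_X_FORWARDED_PROTO", environ.get("wsgi.url_scheme"))
        if proto != "https":
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"HTTPS required\n"]
        creds = decode_basic(environ.get("HTTP_AUTHORIZATION", ""))
        if not creds or creds[0] not in users or not check_password(creds[1], users[creds[0]]):
            start_response("401 Unauthorized", [("WWW-Authenticate", 'Basic realm="api"')])
            return [b"authentication required\n"]
        environ["REMOTE_USER"] = creds[0]
        return app(environ, start_response)
    return wrapped

def run_status(app, environ):
    """Drive a WSGI app once with a fake environ and return its status line."""
    seen = []
    b"".join(app(environ, lambda status, headers, exc_info=None: seen.append(status)))
    return seen[0]

def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello " + environ["REMOTE_USER"].encode() + b"\n"]
USERS = {"ios-app": hash_password("correct horse battery")}   # constructed sample account
protected = require_tls_basic_auth(demo_app, USERS)
```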

What would be required to allow for single sign on in a python web application?

I would like to know how to implement single sign on in a python web application. The application would run on a Windows Server in an Active Directory domain.
The clients would also be in the domain.
What I would like is that the authentication occurs automatically, like Windows Authentication in ASP.NET (the browser automatically authenticates the user using NTLM or whatever, without ever popping up a credentials window).
Is there a library that supports handling the authentication against Active Directory or, better yet, that generates all the required HTTP headers?
The application would probably be developed using flask or bottle.
It would also be cool if there was a WSGI middleware that does this authentication automatically.
Try sso.py. I haven't tried it myself, but it looks promising.