Python code to do the *server* side of digest authentication?

Dan Lenski

Hi all,
I've got a very simple HTML proxy server to access the web from my
cell phone (based on this code: http://www.okisoft.co.jp/esc/python/proxy/).
It's a very retarded phone that freezes if there's no Content-Length
header and some other circumstances, so I have to tweak and modify the
headers received slightly. But it works quite well with these hacks.

Now I'd like to add proxy authentication so that I'm not running this
open proxy all the time. I would like to use Digest authentication
(http://en.wikipedia.org/wiki/Digest_access_authentication) rather
than Basic authentication so as not to expose any plaintext password.

It appears that there are plenty of Python libraries to do the
*client* side of the authentication (e.g. urllib2) but I have not
found much code that does the *server* side of the authentication.
That is, I am looking for code to generate the WWW-Authentication
header (including appropriate nonce and opaque string) and to verify
the Authorization header sent by the client when it retries.

It does not look *too* hard to implement, but it does involve crypto
and I'd just as soon use some tried-and-true code rather than roll my
own in this case. Does anyone have any suggestions of where to find
such code?

Thanks!

Dan
 
Larry Bates

Dan said:
> Hi all,
> I've got a very simple HTML proxy server to access the web from my
> cell phone (based on this code: http://www.okisoft.co.jp/esc/python/proxy/).
> It's a very retarded phone that freezes if there's no Content-Length
> header and some other circumstances, so I have to tweak and modify the
> headers received slightly. But it works quite well with these hacks.
>
> Now I'd like to add proxy authentication so that I'm not running this
> open proxy all the time. I would like to use Digest authentication
> (http://en.wikipedia.org/wiki/Digest_access_authentication) rather
> than Basic authentication so as not to expose any plaintext password.
>
> It appears that there are plenty of Python libraries to do the
> *client* side of the authentication (e.g. urllib2) but I have not
> found much code that does the *server* side of the authentication.
> That is, I am looking for code to generate the WWW-Authentication
> header (including appropriate nonce and opaque string) and to verify
> the Authorization header sent by the client when it retries.
>
> It does not look *too* hard to implement, but it does involve crypto
> and I'd just as soon use some tried-and-true code rather than roll my
> own in this case. Does anyone have any suggestions of where to find
> such code?
>
> Thanks!
>
> Dan

I think that is because normally the web server does the authentication on the
server side. Why not use Apache to do the digest authentication?

http://httpd.apache.org/docs/2.0/mod/mod_auth_digest.html

-Larry
 
Dan Lenski

> I think that is because normally the web server does the authentication on the
> server side. Why not use Apache to do the digest authentication?
>
> http://httpd.apache.org/docs/2.0/mod/mod_auth_digest.html
>
> -Larry

Hi Larry,

I'm sorry that I wasn't clear in my original post! I don't need to do
the server authentication on the proxy (WWW-Authentication and
Authorization). What I need to do is the *proxy* authentication
(Proxy-Authentication and Proxy-Authorization).

Those headers are identical to the first pair, but they are handled by
the proxy; if the client isn't authorized, then they can't use the
proxy.

Dan
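
An added example, not part of the thread and not code from any of the posters: the server side of Digest for a proxy, that is, building the challenge sent with a 407 response (Proxy-Authenticate) and checking the client's Proxy-Authorization retry, following RFC 2617 with qop=auth and MD5. The realm, user table, nonce lifetime and all function names are assumptions made for the illustration.

```python
import hashlib, hmac, os, re, time

SECRET = os.urandom(32)      # per-process key used to sign nonces
REALM = "phone-proxy"        # assumed realm name
USERS = {"dan": "s3cret"}    # constructed sample credentials
NONCE_TTL = 300              # seconds a nonce stays valid (assumption)

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def make_nonce(now=None):
    """Stateless nonce: a timestamp plus an HMAC tag only this server can produce."""
    ts = str(int(time.time() if now is None else now))
    tag = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return ts + ":" + tag

def nonce_ok(nonce, now=None):
    ts, _, tag = nonce.partition(":")
    good = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), good.encode()):
        return False         # not issued by this server, or tampered with
    return 0 <= (time.time() if now is None else now) - int(ts) <= NONCE_TTL

def challenge():
    """Value for the Proxy-Authenticate header of a 407 response."""
    return 'Digest realm="%s", qop="auth", nonce="%s", opaque="%s"' % (
        REALM, make_nonce(), md5_hex(REALM))

def verify(method, uri, header):
    """Check a Proxy-Authorization value; return the username or None."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "digest":
        return None
    f = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^\s,]+)', rest)}
    try:
        password = USERS[f["username"]]
        if (f["realm"] != REALM or f["qop"] != "auth" or f["uri"] != uri
                or not nonce_ok(f["nonce"])):
            return None
        ha1 = md5_hex("%s:%s:%s" % (f["username"], REALM, password))
        ha2 = md5_hex("%s:%s" % (method, uri))
        want = md5_hex(":".join([ha1, f["nonce"], f["nc"], f["cnonce"], "auth", ha2]))
    except KeyError:         # unknown user or a missing field
        return None
    ok = hmac.compare_digest(want.encode(), f["response"].encode())
    return f["username"] if ok else None
```

This sketch does not track the `nc` counter, so a captured header can be replayed for the same method and URI until the nonce expires; a server that needs replay protection has to remember the highest `nc` seen per nonce.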
 
