repoze.who.plugins.browserid
Detailed description of the repoze.who.plugins.browserid Python project
This is a repoze.who plugin for authenticating via Mozilla's Persona project, a.k.a. BrowserID:
https://persona.org/
It supports verifying BrowserID assertions using the PyBrowserID client library. Currently PyBrowserID verifies assertions by default by posting them to the persona.org verifier service, but it also has preliminary support for verifying assertions locally. As the protocol becomes more stable, local verification will become the default.
Configuration of the plugin can be done from the standard repoze.who config file, like so:

    [plugin:browserid]
    use = repoze.who.plugins.browserid:make_plugin
    audiences = www.mysite.com
    rememberer_name = authtkt

    [plugin:authtkt]
    use = repoze.who.plugins.auth_tkt:make_plugin
    secret = My Special Secret

    [identifiers]
    plugins = authtkt browserid

    [authenticators]
    plugins = authtkt browserid

    [challengers]
    plugins = browserid
Note that we have paired the browserid plugin with the standard authtkt plugin so that it can remember the user's login across requests.
Customization
The following settings can be specified in the configuration file to customize the behaviour of the plugin:
audiences: A space-separated list of acceptable hostnames or glob patterns for the BrowserID assertion audience. Any assertion whose audience does not match an item in the list will be rejected.
You must specify a value for this setting, since it is integral to the security of BrowserID. See the Security Notes section below for more details.
rememberer_name: The name of another repoze.who plugin which should be called to remember/forget the authentication. This would typically be a signed-cookie implementation such as the built-in auth_tkt plugin. If unspecified or None then authentication will not be remembered.
postback_url: The URL to which BrowserID credentials should be sent for validation. The default value is hopefully conflict free: /repoze.who.plugins.browserid.postback.
assertion_field: The name of the POST form field in which to find the BrowserID assertion. The default value is “assertion”.
came_from_field: The name of the POST form field in which to find the referring page, to which the user will be redirected after processing their login. The default value is “came_from”.
csrf_field: The name of the POST form field in which to find the CSRF protection token. The default value is “csrf_token”. If set to the empty string then CSRF checking is disabled.
csrf_cookie_name: The name of the cookie in which to set and find the CSRF protection token. The default cookie name is “browserid_csrf_token”. If set to the empty string then CSRF checking is disabled.
challenge_body: The location at which to find the HTML for the login page, either as a dotted python reference or a filename. The contained HTML may use python string interpolation syntax to include details of the challenge, e.g. use %(csrf_token)s to include the CSRF token.
verifier: The PyVEP Verifier object to use for checking assertions, or the dotted python name of such an object. The default value is vep.RemoteVerifier() which should be suitable for most purposes.
check_https: Boolean indicating whether to reject login attempts over unencrypted connections. The default value is False.
check_referer: Boolean indicating whether to reject login attempts where the referer header does not match the expected audience. The default is to perform this check for secure connections only.
Security Notes
CSRF Protection
This plugin attempts to provide some basic protection against login-CSRF attacks, as described by Barth et al. in "Robust Defenses for Cross-Site Request Forgery":
http://seclab.stanford.edu/websec/csrf/csrf.pdf
In the terminology of that paper, it combines a session-independent nonce with strict referer checking for secure connections. You can tweak the protection by adjusting the "csrf_cookie_name", "check_referer" and "check_https" settings.
Audience Checking
BrowserID uses the concept of an "audience" to protect against login theft. The audience ties a BrowserID assertion to a specific host, so that an attacker cannot collect assertions on one site and then use them to log in to another.
By default this plugin performs strict audience checking. You must provide a list of acceptable audience strings when creating the plugin, and they should be specific to your application. For example, if your application serves requests on the three different hostnames http://mysite.com, http://www.mysite.com and http://uploads.mysite.com, you might provide:

    [plugin:browserid]
    use = repoze.who.plugins.browserid:make_plugin
    audiences = mysite.com *.mysite.com

If your application strictly checks the HTTP Host header, then you can instruct the plugin to use the Host header as the audience by leaving the list blank:

    [plugin:browserid]
    use = repoze.who.plugins.browserid:make_plugin
    audiences =

This is not the default behaviour since it may be insecure on some systems.
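The following is an added illustration, not the plugin's own code, of how the audience globs, the blank-list "use the Host header" mode, and the check_https / check_referer policy described above fit together; it goes slightly beyond the README by exercising all three settings in one decision. Function names, the fnmatch-style glob interpretation and the port handling are assumptions.

```python
import fnmatch
from urllib.parse import urlsplit


def parse_audiences(setting):
    """Split the space-separated `audiences` setting into glob patterns.

    An empty setting yields [] which means "trust the request Host header",
    the mode the README warns is only safe if the app checks Host strictly.
    """
    return setting.split()


def audience_allowed(patterns, audience):
    """True if the assertion audience matches one of the configured globs."""
    if not patterns:
        return True  # blank list: the Host header itself is the audience
    audience = audience.lower()
    return any(fnmatch.fnmatchcase(audience, p.lower()) for p in patterns)


def referer_matches(patterns, host, referer):
    """Referer check: the referring host must be an acceptable audience."""
    ref_host = urlsplit(referer or "").hostname  # None if missing/garbage
    if ref_host is None:
        return False
    if not patterns:
        # No configured audiences: referer must equal the Host header (sans port).
        return ref_host == host.split(":")[0].lower()
    return audience_allowed(patterns, ref_host)


def login_request_ok(patterns, scheme, host, referer,
                     check_https=False, check_referer=None):
    """Decide whether a BrowserID postback should be processed at all.

    check_referer=None reproduces the documented default: the referer is
    enforced only on secure (https) connections.
    """
    if check_https and scheme != "https":
        return False
    if check_referer is None:
        check_referer = (scheme == "https")
    if check_referer and not referer_matches(patterns, host, referer):
        return False
    return audience_allowed(patterns, host.split(":")[0])


if __name__ == "__main__":
    pats = parse_audiences("mysite.com *.mysite.com")  # constructed setting
    print(login_request_ok(pats, "https", "www.mysite.com",
                           "https://www.mysite.com/login"))  # True
```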
0.5.0 - 2012-09-11
- Fix javascript to use navigator.id.get() instead of the deprecated navigator.id.getVerifiedEmail.
0.4.0 - 2012-07-17
- Migrate from PyVEP to PyBrowserID.
0.3.1 - 2012-01-30
- Don’t choke on unicode in challenge_body; thanks catlee.
- Update license to MPL 2.0.
0.3.0 - 2012-01-06
- Update for API compatibility with PyVEP>=0.3.0.
0.2.1 - 2011-12-07
- Update for API compatibility with PyVEP>=0.2.0.
0.2.0 - 2011-12-01
- Refactor verification code into a stand-alone library named "PyVEP", which is now a dependency.
0.1.0 - 2011-11-15
- Initial release.