Authentication and Authorization (flask-eve)

Published 2014/11/19 13:37

Original article: http://python-eve.org/authentication.html

Introduction to Security

Authentication is the mechanism whereby systems may securely identify their users. Eve supports several authentication schemes: Basic Authentication, Token Authentication and HMAC Authentication.

Authorization is the mechanism by which a system determines what level of access a particular (authenticated) user should have to the resources controlled by the system. In Eve, you can restrict access to all API endpoints, or only some of them. You can protect some HTTP verbs while leaving others open. For example, you can allow public read-only access while restricting item creation and editing to authorized users only. You can also allow GET access for certain requests and POST access for others by checking the method parameter. There is also support for role-based access control.


Security is one of those areas where customization is very important. This is why you are provided with a handful of base authentication classes. They implement the basic authentication mechanism and must be subclassed in order to implement authorization logic. No matter which authentication scheme you pick, the only thing you need to do in your subclass is override the check_auth() method.


Global Authentication

To enable authentication for your API just pass the custom auth class on app instantiation. In our example we’re going to use the BasicAuth base class, which implements the Basic Authentication scheme:



All your API endpoints are now secured, which means that a client will need to provide the correct credentials in order to consume the API:


By default access is restricted to all endpoints for all HTTP verbs (methods), effectively locking down the whole API.


But what if your authorization logic is more complex, and you only want to secure some endpoints or apply different logic depending on the endpoint being consumed? You could get away with just adding logic to your authentication class, maybe with something like this:



If needed, this approach also allows you to take the request method into consideration, for example to allow GET requests for everyone while forcing validation on edits (POST, PUT, PATCH, DELETE).


Endpoint-level Authentication

The "one class to bind them all" approach seen above is probably good for most use cases, but as soon as authorization logic gets more complicated it could easily lead to complex and unmanageable code, something you don't really want when dealing with security.


Wouldn’t it be nice if we could have specialized auth classes that we could freely apply to selected endpoints? This way the global level auth class, the one passed to the Eve constructor as seen above, would still be active on all endpoints except those where different authorization logic is needed. Alternatively, we could even choose to not provide a global auth class, effectively making all endpoints public, except the ones we want protected. With a system like this we could even choose to have some endpoints protected with, say, Basic Authentication while others are secured with Token, or HMAC Authentication!


Well, it turns out this is actually possible by simply enabling the resource-level authentication setting when defining the API domain.

And that’s it. The people endpoint will now be using the MySuperCoolAuth class for authentication, while the invoices endpoint will be using the general-purpose auth class if provided or else it will just be open to the public.


There are other features and options that you can use to reduce complexity in your auth classes, especially (but not only) when using the global level authentication system. Let's review them.


Global Endpoint Security

You might want a public read-only API where only authorized users can write, edit and delete. You can achieve that by using the PUBLIC_METHODS and PUBLIC_ITEM_METHODS global settings. Add the following to your settings.py:

Then run your API. POST, PATCH and DELETE are still restricted, while GET is publicly available at all API endpoints. PUBLIC_METHODS refers to resource endpoints, like /people, while PUBLIC_ITEM_METHODS refers to individual items, like /people/id.

Custom Endpoint Security

Suppose that you want to allow public read access to only certain resources. You do that by declaring public methods at the resource level, while declaring the API domain:


Be aware that, when present, resource settings override global settings. You can use this to your advantage. Suppose that you want to grant read access to all endpoints with the only exception of /invoices. You first open read access for all endpoints:



Then you protect the private endpoint:

This effectively makes invoices a restricted resource.

Basic Authentication

The eve.auth.BasicAuth class allows the implementation of Basic Authentication (RFC 2617). It should be subclassed in order to implement custom authentication.

Basic Authentication with bcrypt

Hashing passwords with bcrypt is a great idea. It comes at the cost of performance, but that's precisely the point: a deliberately slow hash means very good resistance to brute-force attacks. For a faster (and less safe) alternative, see the SHA1/HMAC snippet further below.


This script assumes that user accounts are stored in an accounts MongoDB collection, and that passwords are stored as bcrypt hashes. All API resources/methods will be secured unless they are made explicitly public.
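Added example (not Eve's own code, nor the script the page refers to): a global auth class whose check_auth() branches on the resource and HTTP method, as described under Global Authentication, and verifies passwords against hashed entries the way the bcrypt script does. Assumptions: the accounts table is a constructed in-memory dict standing in for the MongoDB collection, PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt (bcrypt.checkpw() slots in at the same place), and a minimal stand-in base class is used if Eve is not installed.

```python
import hashlib
import hmac
import os

try:
    from eve.auth import BasicAuth
except ImportError:  # stand-in with the same check_auth() contract as Eve's
    class BasicAuth:
        def check_auth(self, username, password, allowed_roles, resource, method):
            raise NotImplementedError

# Constructed stand-in for the MongoDB 'accounts' collection:
# username -> (salt, password hash). Eve's script stores bcrypt hashes;
# PBKDF2 (assumption) plays the same deliberately-slow-hash role here.
ITERATIONS = 100_000

def hash_password(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

ACCOUNTS = {"admin": hash_password("correct horse")}
PUBLIC_READ = {"people"}  # GET is open here; /invoices and all writes are not

class EndpointAwareAuth(BasicAuth):
    def check_auth(self, username, password, allowed_roles, resource, method):
        # Eve only calls check_auth() when an Authorization header is present;
        # fully anonymous reads need PUBLIC_METHODS (Global Endpoint Security).
        if resource in PUBLIC_READ and method == "GET":
            return True
        # Every other resource/verb combination needs valid credentials.
        account = ACCOUNTS.get(username)
        if account is None:
            # Hash anyway so an unknown user costs as much as a wrong password.
            hash_password(password or "", b"\x00" * 16)
            return False
        salt, stored = account
        # Constant-time comparison of the stored and freshly computed hashes.
        return hmac.compare_digest(stored, hash_password(password or "", salt)[1])
```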

Basic Authentication with SHA1/HMAC


Token-Based Authentication

Token-based authentication can be considered a specialized version of Basic Authentication. The Authorization header will contain the auth token as the username, and no password.


HMAC Authentication

The eve.auth.HMACAuth class allows for custom, Amazon S3-like, HMAC (Hash-based Message Authentication Code) authentication, which is basically a very secure custom authentication scheme built around the Authorization header.

How HMAC Authentication Works

The server provides the client with a user id and a secret key through some out-of-band technique (e.g., the service sends the client an e-mail containing the user id and secret key). The client will use the supplied secret key to sign all requests.

When the client wants to send a request, it builds the complete request and then, using the secret key, computes a hash over the complete message body (and optionally some of the message headers, if required).
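The exchange just described, as an added example that is not part of the original page or of Eve: the client signs the request body with its out-of-band secret key and sends "Authorization: userid:digest", and the server's HMACAuth subclass recomputes the digest with the key on file and compares it in constant time. Assumptions: the key store is a constructed dict, HMAC-SHA256 is used (Eve's own snippet uses SHA1), the userid:digest header layout follows what Eve's HMACAuth parses, and a stand-in base class is used if Eve is not installed.

```python
import hashlib
import hmac

try:
    from eve.auth import HMACAuth
except ImportError:  # stand-in with the same check_auth() contract as Eve's
    class HMACAuth:
        def check_auth(self, userid, hmac_hash, headers, data, allowed_roles,
                       resource, method):
            raise NotImplementedError

# Constructed stand-in for the 'accounts' collection: userid -> secret key
# that was handed to the client out-of-band.
SECRET_KEYS = {"client-42": b"constructed-secret-key"}

def sign(secret_key, body):
    # Both sides compute the same thing: HMAC over the raw body bytes.
    return hmac.new(secret_key, body, hashlib.sha256).hexdigest()

def build_authorization(userid, secret_key, body):
    # Client side: the header value Eve's HMACAuth expects, "userid:digest".
    return "%s:%s" % (userid, sign(secret_key, body))

class BodySigningAuth(HMACAuth):
    def check_auth(self, userid, hmac_hash, headers, data, allowed_roles,
                   resource, method):
        secret_key = SECRET_KEYS.get(userid)
        if secret_key is None:
            return False
        # compare_digest does not leak how many leading characters matched.
        return hmac.compare_digest(sign(secret_key, data), hmac_hash)

def verify_request(authorization_header, body):
    # Server side: split the header the way Eve's HMACAuth.authorized() does
    # (assumption) before handing the parts to check_auth().
    try:
        userid, digest = authorization_header.split(":", 1)
    except ValueError:
        return False
    return BodySigningAuth().check_auth(userid, digest, {}, body, None,
                                        "invoices", "POST")
```

A tampered body or a userid with no key on file fails verification, which is exactly the property that makes the scheme useful over plain tokens.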

Role Based Access Control

The code snippets above deliberately ignore the allowed_roles parameter. You can use this parameter to restrict access to authenticated users who have also been assigned specific roles.

First, you would use the new ALLOWED_ROLES and ALLOWED_ITEM_ROLES global settings (or the corresponding allowed_roles and allowed_item_roles resource settings).


User-Restricted Resource Access

When this feature is enabled, each stored document is associated with the account that created it. This allows the API to transparently serve only account-created documents on all kinds of requests: read, edit, delete and of course create. User authentication needs to be enabled for this to work properly.


At the global level this feature is enabled by setting AUTH_FIELD and locally (at the endpoint level) by setting auth_field. These properties define the name of the field used to store the id of the user who created the document. So for example by setting AUTH_FIELD to user_id, you are effectively (and transparently to the user) adding a user_id field to every stored document. This will then be used to retrieve/edit/delete documents stored by the user.
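Added example (not Eve's own settings): one settings.py that ties together the options described on this page, from the resource-level authentication class and the PUBLIC_METHODS override through ALLOWED_ROLES and AUTH_FIELD, plus a small resolver showing the rule that resource settings override global ones. MySuperCoolAuth and MyHMACAuth are placeholder names for auth classes assumed to be defined elsewhere; Eve itself is not imported.

```python
class MySuperCoolAuth:   # placeholder for a BasicAuth subclass (assumed)
    pass

class MyHMACAuth:        # placeholder for an HMACAuth subclass (assumed)
    pass

# Global defaults: read-only API for everyone, writes restricted to
# authenticated users holding one of these roles, and every stored
# document tagged with the id of the account that created it.
PUBLIC_METHODS = ["GET"]
PUBLIC_ITEM_METHODS = ["GET"]
ALLOWED_ROLES = ["admin", "editor"]
ALLOWED_ITEM_ROLES = ["admin", "editor"]
AUTH_FIELD = "user_id"

DOMAIN = {
    # /people uses its own auth class instead of the one passed to Eve(auth=...)
    # and otherwise inherits the global defaults (public GET, user_id field).
    "people": {"authentication": MySuperCoolAuth},
    # /invoices: resource settings override the globals, so there is no
    # public read here, requests must be HMAC-signed, only admins may
    # write, and documents are tagged with owner_id instead of user_id.
    "invoices": {
        "authentication": MyHMACAuth,
        "public_methods": [],
        "public_item_methods": [],
        "allowed_roles": ["admin"],
        "allowed_item_roles": ["admin"],
        "auth_field": "owner_id",
    },
}

def effective(resource, key):
    """Resolve a per-resource setting the way the page describes it:
    the resource-level value wins when present, else the global default
    of the same name in upper case (e.g. public_methods -> PUBLIC_METHODS)."""
    return DOMAIN.get(resource, {}).get(key, globals()[key.upper()])
```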

© Copyright belongs to the author
