Twisted cred with HTTP digest authentication

I'm trying to implement Twisted cred with HTTP Digest Authentication, and I'm having some difficulty. I was able to get it to work with checkPassword, but I don't want to store my passwords in the clear in the database, obviously.

I'm storing the MD5 of username:realm:password in my password database, and I'm calculating it using:

from twisted.cred._digest import calcHA1

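def calc_ha1(self, password, username=None):
    # Default to the avatar this object represents
    if username is None:
        username = self.avatarId

    realm = self.digest_factory.digest.authenticationRealm
    # HA1 = MD5(username:realm:password); the nonce and cnonce arguments
    # are only used for the 'md5-sess' algorithm, so None is passed here
    return calcHA1('md5', username, realm, password, None, None)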

My password checker looks like this:

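from twisted.cred import error as credError
from twisted.internet import defer
# Assumption: self.session is a SQLAlchemy session
from sqlalchemy.orm.exc import NoResultFound

def requestAvatarId(self, credentials):
    username = credentials.username
    try:
        # Look up the stored HA1 for this user
        user = self.session.query(models.User).filter_by(username=username).one()
    except NoResultFound:
        return defer.fail(credError.UnauthorizedLogin("No such administrator"))

    # checkHash() recomputes the digest response from the stored HA1
    # and compares it with the response the client sent
    if credentials.checkHash(user.password_hash):
        return defer.succeed(username)
    else:
        return defer.fail(credError.UnauthorizedLogin("Bad password"))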

However, when checkHash computes HA2 and combines it with the HA1 that I have in the DB, it does not match what the browser is sending. I stepped through the checkHash code with a debugger and everything is operating as I would expect. Does anyone have ideas?

Thanks -s
