Key parts to the architecture are the authentication and authorisation handlers triggered from the respective 401 and 403 HTTP response codes together with a URI based access control policy. I've used the Python security middleware package AuthKit to help me put this together. One thing I've been meaning to do is to lay this out in a simple example. This first snippet gives an overview:
app = AuthorisationPolicyMiddleware(myApp)
app = MultiHandler(app)
app.add_method("checkerID", AuthenticationHandlerMiddleware)
app.add_checker("checkerID", AuthenticationHandlerMiddleware.trigger)
app = MultiHandler(app)
app.add_method("checkerID", AuthorisationHandlerMiddleware)
app.add_checker("checkerID", AuthorisationHandlerMiddleware.trigger)
from paste.httpserver import serve
from paste.deploy import loadapp
serve(app, host='0.0.0.0', port=9080)
The application to be protected is defined in a WSGI elsewhere. This is wrapped in a number of pieces of middleware chained together to form a pipeline to intercept requests to the application. On the last line it is served using Paste.
The first middleware component listed,
AuthorisationPolicyMiddleware, checks the requested URI against a policy. If the user is not authorised, it sets a HTTP "403 Forbidden" response bypassing myApp.Following this, there are two pieces of middleware making use of AuthKit's
authkit.authenticate.multi.Multihandler. The MultiHandler accepts two key inputs: a checker function which determines the criteria for intercepting a request, and a method, a WSGI middleware to determine what action to take once an intercept has been made.In the first case, a class method
AuthenticationHandlerMiddleware.trigger has been defined to intercept HTTP "401 Unauthorized" status codes. The AuthenticationHandlerMiddleware itself determines the action taken:class AuthenticationHandlerMiddleware(object):"""Handler for HTTP 401 Unauthorized responses"""triggerStatus = "401 Unauthorized"def __init__(self, global_conf, **app_conf):pass
def __call__(self, environ, start_response):log.info("AuthenticationHandlerMiddleware access denied response ...")response = "HTTP 401 Unauthorised response intercepted"start_response('200 OK', [('Content-type', 'text/plain'),('Content-length', str(len(response)))])return [response]@classmethoddef trigger(cls, environ, status, headers):if status == cls.triggerStatus:
log.info("Authentication Trigger caught status [%s]",
cls.triggerStatus)
return Trueelse:
return False
In the above, the middleware simply outputs a message but it effectively provides a hook to trigger a login or other authentication interface.
A second Multihandler is in place to handle HTTP "403 Forbidden" responses. This follows a similar pattern:
class AuthorisationHandlerMiddleware(object):"""Handler for HTTP 403 Forbidden responses"""triggerStatus = "403 Forbidden"def __init__(self, global_conf, **app_conf):passdef __call__(self, environ, start_response):log.info("AuthorisationHandlerMiddleware access denied response ...")response = "HTTP 403 Forbidden response intercepted"start_response('200 OK', [('Content-type', 'text/plain'),
('Content-length', str(len(response)))])return [response]@classmethoddef trigger(cls, environ, status, headers):if status == cls.triggerStatus:
log.info("Authorisation Trigger caught status [%s]",
cls.triggerStatus)
return Trueelse:
return False
The
trigger method sets a True response to signal to the Multihandler to intercept the request and invoke AuthorizationMiddleware to deliver an access denied message.This next snippet shows
myApp effectively a test harness to demonstrate the middleware behaviour:def myApp(environ, start_response):"""Test application to be secured"""if environ['PATH_INFO'] == "/test_401":
status = "401 Unauthorized"
response = status
elif environ['PATH_INFO'] == "/test_403":
status = "403 Forbidden"
response = status
elif environ['PATH_INFO'] == "/secured":
status = "200 OK"
response = "Secured URI"
else:
status = "404 Not Found"
response = status
log.info("Application is setting [%s] response..." % status)
start_response(status,
[('Content-type', 'text/plain'),
('Content-length', str(len(response)))])
return [response]
As set-up above,
http://localhost:9080/test_401will trigger the authentication middleware andhttp://localhost:9080/test_403the authorisation middleware.- The last,
http://localhost:9080/test_secured, demonstrates the access control policy implemented inAuthorisationPolicyMiddleware:
class AuthorisationPolicyMiddleware(object):
"""Apply a security policy based on the URI requested"""
def __init__(self, app):
self.securedURIs = ['/test_secured']
self.app = app
def __call__(self, environ, start_response):
if environ['PATH_INFO'] in self.securedURIs:
log.info("Path [%s] is restricted by the Authorisation policy" %
environ['PATH_INFO'])
status = "403 Forbidden"
response = status
start_response(status, [('Content-type', 'text/plain'),
('Content-length', str(len(response)))])
return [response]
else:
return self.app(environ, start_response)
The middleware has a policy consisting of a list of URIs to be secured in the
securedURIs attribute. In practice this could link to a policy file, database link or some other interface. The __call__ method intercepts request URIs which match the policy and invokes a HTTP 403 response. This in turn brings into play the AuthorisationMiddleware handler triggering it to return an access denied response.The complete example is in the NERC DataGrid SubVersion repository.
No comments:
Post a Comment