Twisted authentication using Perspective Broker
from zope.interface import implements
from twisted.cred import checkers, credentials
from twisted.cred import error as credError
from twisted.internet import defer

class PasswordDictChecker(object):
    implements(checkers.ICredentialsChecker)
    credentialInterfaces = (credentials.IUsernamePassword,)

    def __init__(self, passwords):
        "passwords: a dict-like object mapping usernames to passwords"
        self.passwords = passwords

    def requestAvatarId(self, credentials):
        username = credentials.username
        if username in self.passwords:
            if credentials.password == self.passwords[username]:
                return defer.succeed(username)
            else:
                return defer.fail(
                    credError.UnauthorizedLogin("Bad password"))
        else:
            return defer.fail(
                credError.UnauthorizedLogin("No such user"))

passwords = {
    'admin': 'aaa',
    'user1': 'bbb',
    'user2': 'ccc'
}

# p is the portal.Portal created in the server script below
p.registerChecker(PasswordDictChecker(passwords))
I have been studying Twisted this week and have read the book and most of the documentation, but there are still some things I can't figure out. From the Twisted documentation:
http://twistedmatrix.com/documents/10.1.0/core/howto/pb-cred.html
This is the server part:
#!/usr/bin/env python
# Copyright (c) 2009 Twisted Matrix Laboratories.
# See LICENSE for details.

from zope.interface import implements
from twisted.spread import pb
from twisted.cred import checkers, portal
from twisted.internet import reactor

class MyPerspective(pb.Avatar):
    def __init__(self, name):
        self.name = name

    def perspective_foo(self, arg):
        print "I am", self.name, "perspective_foo(", arg, ") called on", self

class MyRealm:
    implements(portal.IRealm)

    def requestAvatar(self, avatarId, mind, *interfaces):
        if pb.IPerspective not in interfaces:
            raise NotImplementedError
        return pb.IPerspective, MyPerspective(avatarId), lambda: None

p = portal.Portal(MyRealm())
c = checkers.InMemoryUsernamePasswordDatabaseDontUse(user1="pass1",
                                                     user2="pass2")
p.registerChecker(c)
reactor.listenTCP(8800, pb.PBServerFactory(p))
reactor.run()
This is the client part:
#!/usr/bin/env python
# Copyright (c) 2009 Twisted Matrix Laboratories.
# See LICENSE for details.

from twisted.spread import pb
from twisted.internet import reactor
from twisted.cred import credentials

def main():
    factory = pb.PBClientFactory()
    reactor.connectTCP("localhost", 8800, factory)
    def1 = factory.login(credentials.UsernamePassword("user1", "pass1"))
    def1.addCallback(connected)
    reactor.run()

def connected(perspective):
    print "got perspective1 ref:", perspective
    print "asking it to foo(13)"
    perspective.callRemote("foo", 13)

main()
If the user enters a wrong password:
Unhandled Error
Traceback (most recent call last):
Failure: twisted.cred.error.UnauthorizedLogin:
Instead of throwing an exception, I want to tell the user that the password they entered is wrong, or that the username is wrong.
I tried modifying:
c = checkers.InMemoryUsernamePasswordDatabaseDontUse(user1="pass1", user2="pass2")
p.registerChecker(c)
but I ran into an error, and I don't think this is the right way to do it.
By the way, I know how to do authentication without using Perspective Broker...
1 Answer
0
If you want retry behaviour, it is best done on the client side. You should not modify the server to return messages like "bad password" or "no such user", because those give an attacker useful information.
To have the client retry, add an errback to the login Deferred that prompts the user for a new password (and possibly a new username) and then calls login again.