Changes between Version 7 and Version 8 of DevelopmentServer

Timestamp:

Aug 29, 2008, 3:28:36 PM (16 years ago)

Author:

cmlenz

Comment:

Add section on auth

DevelopmentServer

@@ -87 +87 @@
 Applications can add their own files to the list of watched files using the `watch_file()` function.
 
+== Authentication ==
+
+The development server can inject a WSGI middle component that performs HTTP authentication (either Basic or Digest) against a specified password file. This is intended primarily for developing and testing authorization-sensitive parts of your application. In particular, this middleware is not intended to be used on production systems where security is critical.
+
+The `--digest` option is used to specify the text file containing the credentials for digest authentication, in a format compatible with the [http://httpd.apache.org/docs/2.2/programs/htdigest.html Apache htdigest tool]. The ``--basic`` option allows you to use an unencrypted password file for even simpler setup. The `--realm` option can be used to specify a different realm, where the default is the name of the `Application` class. This realm needs to match the realm used in the digest file.
+
+The format of the password file for Basic authentication is simple: one line per account, containing the username and the password (in the clear) separated by a colon. Note that this format is '''not compatible''' with the format generated by the [http://httpd.apache.org/docs/2.2/programs/htpasswd.html htpasswd] tool, which encrypts the passwords.
+
+Finally, the `--protect` option can be used to require authentication only on the specified sub-resources. When the `--protect` option is not provided, the whole URI space will require authentication. When it is specified, authentication is only required on the specified paths. To protect more than one path, simply specifiy the option as often as you need.
+
+For example:
+
+{{{
+$ ./myapp.py -rv --digest auth.digest --protect /login
+}}}
+
+
 == API Documentation ==