Services and Authentication

In the previous chapter we discussed the use of the following decorators:

    @auth.requires_login()
    @auth.requires_membership(...)
    @auth.requires_permission(...)

For normal actions (not decorated as services), these decorators can be used even if the output is rendered in a format other than HTML.

For functions defined as services and decorated using the @service... decorators, the @auth... decorators should not be used. The two types of decorators cannot be mixed. If authentication is to be performed, it is the call action (the one that dispatches to the service) that needs to be decorated:

    @auth.requires_login()
    def call(): return service()

Notice that it is also possible to instantiate multiple service objects, register different functions with them (the same function may be registered with more than one), and expose some of them with authentication and some without:

    public_service = Service()
    private_service = Service()

    @public_service.jsonrpc
    @private_service.jsonrpc
    def f():
        return 'public'

    @private_service.jsonrpc
    def g():
        return 'private'

    def public_call():
        return public_service()

    @auth.requires_login()
    def private_call():
        return private_service()

This assumes that the caller is passing credentials in the HTTP header (a valid session cookie or using basic authentication, as discussed in the previous chapter). The client must support it; not all clients do.
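The following is an added illustration, not code from the web2py book or the web2py project: a minimal Python stand-in for the Service registry and for @auth.requires_login(), written so the two-service pattern above can be run and checked without a web2py installation. The Service class, the requires_login decorator and the explicit request dictionary (with a "user" key standing in for the session) are all assumptions of this example; the point it demonstrates is that the login check sits on the dispatching call action, so every method registered with private_service is gated by it, while g is not reachable through public_service at all.

```python
import functools

# Constructed stand-in, not web2py's code: the real Service and auth objects
# read the request and session implicitly; here they are passed explicitly.

class NotAuthorized(Exception):
    """Raised when an unauthenticated request reaches a protected call action."""

class Service:
    """Hypothetical stand-in for web2py's Service: registers functions by name
    and dispatches JSON-RPC-style requests {"method": ..., "params": [...]}."""
    def __init__(self):
        self.methods = {}

    def jsonrpc(self, func):
        # Decorator: register the function and return it unchanged, so the same
        # function can be registered with several Service objects.
        self.methods[func.__name__] = func
        return func

    def __call__(self, request):
        method = request.get("method")
        if method not in self.methods:
            return {"error": "method not found: %s" % method}
        return {"result": self.methods[method](*request.get("params", []))}

def requires_login(func):
    """Hypothetical stand-in for @auth.requires_login(): the wrapped call action
    refuses the request unless request['user'] identifies a logged-in user."""
    @functools.wraps(func)
    def wrapper(request):
        if not request.get("user"):
            raise NotAuthorized("login required for %s" % func.__name__)
        return func(request)
    return wrapper

public_service = Service()
private_service = Service()

@public_service.jsonrpc
@private_service.jsonrpc
def f():
    return 'public'

@private_service.jsonrpc
def g():
    return 'private'

def public_call(request):
    # No login check: anything registered with public_service is open.
    return public_service(request)

@requires_login
def private_call(request):
    # The check guards the dispatcher, so f and g are both protected here.
    return private_service(request)

if __name__ == "__main__":
    anon = {"method": "f", "params": [], "user": None}
    print(public_call(anon))                          # f is reachable anonymously
    print(public_call(dict(anon, method="g")))        # g is not registered publicly
    try:
        private_call(dict(anon, method="g"))
    except NotAuthorized as exc:
        print("rejected:", exc)
    print(private_call(dict(anon, method="g", user="alice")))
```

Because the check is applied once at the call action rather than per function, adding a new method to private_service cannot accidentally expose it without authentication; conversely, a function registered only with public_service is never protected, whatever decorators its siblings carry.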

If using ServerProxy() described above, you can pass basic authentication credentials in the URL, like so:

    from gluon.contrib.simplejsonrpc import ServerProxy
    URL = 'http://user:password@127.0.0.1:8000/app/default/private_call/jsonrpc2'
    service = ServerProxy(URL, version='2.0')

where the function private_call in the controller is decorated for user authentication.
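As an added example (not part of the book and not web2py's ServerProxy implementation), the functions below show what happens to a URL of the form above on both sides of the connection: the client strips the user:password@ part out of the URL and sends it as an HTTP Basic Authorization header, and the server decodes that header back into a username and password. The function names and the percent-decoding of userinfo are assumptions of this example, based on the standard URL and Basic-auth formats rather than on any web2py internals.

```python
import base64
from urllib.parse import urlsplit, urlunsplit, unquote

def split_credentials(url):
    """Client side: return (clean_url, authorization_header) for a URL that may
    carry user:password@ before the host; the header is None if it does not."""
    parts = urlsplit(url)
    if parts.username is None:
        return url, None
    # userinfo is percent-encoded in the URL (a ':' or '@' in the password
    # must be written as %3A or %40), so decode it before building the header.
    user = unquote(parts.username)
    password = unquote(parts.password or "")
    # Rebuild the authority without the userinfo so the credentials travel only
    # in the Authorization header, not in the request line.
    host = parts.hostname
    if ":" in host:                      # bare IPv6 literal needs its brackets back
        host = "[%s]" % host
    netloc = host if parts.port is None else "%s:%d" % (host, parts.port)
    clean = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")
    return clean, "Basic " + token

def parse_basic_header(header):
    """Server side: recover (user, password) from an Authorization header, or
    None when it is absent, not Basic, or not well-formed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    # Only the first ':' separates user from password; later ones belong to it.
    user, _, password = decoded.partition(":")
    return user, password

if __name__ == "__main__":
    URL = 'http://user:password@127.0.0.1:8000/app/default/private_call/jsonrpc2'
    clean, header = split_credentials(URL)
    print(clean)              # http://127.0.0.1:8000/app/default/private_call/jsonrpc2
    print(header)             # Basic dXNlcjpwYXNzd29yZA==
    print(parse_basic_header(header))
```

Note that Basic credentials are only base64-encoded, not encrypted, and a URL written in this form is also what ends up in shell history and client-side logs; the URL form is a convenience for the client, and the server still sees an ordinary Authorization header that the @auth decorator on private_call evaluates.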