Erle Robotics Python Networking Gitbook Free

HTTP Authentication

The HTTP protocol came with a means of authentication that was so poorly thought out and so badly implemented that it seems to have been almost entirely abandoned. When a server was asked for a page to which access was restricted, it was supposed to return a response code: HTTP/1.1 401 Authorization Required.

The authentication token was generated by doing base64 encoding on the colon-separated username and password:

>>> import base64
>>> print base64.b64encode("guido:vanOranje!")

This, of course, just protects any special characters in the username and password that might have been confused as part of the headers themselves; it does not protect the username and password at all, since they can very simply be decoded again:

>>> print base64.b64decode("Z3VpZG86dmFuT3JhbmplIQ==")

Anyway, once the encoded value was computed, it could be included in the second request like this: `Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==``

An incorrect password or unknown user would elicit additional 401 errors from the server, resulting in the pop-up box appearing again and again. Finally, if the user got it right, she would either be shown the resource or—if she in fact did not have permission—be shown a response code like the following:403 Forbidden.

Python supports this kind of authentication through a handler that, as your program uses it, can accumulate a list of passwords.

auth_handler = .HTTPBasicAuthHandler()
auth_handler.add_password(realm='voetbal', uri='',
            user='guido', passwd='vanOranje!')

The resulting handler can be passed into build_opener().