Erle Robotics Python Networking Gitbook Free

HTTP Authentication

The HTTP protocol came with a means of authentication that was so poorly thought out and so badly implemented that it seems to have been almost entirely abandoned. When a server was asked for a page to which access was restricted, it was supposed to return a response code: HTTP/1.1 401 Authorization Required.

The authentication token was generated by doing base64 encoding on the colon-separated username and password:

>>> import base64
>>> print base64.b64encode("guido:vanOranje!")
Z3VpZG86dmFuT3JhbmplIQ==

This, of course, just protects any special characters in the username and password that might have been confused as part of the headers themselves; it does not protect the username and password at all, since they can very simply be decoded again:

>>> print base64.b64decode("Z3VpZG86dmFuT3JhbmplIQ==")
guido:vanOranje!

Anyway, once the encoded value was computed, it could be included in the second request like this: `Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==`

An incorrect password or unknown user would elicit additional 401 errors from the server, resulting in the pop-up box appearing again and again. Finally, if the user got it right, she would either be shown the resource or—if she in fact did not have permission—be shown a response code like the following: 403 Forbidden.

Python supports this kind of authentication through a handler that, as your program uses it, can accumulate a list of passwords.

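import urllib2  # Python 2 module; in Python 3 these classes live in urllib.request

# The handler stores credentials per realm and URI and sends them after a 401 challenge.
auth_handler = urllib2.HTTPBasicAuthHandler()
auth_handler.add_password(realm='voetbal', uri='http://www.onsoranje.nl/',
                          user='guido', passwd='vanOranje!')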

The resulting handler can be passed into build_opener().
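The whole exchange described above (401 challenge, retry with the token, then 200, 403 or another 401), as an added example that is not from the book: it is written for Python 3, where urllib2's handler and build_opener() live in urllib.request. The loopback server, the `/team` and `/staff` paths and the names `Demo`, `fetch` and `run_exchange` are assumptions made for the demonstration; the realm and credentials are the page's.

```python
import base64
import hmac
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

REALM, USERS = "voetbal", {b"guido": b"vanOranje!"}   # values from the page
NO_ACCESS = "/staff"   # constructed path: valid login but no permission

class Demo(BaseHTTPRequestHandler):
    seen = []   # every Authorization header the server received
    def do_GET(self):
        header = self.headers.get("Authorization")
        Demo.seen.append(header)
        user = password = b""
        if header and header.startswith("Basic "):
            try:   # the token is plain base64, so the server just decodes it
                raw = base64.b64decode(header[6:], validate=True)
                user, _, password = raw.partition(b":")   # password may contain ':'
            except ValueError:
                pass   # malformed token is treated like missing credentials
        known = user in USERS and hmac.compare_digest(USERS[user], password)
        status = 401 if not known else 403 if self.path == NO_ACCESS else 200
        self.send_response(status)
        if status == 401:   # challenge that makes the client retry with credentials
            self.send_header("WWW-Authenticate", 'Basic realm="%s"' % REALM)
        self.send_header("Content-Length", "0")
        self.end_headers()

def fetch(base_url, path, password):
    handler = urllib.request.HTTPBasicAuthHandler()
    handler.add_password(realm=REALM, uri=base_url, user="guido", passwd=password)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}), handler)
    try:
        with opener.open(base_url + path, timeout=5) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code   # 401 (bad credentials) or 403 (no permission)

def run_exchange():
    Demo.seen = []
    cases = [("/team", "vanOranje!"), (NO_ACCESS, "vanOranje!"), ("/team", "wrong")]
    with HTTPServer(("127.0.0.1", 0), Demo) as server:   # port 0: any free port
        threading.Thread(target=server.serve_forever, daemon=True).start()
        base_url = "http://127.0.0.1:%d" % server.server_port
        try:   # status per case, plus the headers seen during the first fetch
            return [fetch(base_url, p, pw) for p, pw in cases], Demo.seen[:2]
        finally:
            server.shutdown()
```

The second value returned by `run_exchange()` shows that the opener first sends no credentials at all and only after the 401 challenge repeats the request with the same base64 token computed earlier on this page.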