Simple security between prototype iPhone app and SimpleHTTPServer REST service?

dieter dieter at handshake.de
Wed Sep 18 02:49:44 EDT 2013


Travis Griggs <travisgriggs at gmail.com> writes:

> ...
> I found a example of how to add SSL to my python service (https://gist.github.com/ubershmekel/6194556). If I can figure out how to get the right keys embedded into my iPhone app (it's just on my phone, not anyone else's), is that enough? Or should I include some sort of auth? If so, what kind? And any pointers to how to start that would be much appreciated.

This is less a Python question. What kind of authentication you
need heavily depends on which data your HTTP server publishes.
You need no authentication at all, if anyone can see this data.

There are many standards related to HTTP authentication.
Using a standard has the advantage that common components
(e.g. the browser) may have support for it.
HTTP itself defines two authentication standards - both based
an a simple "login/password" scheme: "basic" (very simple, but
prone to replay and monitoring attacks) and "digest" (more
secure but rarely used).

There is also HTTPS (that is HTTP over SSL). This is HTTP over an
encrypted communication channel. As the data transmitted
is encrypted, monitoring and replay attacks get far more difficult.
Used this way, HTTP basic authentication gets much more secure.

HTTPS is typically also used for server identification (typical
browsers warn you, if it does not trust the (HTTPS) server certificate
or the host name inside the certificate does not correspond to the
host you try to contact).
However, HTTPS can also be used with client certificates; this
usage may be an alternative to HTTP authentication.

There are a lot of further standards related to authentication:
e.g. "OpenId", "SAML2", "OpenAuth", ...


> Some have blithely replied that I should be using Flask or Tornado. I get that I'm going to hit a wall with HTTPServer and that it's more of a "toy" implementation.

This may be the part of your question which relates to Python; more
precisely to "HTTPServer". I do not have an authoritative answer for
you. I suppose (!; I am not sure) that "HTTPServer" will somehow
support basic authentication and maybe HTTPS, however, it
may not support it alone.

For "basic" authentication, you need some kind of user "database"
which records the known users with their passwords and maybe
the services those users may use.
By itself "HTTPS" does not provide (client) authentication;
for client authentication, you need again some kind of
user "database" to determine which clients (identified by the
client certificate) you want to grant any and which services.

This user "database" may be quite simple (maybe, it contains just "you") -
but Python's "HTTPServer" cannot know - and does not provide
this piece of infrastructure. You must extend Python's
"HTTPServer" to provide it.

Authentication support is a fundamental task for web frameworks.
Therefore, they contain infrastructure to facilitate this task.
This include "modules" for the implementation of the "user database"
mentioned above.


My personal recommendation: if this is the only web application
you plan to implement, you may stick with "HTTPServer".
However, if you can imagine that in the future you
will implement further web applications, then look for a
web framework. True, you will have to learn quite a bit -
but you get components that facilitate typical tasks related
to web applications (e.g. authentication).
This initial learning effort may amortise when you plan
to implement more web applications in the future.




More information about the Python-list mailing list