# HG changeset patch # User Sylvain Thénault # Date 1490693208 -7200 # Node ID 1a5fc93c81db49f5322cf022bbeb5364941406da # Parent 5c473684f056a7dd534a3c5950c46b0dc4130f1c [doc] Move content of former README.pyramid into relevant modules diff -r 5c473684f056 -r 1a5fc93c81db cubicweb/pyramid/auth.py --- a/cubicweb/pyramid/auth.py Fri Mar 24 16:57:05 2017 +0100 +++ b/cubicweb/pyramid/auth.py Tue Mar 28 11:26:48 2017 +0200 @@ -17,8 +17,74 @@ # # You should have received a copy of the GNU Lesser General Public License along # with CubicWeb. If not, see . +""" +CubicWeb AuthTkt authentication policy +-------------------------------------- -"""Authentication policies for cubicweb.pyramid.""" +When using the `cubicweb.pyramid.auth` module, which is the default in most +cases, you may have to configure the behaviour of these authentication +policies using standard's Pyramid configuration. You may want to configure in +your pyramid configuration file: + +:Session Authentication: + + This is a `AuthTktAuthenticationPolicy`_ so you may overwrite default + configuration values by adding configuration entries using the prefix + ``cubicweb.auth.authtkt.session``. Default values are: + + :: + + cubicweb.auth.authtkt.session.hashalg = sha512 + cubicweb.auth.authtkt.session.cookie_name = auth_tkt + cubicweb.auth.authtkt.session.timeout = 1200 + cubicweb.auth.authtkt.session.reissue_time = 120 + cubicweb.auth.authtkt.session.http_only = True + cubicweb.auth.authtkt.session.secure = True + + +:Persistent Authentication: + + This is also a `AuthTktAuthenticationPolicy`_. It is used when persistent + sessions are activated (typically when using the cubicweb-rememberme_ + cube). You may overwrite default configuration values by adding + configuration entries using the prefix + ``cubicweb.auth.authtkt.persistent``. Default values are: + + :: + + cubicweb.auth.authtkt.persistent.hashalg = sha512 + cubicweb.auth.authtkt.persistent.cookie_name = pauth_tkt + cubicweb.auth.authtkt.persistent.max_age = 3600*24*30 + cubicweb.auth.authtkt.persistent.reissue_time = 3600*24 + cubicweb.auth.authtkt.persistent.http_only = True + cubicweb.auth.authtkt.persistent.secure = True + + +.. Warning:: Legacy timeout values from the instance's + ``all-in-one.conf`` are **not** used at all (`` + http-session-time`` and ``cleanup-session-time``) + +.. _CubicWeb: https://www.cubicweb.org/ +.. _`cubicweb-rememberme`: \ + https://www.cubicweb.org/project/cubicweb-rememberme +.. _AuthTktAuthenticationPolicy: \ + http://docs.pylonsproject.org/projects/pyramid/en/latest/api/authentication.html#pyramid.authentication.AuthTktAuthenticationPolicy + + +Secrets +~~~~~~~ +There are a number of secrets to configure in ``pyramid.ini``. They +should be different one from each other, as explained in `Pyramid's +documentation`_. + +For the record, regarding authentication: + +:cubicweb.auth.authtkt.session.secret: This secret is used to encrypt + the authentication cookie. + +:cubicweb.auth.authtkt.persistent.secret: This secret is used to + encrypt the persistent authentication cookie. +""" import datetime import logging diff -r 5c473684f056 -r 1a5fc93c81db cubicweb/pyramid/session.py --- a/cubicweb/pyramid/session.py Fri Mar 24 16:57:05 2017 +0100 +++ b/cubicweb/pyramid/session.py Tue Mar 28 11:26:48 2017 +0200 @@ -17,8 +17,72 @@ # # You should have received a copy of the GNU Lesser General Public License along # with CubicWeb. If not, see . +""" +Web session when using pyramid +------------------------------ -"""Pyramid session factories for CubicWeb.""" +CubicWeb ``CWSession`` entity type so that sessions can be +stored in the database, which allows to run a Cubicweb instance +without having to set up a session storage (like redis or memcache) +solution. + +However, for production systems, it is greatly advised to use such a +storage solution for the sessions. + +The handling of the sessions is made by pyramid (see the +`pyramid's documentation on sessions`_ for more details). + +For example, to set up a redis based session storage, you need the +`pyramid-redis-session`_ package, then you must configure pyramid to +use this backend, by configuring the pyramid configuration file: + + +.. code-block:: ini + + [main] + cubicweb.defaults = no # we do not want to load the default cw session handling + + cubicweb.auth.authtkt.session.secret = + cubicweb.auth.authtkt.persistent.secret = + cubicweb.auth.authtkt.session.secure = yes + cubicweb.auth.authtkt.persistent.secure = yes + + redis.sessions.secret = + redis.sessions.prefix = : + + redis.sessions.url = redis://localhost:6379/0 + + pyramid.includes = + pyramid_redis_sessions + cubicweb.pyramid.auth + cubicweb.pyramid.login + + +.. Warning:: If you want to be able to log in a CubicWeb application + served by pyramid on a unsecured stream (typically when + you start an instance in dev mode using a simple + ``cubicweb-ctl pyramid -D -linfo myinstance``), you + **must** set ``cubicweb.auth.authtkt.session.secure`` to + ``no``. + +Secrets +~~~~~~~ + +There are a number of secrets to configure in ``pyramid.ini``. They +should be different one from each other, as explained in `Pyramid's +documentation`_. + +For the record, regarding session handling: + +:cubicweb.session.secret: This secret is used to encrypt the session's + data ID (data themselved are stored in the backend, database or + redis) when using the integrated (``CWSession`` based) session data + storage. + +:redis.session.secret: This secret is used to encrypt the session's + data ID (data themselved are stored in the backend, database or + redis) when using redis as backend. +""" import warnings import logging