Improvements associated with the req.ap_auth_type attribute.
------------------------------------------------------------

         Key: MODPYTHON-124
         URL: http://issues.apache.org/jira/browse/MODPYTHON-124
     Project: mod_python
        Type: Improvement
  Components: core  
    Versions: 3.3    
    Reporter: Graham Dumpleton


The "req.ap_auth_type" attribute is set to the authentication type 
corresponding to the type of authentication processing successfully carried out 
in respect of a request. For example, if one has the Apache configuration:

  AuthType Basic
  AuthName "Restricted Files"
  AuthUserFile /usr/local/apache/passwd/passwords
  Require valid-user

it is expected that the request supplies a Basic authentication header as 
appropriate. These headers are dealt with by the inbuilt Apache core module. 
Upon successful authentication, the Apache core module sets the 
"req.ap_auth_type" attribute to "Basic" and sets "req.user" to the user ID of 
the logged-in user.

If instead Apache support for digest authentication is used, e.g.:

  AuthType Digest
  ...

then the "req.ap_auth_type" attribute will be set to "Digest".

If authentication was not requested, i.e. there is no AuthType directive, 
"req.ap_auth_type" is set to Python None.

The intent is that you should be able to implement authentication handlers in 
mod_python using PythonAuthenHandler, but you can't actually do this correctly 
at the moment as there are a few things missing.

Firstly, in order to trigger the PythonAuthenHandler, you must still define the 
AuthType/AuthName/Require directives. In order to ensure that our 
authentication handler is triggered and not the builtin ones or some other one, 
the AuthType directive should specify a string other than "Basic" or "Digest". 
This would be a name we choose and can basically be anything. For example, you 
might choose a descriptive name like "Python-Basic-DBM" to denote basic 
authentication is used against a DBM database but using the Python 
authentication handler.

  AuthType Python-Basic-DBM
  AuthName "Web Application"
  Require valid-user

  PythonAuthenHandler basicdbmauth
  PythonOption basicdbmauth.UserDatabase /.../users.dbm

When the authentication handler in "basicdbmauth" is called, the 
"req.ap_auth_type" field is still None. This is because authentication hasn't 
succeeded yet.

In terms of being able to implement the authentication handler correctly, the 
first problem is that there is no way to access the actual value associated 
with the AuthType directive. This needs to be consulted to determine whether the 
authentication handler should do anything at all. Second, the value 
associated with the AuthName directive can't be determined either, and that 
value may determine which database authentication should be done against.

Thus the first lot of changes that need to be made is that the "req" object needs 
to have two new methods called "get_auth_type()" and "get_auth_name()". These will 
map to the Apache API functions called "ap_auth_type()" and "ap_auth_name()". 
Note that "ap_auth_type()" returns a different value from "req.ap_auth_type".

With those two functions, the authentication handler can then be written as:

  from mod_python import apache

  def authenhandler(req):
    # Only act when the AuthType directive names our scheme; otherwise
    # leave the request to the builtin modules or another handler.
    if req.get_auth_type() != "Python-Basic-DBM":
      return apache.DECLINED

    # The AuthName value, which may select the database to check against.
    realm = req.get_auth_name()

    # Do all the processing of Authorization header and
    # validate user etc. If not okay, return appropriate error
    # status. If okay, keep going.

    req.user = ... from header
    req.ap_auth_type = "Python-Basic-DBM"

    return apache.OK

As well as returning apache.OK, the convention is to set "req.user" and 
"req.ap_auth_type".

This is where the final problem occurs: "req.ap_auth_type" is read only 
and cannot actually be set as necessary.

Thus, in addition to adding "req.get_auth_type()" and "req.get_auth_name()", 
"req.ap_auth_type" needs to be made writable.

Having made these changes it would then actually be possible to write 
authentication handlers correctly, i.e. handlers that look at AuthType 
etc. to see whether they should be applied.
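As an added illustration (not code from this issue or from mod_python itself), here is a complete "basicdbmauth"-style handler built on the proposed "req.get_auth_type()", "req.get_auth_name()" and writable "req.ap_auth_type". It assumes those three additions, uses the real "req.headers_in" and "req.err_headers_out" mappings, replaces the DBM file with a constructed in-memory table of hashed credentials, and includes a constructed FakeRequest so it can be exercised outside Apache.

```python
import base64
import hashlib
import hmac
try:  # mod_python supplies these; the fallback values let the example run without it
    from mod_python import apache
    OK, DECLINED, HTTP_UNAUTHORIZED = apache.OK, apache.DECLINED, apache.HTTP_UNAUTHORIZED
except ImportError:
    OK, DECLINED, HTTP_UNAUTHORIZED = 0, -1, 401

AUTH_TYPE = "Python-Basic-DBM"  # must equal the AuthType directive value
def digest(realm, password):
    # Store a hash, never the plaintext (a deployment would use a slow password hash).
    return hashlib.sha256(f"{realm}:{password}".encode()).hexdigest()
# Constructed stand-in for the DBM file named by basicdbmauth.UserDatabase.
USERS = {"alice": digest("Web Application", "correct horse")}

def parse_basic_header(value):
    """Return (user, password) from 'Authorization: Basic <base64>', else None."""
    scheme, _, token = (value or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # bad base64 or bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def authenhandler(req):
    if req.get_auth_type() != AUTH_TYPE:  # not our scheme: leave it to other modules
        return DECLINED
    realm = req.get_auth_name()
    creds = parse_basic_header(req.headers_in.get("Authorization"))
    user, password = creds if creds else ("", "")
    # Hash even for unknown users so a bad name costs the same as a bad password.
    ok = hmac.compare_digest(USERS.get(user, digest(realm, "")), digest(realm, password))
    if not creds or user not in USERS or not ok:
        req.err_headers_out["WWW-Authenticate"] = f'Basic realm="{realm}"'
        return HTTP_UNAUTHORIZED
    req.user = user
    req.ap_auth_type = AUTH_TYPE  # needs the writable attribute this issue requests
    return OK

class FakeRequest:
    """Constructed minimal request object so the handler can be exercised offline."""
    def __init__(self, auth_type, realm, authorization=None):
        self.headers_in = {"Authorization": authorization} if authorization else {}
        self.err_headers_out, self.user, self.ap_auth_type = {}, None, None
        self._auth_type, self._realm = auth_type, realm
    def get_auth_type(self): return self._auth_type
    def get_auth_name(self): return self._realm
```

Inside Apache the DBM path would come from req.get_options()["basicdbmauth.UserDatabase"] and the handler would be referenced by the PythonAuthenHandler directive shown above.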


