Hey Dave,
either I didn't understand your proposed approach, or it doesn't work.

WSGIAuthGroupScript has the same problem as WSGIAuthUserScript, it forces the 
user initially to login, because it relies on credentials. So when I configure 
one of those two methods, I am always initially prompted for a password.

And I guess this is what we want to avoid. :wink:

I played around with the other Apache configurations, as I am not that 
confident with it, yet. And one solution which worked with two URLs, but 
without an additional proxy, could be:

~~~
    <LocationMatch "^/restricted/wsgi/">
        AuthType Basic
        AuthBasicAuthoritative off
        Require valid-user
        AuthBasicProvider wsgi
        WSGIAuthUserScript /ownforge/scripts/WSGIAuthUserScript.py
        [...]
    </LocationMatch>
    <LocationMatch "^/wsgi/">
        AuthType Basic
        AuthBasicAuthoritative off
        Require all granted
        AuthBasicProvider wsgi
        ErrorDocument 403 http://%{SERVER_NAME}:%{SERVER_PORT}/restricted/%{REQUEST_URI}
        WSGIAccessScript   /ownforge/scripts/WSGIAuthUserScript.py
        [...]
    </LocationMatch>
~~~

The trick behind it:
Host based authorization works without a login, but you have access to the 
request URI to decide if an anonymous access is allowed.
If it isn't, you return "forbidden", but redirect this outside (through 
ErrorDocument) to another location, which is then enforcing a login.

What I didn't like is the full URL in the config. But when using a local path 
(e.g.: /restricted/%{REQUEST_URI}), it didn't escape from the "LocationMatch", 
and therefore didn't work.

But besides this aspect, I find that the config and script structure is 
comprehensible.

Cheers,
Ingo
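
A sketch of the script that both directives in the config above point at, added here as an example; it is not code from Ingo's message or from Allura. It assumes `REQUEST_URI` is present in the `environ` passed to the access hook, as the message describes; `ANONYMOUS_PREFIXES` and `DEMO_USERS` are constructed placeholders for the real policy and user store.

```python
import hmac
import posixpath
from urllib.parse import unquote

# Constructed policy: path prefixes readable without a login (hypothetical).
ANONYMOUS_PREFIXES = ("/wsgi/public/",)

# Constructed credential store for the demo only; a real script would ask
# the application's user database.
DEMO_USERS = {"alice": "correct horse"}


def _normalized_path(request_uri):
    """Decode and collapse the path so '..' or '%2e%2e' cannot fake a prefix."""
    path = unquote(request_uri.split("?", 1)[0])
    if "\x00" in path or not path.startswith("/"):
        return None
    normalized = posixpath.normpath(path)
    # normpath strips the trailing slash; restore it so prefix matching works.
    if path.endswith("/") and normalized != "/":
        normalized += "/"
    return normalized


def allow_access(environ, host):
    """mod_wsgi WSGIAccessScript hook: True lets the request through without
    credentials, False yields 403 (which the ErrorDocument then redirects)."""
    path = _normalized_path(environ.get("REQUEST_URI", ""))
    if path is None:
        return False  # fail closed on anything that cannot be parsed
    return path.startswith(ANONYMOUS_PREFIXES)


def check_password(environ, user, password):
    """mod_wsgi WSGIAuthUserScript hook for the /restricted/ location:
    True = accept, False = wrong password, None = unknown user."""
    expected = DEMO_USERS.get(user)
    if expected is None:
        return None
    return hmac.compare_digest(expected.encode(), password.encode())
```

The access hook fails closed: a missing, relative or traversal-style URI is treated as not anonymous, so the request falls through to the login-enforcing location instead of being served.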


---

**[tickets:#8352] Convert ApacheAccessHandler.py from mod_python to mod_wsgi**

**Status:** open
**Milestone:** unreleased
**Labels:** py3 
**Created:** Wed Feb 26, 2020 07:54 PM UTC by Dave Brondsema
**Last Updated:** Mon Feb 08, 2021 08:45 PM UTC
**Owner:** nobody


mod_wsgi is how we run the main app, mod_python is very old school and we 
shouldn't be using it.

Recent versions of Ubuntu look like they drop support for mod_python anyway 
rather than supporting it on python3: 
https://bugs.launchpad.net/ubuntu/+source/libapache2-mod-python/+bug/1735368  
Although mod_python does work with python 3, it'd just have to be built 
manually.

