On 29. Aug, 2013, at 17:45, Olemis Lang wrote:
> On 8/29/13, Matevž Bradač <[email protected]> wrote:
>> On 29. Aug, 2013, at 3:54, Olemis Lang wrote:
> [...]
>>>
>>> (My) conclusions are that in spite of making auth compatible with BH
>>> default install tracd must be modified in such a way that /login path
>>> will be excluded from HTTP digest auth zone , as opposed to everything
>>> else under that path e.g. /login/rpc
>>>
>>> The question is how to achieve this ? By introducing a new parameter
>>> in tracd ? By supplying a regular expression ? Any other suggestions ?
>>> Does this deserve to be backported to Trac (afaict, this will be an
>>> issue for similar Trac deployments too) ?
>>
>> Would it help to use the HttpAuthPlugin[1] for this?
>
> For running the test suite ? It seems to me it's too much to add
> another dependency + config just for this ; and this also implies that
> users trying to deploy RPC plugin behind tracd will also have to
> install that plugin .
>
> By adding an option in tracd to apply auth for /login/.* and ignore
> /login is easy and straightforward .
Sorry for being unclear - I didn't mean just for running the test suite.
You mentioned that by starting tracd with --auth this would also affect all
deployments using RPC ("either trachacks:AccountManager will be useless or
it will be impossible to perform authenticated RPC requests").
I assumed that using HttpAuthPlugin would have possibly resolved both problems.
>
>> At least this seems to be the recommended procedure[2] when using the
>> XmlRpcPlugin with AccountManager.
>
> ... not anymore ... [1]_ [2]_
Thanks for the info, I missed that one.
>
>> If that's not a viable option, how about injecting our own (new)
>> middleware on top of AccountManager in order to intercept and
>> pre-process /login requests?
>>
>
> I guess this implies removing --auth and let an AccountManagerPlugin
> extension handle HTTP auth ? Is this what you mean or maybe I did not
> understand your suggestion ?
That's what I meant, but as you point out there are better alternatives.
>
> So I guess I've gathered the following alternatives so far :
>
> 1. add an option to tracd to supply a regex for auth match
> 2. similar to (1) but without a regex , just exclude /login
> 3. similar to (2) but without exposing the option as a tracd arg
>    * which reminds me of the previous patch suggested for
>      BH installer script
> 4. install HttpAuthPlugin , configure it prior to the test run, ...
> 5. write an AccountManagerPlugin extension to enforce HTTP
> digest auth on /login/.*
> 6. same as (5) but also supporting configurable regex
>
> What would you recommend ? I think I'd choose (1) , (2) or (3) because
> all others require yet another dependency in Bloodhound RPC plugin
> just to run the test suite . Needless to mention that RPC behind tracd
> will not be possible ootb, but that's another subject.
I think I'd vote for (1) or (3), the (2) seems too limiting for general use.
Having a configurable regex or list of "exclude" paths makes more sense,
especially if it's backported to trac (which IMO would be a good idea).
--
matevz
>
> [...]
>
> .. [1]
> http://trac-hacks.org/wiki/XmlRpcPlugin#ProblemswhenAccountManagerPluginisenabled
>
> .. [2] http://trac-hacks.org/ticket/3598#comment:2
>
>
> --
> Regards,
>
> Olemis - @olemislc
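
Alternative (1) from the list above, sketched as an added example that is not part of the original thread and not tracd's own code: a WSGI wrapper that sends only paths fully matching a regex through an auth layer. `RegexAuthZone`, `require_auth_header`, `sample_app` and `status_for` are hypothetical names, and the auth layer is a stand-in for a real digest authenticator.

```python
import re
from wsgiref.util import setup_testing_defaults

class RegexAuthZone:
    """Send a request through the auth layer only if PATH_INFO is in the zone."""
    def __init__(self, app, protect, pattern):
        self.app = app                   # application without authentication
        self.protected = protect(app)    # same application behind the auth layer
        self.zone = re.compile(pattern)

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        # fullmatch: the whole path must lie in the zone, so "/login" and
        # "/loginx" stay outside a "/login/.+" zone while "/login/rpc" is inside.
        target = self.protected if self.zone.fullmatch(path) else self.app
        return target(environ, start_response)

def require_auth_header(app):
    """Stand-in authenticator (assumption): challenges when no Authorization
    header is present; it does not verify a digest response."""
    def wrapped(environ, start_response):
        if "HTTP_AUTHORIZATION" not in environ:
            start_response("401 Unauthorized",
                           [("WWW-Authenticate", 'Digest realm="constructed"')])
            return [b""]
        return app(environ, start_response)
    return wrapped

def sample_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ["PATH_INFO"].encode()]

def status_for(app, path, authorization=None):
    """Run one constructed request through `app` and return the status line."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    if authorization is not None:
        environ["HTTP_AUTHORIZATION"] = authorization
    seen = []
    def start_response(status, headers, exc_info=None):
        seen.append(status)
    b"".join(app(environ, start_response))
    return seen[0]

site = RegexAuthZone(sample_app, require_auth_header, r"/login/.+")
```

With this zone, `/login` is left to the application's own form login while `/login/rpc` gets the HTTP challenge.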