[ http://issues.apache.org/jira/browse/MODPYTHON-169?page=comments#action_12423609 ] Graham Dumpleton commented on MODPYTHON-169: --------------------------------------------
At the same time as looking into how to allow mod_python to act as an auth provider, should also look into how mod_python can be allowed to use an auth provider. For example req.check_password() and req.get_realm_hash() methods which call through to whatever the auth provider is defined as for mod_python's use. This would probably need a new directive called AuthPythonProvider which would be used as: AuthPythonProvider dbm AuthDBMType SDBM AuthDBMUserFile /www/etc/dbmpasswd In other words, the Apache directive external to Python code specifies to what auth provider the request methods get redirected. > Add feature to allow mod_python to be an auth provider. > ------------------------------------------------------- > > Key: MODPYTHON-169 > URL: http://issues.apache.org/jira/browse/MODPYTHON-169 > Project: mod_python > Issue Type: New Feature > Components: core > Reporter: Graham Dumpleton > Assigned To: Graham Dumpleton > > In Apache 2.2, the implementation of authentication has been split into two > parts. The first is that which handles the specifics of negotiating with a > client for a specific authentication mechanism type, for example, Basic or > Digest authentication. The second part is that which handles the specifics of > verifying the actual users credentials, for example, by looking the user up > in a dbm database, ldap or some other type of user database. > The second part of this is referred to as the auth provider and in Apache 2.2 > it is possible to hook in additional providers. This means that the any > builtin support in Apache for Basic and Digest authentication mechanism can > be used, but the verification could be done by some arbitrary user code. Such > verification could be done in Python, if mod_python allowed one to define the > necessary auth provider hooks. > To this end, proposed that mod_python be extended such that when using Apache > 2.2, that it is possible to say: > AuthType Basic > AuthName "Restricted Files" > AuthBasicProvider mod_python > PythonAuthBasicProvider somemodule > or: > AuthType Digest > AuthName "Restricted Files" > AuthDigestProvider mod_python > PythonAuthDigestProvider somemodule > That is, by specifying mod_python in conjunction with AuthBasicProvider or > AuthDigestProvider directives, it triggers mod_python to be given option of > satisfying need to perform verification of user credentials. The function to > be called for each being given by the PythonAuthBasicProvider and > PythonAuthDigestProvider respectively. > The argument to these directives would be a module name, in which case a > function of the name "authbasicprovider" or "authdigestprovider" will be > expected to exist. If wanting to specify a particular module, like in handler > directives, would also be possible to say: > PythonAuthBasicProvider somemodule::check_password > PythonAuthDigestProvider somemodule::get_realm_hash > Note that the prototype of the function for each would not be like existing > handlers and is different in each case. For the Basic auth mechanism, an > example function would be: > users = { ... } > def authbasicprovider(req, user, password): > # could consult req.auth_name() to get realm > if user not in users: > return apache.AUTH_USER_NOT_FOUND > # assuming passwords are stored in clear text > if users[user] != password: > return apache.AUTH_DENIED > return apache.AUTH_GRANTED > Exceptions would be translated into apache.AUTH_GENERAL_ERROR, or function > could explicitly return it. Could also allow explicit exception of type > apache.SERVER_RETURN like in handlers but where argument is auth values. > For Digest authentication, function would be: > def authdigestprovider(req, user, realm): > # could select database based on 'realm' > if user not in users: > return None > # assuming passwords are stored in clear text > return md5.new("%s:%s:%s" % (user, realm, users[user])).hexdigest() > In this later function, return None indicates apache.AUTH_USER_NOT_FOUND. An > apache.SERVER_RETURN exception could also be used with that value as > argument. Returning of an actual string would imply apache.AUTH_USER_FOUND. > Unexpected exceptions taken as apache.AUTH_GENERAL_ERROR, or could be raised > explicitly using apache.SERVER_RETURN exception. > What all this would mean is that you would never need to write an > authenhandler again using mod_python, as you could rely on any type of > authenhandler builtin to Apache or as as supported by some third party Apache > module. All you would need to do is supply the auth provider or Basic or > Digest authentication as necessary to support verification of the user. > -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira
