2008/9/20 Carl Nobile <[EMAIL PROTECTED]>:
> Herein lies my problem with Apache's authentication. Let's say I have a URI:
>
> /users
>
> This URI can have some subset of the six HTTP methods applied to it, for
> example:
>
> PUT will add a new user and does not require any authentication.
> GET will return a list of all users, but is only authorized by an admin
> user.
> HEAD will return the same headers as GET but no data also needing an
> authorized admin user.
> POST is not allowed at all and causes a 405 response.
> DELETE is also not allowed and causes a 405 response.
> OPTION will return a list of possible methods that can be used depending on
> the authorization level of the user.
>
> So here's the problem, how do I tell the check_password() or
> get_realm_hash() methods which HTTP methods to authenticate and which not to
> authenticate? The auth.wsgi script is completely decoupled from the rest of
> the application so it can not be influenced by that application. Or am I
> missing some obvious point here?

See if <Limit> directive within Location context (as appropriate), can be used.

<Location /some/url>
  <Limit GET>
    Require group admin
  </Limit>
  <Limit POST>
    Deny from all
  </Limit>
  ....
</Location>

May not allow exact codes you want.

Would try some things myself, but have guests coming for lunch soon. :-)

Graham

> -Carl
>
> On Fri, Sep 19, 2008 at 10:32 PM, Graham Dumpleton
> <[EMAIL PROTECTED]> wrote:
>>
>> 2008/9/20 Graham Dumpleton <[EMAIL PROTECTED]>:
>> > 2008/9/20 Carl Nobile <[EMAIL PROTECTED]>:
>> >> Alex,
>> >>
>> >> Basic auth is sent with each and every request that needs authentication.
>> >> You just add the proper headers in your request and it should all work.
>> >> Now, something else to think about is that your browser will intercept
>> >> the first auth request and pop up a window asking for username and
>> >> password (cookie data), but you will have to write some JavaScript to do
>> >> this for the user, since the user won't know what the cookie value is to
>> >> be used for the password. If you do this for every request that needs
>> >> authentication the process will all look seamless to the user.
>> >>
>> >> In other words you will have to intercept the browser's intercept. I've
>> >> never done this myself, because most of what I do is for the programmable
>> >> web (web services) that never sees a browser, but it shouldn't be all
>> >> that difficult to do.
>> >
>> > See:
>> >
>> > http://www.peej.co.uk/articles/http-auth-with-html-forms.html
>> >
>> > I'm not sure about this whole idea of sticking some sort of cookie
>> > value in place of information in Basic authentication.
>> >
>> > There is an Apache module around somewhere that provides for handling
>> > session based login across applications in different languages with
>> > user authentication being in language of choice. I remember Paste or
>> > Authkit or something having some support for it.
>> > I can't remember the name of the module right now or find it, but if do
>> > will send on details.
>>
>> This one:
>>
>> http://www.openfusion.com.au/labs/mod_auth_tkt/
>>
>> Graham
>>
>
> --
> Carl J. Nobile (Software Engineer)
> [EMAIL PROTECTED]

You received this message because you are subscribed to the Google Groups "modwsgi" group.
To post to this group, send email to modwsgi@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/modwsgi?hl=en
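
The <Limit> suggestion from the reply above, worked through for the /users case as an added example (not part of the original thread and not tested by its participants). It assumes Apache 2.2-style access directives as used in the thread, a placeholder path for auth.wsgi, a placeholder realm name, and an "admin" group supplied by whatever group source is already configured.

```apache
# Added example. Path, realm name and group source are placeholders.
<Location /users>
    AuthType Basic
    AuthName "users"
    AuthBasicProvider wsgi
    WSGIAuthUserScript /placeholder/path/auth.wsgi

    # GET requires an authenticated member of the admin group.
    # Listing GET in <Limit> also restricts HEAD.
    <Limit GET>
        Require group admin
    </Limit>

    # PUT and OPTIONS carry no Require, so check_password() is never
    # consulted for them and they are served without credentials.

    # Refuse every other method, including ones not named anywhere
    # else. A bare <Limit POST> would leave DELETE and any extension
    # method unrestricted; <LimitExcept> closes that gap.
    <LimitExcept GET PUT OPTIONS>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Location>
```

Requests refused by Deny from all receive 403 rather than the 405 asked for in the question, which matches the caveat in the reply that the exact codes may not be available this way. The OPTIONS response also cannot vary by authorization level here, because no credentials are requested for that method.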