2008/9/20 Carl Nobile <[EMAIL PROTECTED]>:
> Herein lies my problem with Apache's authentication. Let's say I have a URI:
>
> /users
>
> This URI can have some subset of the six HTTP methods applied to it, for
> example:
>
> PUT will add a new user and does not require any authentication.
> GET will return a list of all users, but is only authorized by an admin
> user.
> HEAD will return the same headers as GET but no data, also needing an
> authorized admin user.
> POST is not allowed at all and causes a 405 response.
> DELETE is also not allowed and causes a 405 response.
> OPTIONS will return a list of possible methods that can be used depending on
> the authorization level of the user.
>
> So here's the problem, how do I tell the check_password() or
> get_realm_hash() methods which HTTP methods to authenticate and which not to
> authenticate? The auth.wsgi script is completely decoupled from the rest of
> the application so it can not be influenced by that application. Or am I
> missing some obvious point here?

See if the <Limit> directive within a Location context (as appropriate) can be used.

  <Location /some/url>
    <Limit GET>
    Require group admin
    </Limit>

    <Limit POST>
    Deny from all
    </Limit>

    ....
  </Location>

May not allow the exact codes you want.

Would try some things myself, but have guests coming for lunch soon. :-)

Graham

> -Carl
>
> On Fri, Sep 19, 2008 at 10:32 PM, Graham Dumpleton
> <[EMAIL PROTECTED]> wrote:
>>
>> 2008/9/20 Graham Dumpleton <[EMAIL PROTECTED]>:
>> > 2008/9/20 Carl Nobile <[EMAIL PROTECTED]>:
>> >> Alex,
>> >>
>> >> Basic auth is sent with each and every request that needs
>> >> authentication. You just add the proper headers in your request and it
>> >> should all work. Now, something else to think about is that your
>> >> browser will intercept the first auth request and pop up a window
>> >> asking for username and password (cookie data), but you will have to
>> >> write some JavaScript to do this for the user, since the user won't
>> >> know what the cookie value is to be used for the password. If you do
>> >> this for every request that needs authentication the process will all
>> >> look seamless to the user.
>> >>
>> >> In other words you will have to intercept the browser's intercept. I've
>> >> never done this myself, because most of what I do is for the
>> >> programmable web (web services) that never sees a browser, but it
>> >> shouldn't be all that difficult to do.
>> >
>> > See:
>> >
>> >  http://www.peej.co.uk/articles/http-auth-with-html-forms.html
>> >
>> > I'm not sure about this whole idea of sticking some sort of cookie
>> > value in place of information in Basic authentication.
>> >
>> > There is an Apache module around somewhere that provides for handling
>> > session based login across applications in different languages with
>> > user authentication being in language of choice. I remember Paste or
>> > Authkit or something having some support for it. I can't remember the
>> > name of the module right now or find it, but if I do will send on
>> > details.
>>
>> This one:
>>
>>  http://www.openfusion.com.au/labs/mod_auth_tkt/
>>
>> Graham
>>
>>
>
>
>
> --
> -------------------------------------------------------------------------------
> Carl J. Nobile (Software Engineer)
> [EMAIL PROTECTED]
> -------------------------------------------------------------------------------
>
> >
>
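The <Limit> approach Graham suggests, written out for the /users method matrix Carl describes, as an added example that is not part of the thread. It uses Apache 2.2 syntax together with mod_wsgi's Basic auth and group hooks; the script paths and the group name are assumptions, and it goes one step beyond the post by using <LimitExcept> so that every method not explicitly allowed (not just POST and DELETE) is refused.

```apache
# Added example (not from the thread). Paths and the "admin" group
# are assumptions; adjust to the deployment.
WSGIScriptAlias /users /var/www/app/users.wsgi

<Location /users>
    # Basic auth backed by check_password() in auth.wsgi, and
    # Require group backed by groups_for_user() in the same script.
    AuthType Basic
    AuthName "users"
    AuthBasicProvider wsgi
    WSGIAuthUserScript /var/www/app/auth.wsgi
    WSGIAuthGroupScript /var/www/app/auth.wsgi

    # GET and HEAD: the Require only applies to the listed methods,
    # so only these two trigger the auth.wsgi password/group checks.
    <Limit GET HEAD>
        Require group admin
    </Limit>

    # PUT: no Require is in scope for this method, so Apache never
    # asks for credentials and the request reaches the application.

    # Everything else (POST, DELETE, and any method not listed above,
    # e.g. TRACE or PROPFIND) is refused before reaching the app.
    # Note: Apache answers 403 here, not the 405 Carl asked for.
    <LimitExcept GET HEAD PUT>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Location>
```

OPTIONS is served by Apache itself here, and its Allow header is not computed per user, so that part of the matrix cannot be expressed in configuration alone.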
