A while back we migrated our app over to mod_wsgi from mod_python. We had been using PythonAuthenHandler with mod_python previously for a custom authentication handler. I posted to the group at the time, and got some helpful feedback about using WSGIAuthUserScript or WSGIAccessScript to accomplish what we needed to do.
In the end, I had to make use of WSGIAuthUserScript because the client SSL certificate was not available via mod_ssl.var_lookup when using WSGIAccessScript. It seems mod_ssl does not make that data available until after the WSGIAccessScript has run. We need access to the client certificate to do our custom authentication, so I had to use WSGIAuthUserScript instead.

The main issue for us with using WSGIAuthUserScript was that our requests weren't actually using HTTP basic auth, so the WSGIAuthUserScript did not get run. I worked around this by setting the Authorization header on every request using mod_headers and the RequestHeader config. This seemed to work: I got the script to run this way and was able to do the authentication.

That has turned into a separate issue though, because some other requests to the web server actually do use basic auth. In this case, the Authorization header ends up getting munged by Apache: the 2 values (one actually provided, and one set via RequestHeader) are concatenated on a single header line separated by a comma. Most web apps/frameworks don't handle this at all. We end up breaking any other web app depending on basic auth that is installed alongside our mod_wsgi app under Apache (such as a Rails app, for instance). The RequestHeader config has to be at the server level in the Apache config, because I had to use the "early" keyword to get the header to be applied early enough in the request lifecycle so that the WSGIAuthUserScript would get run.

My question is, is there a cleaner or easier way to do what I'm trying to do using just mod_wsgi? I just need to set a Python script to run for a <Directory> stanza in my Apache config to either allow or deny access (with the client certificate available if one was supplied) on every request that is handled by that <Directory>. Is this functionality something that could easily be added to mod_wsgi, perhaps through a different Apache access hook?
I wouldn't mind helping with that effort if I could get a few pointers. Thanks.
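
The header merge described in the post above, shown as an added example that is not part of the original message: a strict Basic-auth parser of the kind most frameworks use rejects the comma-joined value, while splitting the value first recovers each credential. The credential values, the merge order and all function names are constructed for illustration.

```python
import base64
import binascii


def make_basic(user, password):
    """Build a 'Basic <base64>' Authorization value (used for the constructed samples)."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic(header_value):
    """Strictly parse ONE Basic credential; raise ValueError on anything else."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    try:
        # validate=True rejects non-alphabet bytes such as ',' and ' '
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic token") from exc
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' in credentials")
    return user, password


def split_merged(header_value):
    """Split a comma-joined Authorization value into separate Basic credentials.

    Only valid when every part is Basic: base64 tokens cannot contain commas,
    but other schemes (for example Digest) use commas inside one credential.
    """
    parts = [p.strip() for p in header_value.split(",") if p.strip()]
    if not all(p.lower().startswith("basic ") for p in parts):
        raise ValueError("non-Basic credential present; refusing to split")
    return parts


# Constructed samples: one value sent by the client, one added by the server config.
CLIENT = make_basic("alice", "s3cret")
INJECTED = make_basic("placeholder", "placeholder")
MERGED = f"{CLIENT}, {INJECTED}"  # merge order is an assumption

if __name__ == "__main__":
    print("single :", parse_basic(CLIENT))
    try:
        parse_basic(MERGED)
    except ValueError as err:
        print("merged :", err)
    print("split  :", [parse_basic(p) for p in split_merged(MERGED)])
```

An application that sees more than one credential after splitting cannot tell which one the client actually sent, so rejecting the request is the safer default.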
