On 04/06/2014, at 11:35 PM, Graham Dumpleton <[email protected]> wrote:
>
> On 04/06/2014, at 11:24 PM, [email protected] wrote:
>
>> Hello,
>>
>> I'm about to migrate an old mod_python PythonAuthenHandler to a
>> WSGIAuthUserScript
>>
>> In PythonAuthenHandler I could do something like this to map the name of
>> the authenticated user:
>>
>> def authenhandler(req):
>>     ....
>>     req.user="newname"
>>
>> Now with WSGIAuthUserScript a change of the user variable does not seem to
>> end up in the REMOTE_USER environment variable
>> of the script generating the actual web-page.
>>
>> Any idea on how to do this?
>
> Right now there isn't a simple way to pass back an alternate name to use for
> the user.
>
> The issue has been discussed before a long time ago but I can't remember the
> outcome.
>
> Looking at the code just then I can see three possibilities, but it is late
> here and I need to sleep first before I look at it properly.

So here are the things that could be done.

1. I once wrote SWIG bindings for Apache which in conjunction with the WSGIPassApacheRequest directive can be used to update the req->user attribute. Probably not a good option at this point as the bindings haven't been updated for a very long time due to lack of interest.

2. Write a C extension module for Python which in conjunction with the WSGIPassApacheRequest directive can be used to update the req->user attribute. I likely even wrote one at one point, although no idea where it may be now. Could possibly be lost in my email or in the mod_wsgi mailing list archive.

3. I simply modify the check_password() callback wrapper to allow an alternate user to be provided in some way.

A nice way to do this was what prior discussions covered.

Right now the check_password() callback can return the following values, which map to Apache results as shown.

    None - AUTH_USER_NOT_FOUND
    True - AUTH_GRANTED
    False - AUTH_DENIED

There have only ever been two use cases come up for being able to return anything else.

The first is the ability to change the HTTP status code used when someone is denied. People have wanted to make it be 403 Forbidden. Unfortunately that simply isn't possible because the Apache auth provider mechanism doesn't allow changing the HTTP status response. It will always return 401 Unauthorized to give the option of providing credentials again. This is the correct behaviour as 403 only belongs in an authorisation scheme, not an authentication scheme.

The second is the ability to return a value to be used for req->user when authentication passes and the user is granted access. This is what you want.

Although it is overriding the type of return values even further, technically there is no reason it couldn't allow the following.

    None - AUTH_USER_NOT_FOUND
    True - AUTH_GRANTED
    string - AUTH_GRANTED and req->user set to str.
    False - AUTH_DENIED

May not be pretty, but gets the job done.

Comments?

Graham
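The return-value scheme proposed in the message above, modelled in plain Python as an added example (not part of the original e-mail and not mod_wsgi's own code). `check_password(environ, user, password)` is the auth script callback; `interpret()`, the `USERS` table and the fail-closed handling of empty strings and unexpected types are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data: login alias -> (canonical name, SHA-256 of password).
# A real script would verify against a salted, slow password hash instead.
USERS = {
    "jsmith": ("john.smith", hashlib.sha256(b"s3cret").hexdigest()),
}


def check_password(environ, user, password):
    """Auth script callback using the return values proposed in the message."""
    entry = USERS.get(user.lower())
    if entry is None:
        return None                      # AUTH_USER_NOT_FOUND
    canonical, stored = entry
    supplied = hashlib.sha256(password.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(supplied, stored):
        return False                     # AUTH_DENIED
    return canonical                     # AUTH_GRANTED, req->user replaced


def interpret(result, user):
    """Hypothetical model of the wrapper: returns (status, req->user value)."""
    if result is None:
        return ("AUTH_USER_NOT_FOUND", None)
    if result is True:
        return ("AUTH_GRANTED", user)    # name supplied by the client is kept
    if isinstance(result, str) and result:
        return ("AUTH_GRANTED", result)  # mapped name becomes REMOTE_USER
    # False, an empty string and any other type fail closed (assumption).
    return ("AUTH_DENIED", None)


def authenticate(user, password):
    """Run the callback and interpret its result as the wrapper would."""
    return interpret(check_password({}, user, password), user)
```

Testing the result by type and identity rather than truthiness matters here: once strings are accepted, a truthiness test would grant access for any non-empty value a buggy script returns, and an empty string would be indistinguishable from False.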
