I don't remember exactly how digest auth works, but it worries me that you are generating a hash as the return value which doesn't have a password as input. I suspect that Apache or something is going to compare that hash with one generated from what the browser submitted and they need to match. Can't see how they would match with what you are doing.

Graham

> On 15 Jun 2021, at 11:38 am, Neil Verkland <[email protected]> wrote:
>
> I'm attempting to use mod_wsgi for Authen (Digest) only. Once Authen is complete, all other scripts in the Apache directories will be served as CGIs or static files (or mod_proxy will pass the request on).
>
> At present (with the configs below) the WSGI (Digest) authentication script is being executed and is returning a hex-digest of an md5 sum of 'user:pass:realm' (we can see this in the logs and code is provided below); however, Apache is presenting the user with the login form each and every time authentication is successfully completed.
>
> Some things to note: The password (in this case) isn't a password at all. It is an encrypted cookie that is found in the HTTP_COOKIE variable. The process of validating that cookie is to send it over TCP to a proprietary java-validation process.
>
> Can anyone see (in the configs and code below) where I have missed telling Apache that the Authentication was successful?
>
> CONFIG httpd.conf:
> <LocationMatch "^/private/">
>     Options Indexes FollowSymLinks ExecCGI
>     AuthType Digest
>     #REALM PrivateArea
>     AuthName PrivateArea
>     AuthDigestProvider wsgi
>     WSGIAuthUserScript /sites/www-python/lib/auth/plugin.py
>     Require valid-user
>     RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER},NS]
>     RequestHeader set X-WEBAUTH-USER "%{PROXY_USER}e"
> </LocationMatch>
>
> CODE plugin.py:
> import hashlib
> import http.cookies
>
> def get_realm_hash(environ, user, realm):
>     C = http.cookies.SimpleCookie()
>     C.load(environ.get('HTTP_COOKIE',''))
>     cval = ''
>     if not 'rocacheauth' in C:
>         writelog("cookie not present")
>         return None
>     if 'rocacheauth' in C:
>         cval = C['rocacheauth'].value
>     port = 2500
>     writelog(f"cookie value: {cval}")
>     userdata = findSession(cval) # look on disk for saved session
>     if userdata: return(digest(userdata,realm))
>     writelog(f"session not found")
>     userdata = verifyCookie(cval,port=port)
>     if userdata:
>         writeSession(cval,userdata) #save to disk
>         return(digest(userdata,realm))
>     writelog(f"session not validated")
>     return None
>
> def digest(userdata,realm):
>     hasher = hashlib.md5()
>     uname = userdata[5]
>     ustr = f'{uname}:barkbark:{realm}'
>     writelog(f"validated user:{uname}")
>     hasher.update(ustr.encode('UTF-8'))
>     dgest = hasher.hexdigest()
>     writelog(f"digest :{dgest}")
>     return(dgest)
>
> LOG1 OUTPUT:
> # (user does not have a saved session on disk)
> # login form is presented
> 2021-06-14 17:28:19,326 - authn_plugin - INFO - validated user:nv596r
> 2021-06-14 17:28:19,327 - authn_plugin - INFO - digest :7159b4ae7e3c2bd736dcf7c9c03d8e64
> # login form is presented AGAIN
>
> LOG2 OUTPUT:
> # (user does have a saved session on disk):
> # login form is presented
> 2021-06-14 17:47:54,318 - authn_plugin - INFO - Session Located nv596r
> 2021-06-14 17:47:54,318 - authn_plugin - INFO - validated user:nv596r
> 2021-06-14 17:47:54,319 - authn_plugin - INFO - digest :9633784b6851713b93506f3201fd53b9
> # login form is presented AGAIN
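
The comparison described in the reply above, worked through with the RFC 2617 formulas (qop=auth) as an added example that is not part of the thread or of mod_wsgi. The user name, realm and the constant `barkbark` come from the quoted post; the typed password, URI, nonce and cnonce are constructed values, and the function names are hypothetical.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1(user, realm, password):
    # RFC 2617: HA1 = MD5(username ":" realm ":" password)
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    # RFC 2617 with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def server_accepts(provider_hash, client_response, req):
    # Server side: rebuild the response from the provider's hash and compare.
    expected = digest_response(provider_hash, **req)
    return hmac.compare_digest(expected, client_response)

def scenario():
    user, realm = "nv596r", "PrivateArea"   # from the quoted post
    typed = "typed-by-user"                 # constructed: what the user entered
    req = dict(method="GET", uri="/private/index.html",  # constructed request
               nonce="c0ffee", nc="00000001", cnonce="abc123")
    # Browser side: it only knows what was typed into the login form.
    client = digest_response(ha1(user, realm, typed), **req)
    providers = {
        # Shape used in the post: user:constant:realm, no typed password.
        "thread_style": md5_hex(f"{user}:barkbark:{realm}"),
        # RFC order, but still a secret the browser never used.
        "constant_secret": ha1(user, realm, "barkbark"),
        # RFC order with the same secret the browser used.
        "same_password": ha1(user, realm, typed),
    }
    return {name: server_accepts(h, client, req) for name, h in providers.items()}

if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name:16} -> {'200 OK' if ok else '401, login form again'}")
```

Only the provider hash built from the same secret the browser used, in `user:realm:password` order, reproduces the browser's response; the other two end in a repeated challenge.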
