Today I tried sending ‘barkbark’ as the password from the client. There was no behavior change. The login form is still continuously presented to the user.
Sent from my iPhone

> On Jun 14, 2021, at 9:00 PM, Neil Verkland <[email protected]> wrote:
>
> In today’s tests the client did not send ‘bark bark’. That will be the
> definitive test (tomorrow) that I spoke of.
>
> Sent from my iPhone
>
>>> On Jun 14, 2021, at 8:48 PM, Graham Dumpleton <[email protected]>
>>> wrote:
>>>
>> If mod_perl has a working solution it is possibly because they are rolling
>> their own authentication handler from scratch, whereas mod_wsgi hooks into
>> the authentication provider hooks of Apache, which has more rigid rules
>> around how the interfacing works.
>>
>> Anyway, I was wrong that you weren't providing a password, but you are
>> providing a fixed password:
>>
>>     ustr = f'{uname}:barkbark:{realm}'
>>
>> Is the client definitely sending a password of "barkbark"?
>>
>> If it is, then it possibly should work.
>>
>> Graham
>>
>>> On 15 Jun 2021, at 12:21 pm, Neil Verkland <[email protected]> wrote:
>>>
>>> It’s an interesting possibility. I’ll mess with the code (with that in
>>> mind) and see if I make any progress. If I do find that the hash has to
>>> match one that Apache is putting together then I’ll have to switch to
>>> mod-Perl where I already have a working solution.
>>>
>>> I was hoping to move to mod-wsgi so all layers would be Python based (all
>>> the cgi’s are Python based).
>>>
>>> Sent from my iPhone
>>>
>>>>> On Jun 14, 2021, at 6:52 PM, Graham Dumpleton
>>>>> <[email protected]> wrote:
>>>>>
>>>> I don't remember exactly how digest auth works, but it worries me that you
>>>> are generating a hash as return value which doesn't have a password as input.
>>>> I suspect that Apache or something is going to compare that hash with one
>>>> generated from what the browser submitted and they need to match. Can't
>>>> see how they would match with what you are doing.
>>>>
>>>> Graham
>>>>
>>>>> On 15 Jun 2021, at 11:38 am, Neil Verkland <[email protected]> wrote:
>>>>>
>>>>> I'm attempting to use mod_wsgi for Authen (Digest) only. Once Authen is
>>>>> complete, all other scripts in the Apache directories will be served as
>>>>> CGI's or static files (or mod_proxy will pass the request on).
>>>>>
>>>>> At present (with the configs below) the WSGI (Digest) authentication
>>>>> script is being executed and is returning a hex-digest of an md5 sum of
>>>>> 'user:pass:realm' (we can see this in the logs and code is provided
>>>>> below); however, Apache is presenting the user with the login form each
>>>>> and every time authentication is successfully completed.
>>>>>
>>>>> Some things to note: The password (in this case) isn't a password at all.
>>>>> It is an encrypted cookie that is found in the HTTP_COOKIE variable. The
>>>>> process of validating that cookie is to send it over TCP to a proprietary
>>>>> java-validation process.
>>>>>
>>>>> Can anyone see (in the configs and code below) where I have missed
>>>>> telling Apache that the Authentication was successful?
>>>>>
>>>>> CONFIG httpd.conf:
>>>>> <LocationMatch "^/private/">
>>>>>     Options Indexes FollowSymLinks ExecCGI
>>>>>     AuthType Digest
>>>>>     #REALM PrivateArea
>>>>>     AuthName PrivateArea
>>>>>     AuthDigestProvider wsgi
>>>>>     WSGIAuthUserScript /sites/www-python/lib/auth/plugin.py
>>>>>     Require valid-user
>>>>>     RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER},NS]
>>>>>     RequestHeader set X-WEBAUTH-USER "%{PROXY_USER}e"
>>>>> </LocationMatch>
>>>>>
>>>>> CODE plugin.py:
>>>>> import hashlib
>>>>> import http.cookies
>>>>>
>>>>> def get_realm_hash(environ, user, realm):
>>>>>     C = http.cookies.SimpleCookie()
>>>>>     C.load(environ.get('HTTP_COOKIE',''))
>>>>>     cval = ''
>>>>>     if not 'rocacheauth' in C:
>>>>>         writelog("cookie not present")
>>>>>         return None
>>>>>     if 'rocacheauth' in C:
>>>>>         cval = C['rocacheauth'].value
>>>>>     port = 2500
>>>>>     writelog(f"cookie value: {cval}")
>>>>>     userdata = findSession(cval) # look on disk for saved session
>>>>>     if userdata: return(digest(userdata,realm))
>>>>>     writelog(f"session not found")
>>>>>     userdata = verifyCookie(cval,port=port)
>>>>>     if userdata:
>>>>>         writeSession(cval,userdata) #save to disk
>>>>>         return(digest(userdata,realm))
>>>>>     writelog(f"session not validated")
>>>>>     return None
>>>>>
>>>>> def digest(userdata,realm):
>>>>>     hasher = hashlib.md5()
>>>>>     uname = userdata[5]
>>>>>     ustr = f'{uname}:barkbark:{realm}'
>>>>>     writelog(f"validated user:{uname}")
>>>>>     hasher.update(ustr.encode('UTF-8'))
>>>>>     dgest = hasher.hexdigest()
>>>>>     writelog(f"digest :{dgest}")
>>>>>     return(dgest)
>>>>>
>>>>> LOG1 OUTPUT:
>>>>> # (user does not have a saved session on disk)
>>>>> # login form is presented
>>>>> 2021-06-14 17:28:19,326 - authn_plugin - INFO - validated user:nv596r
>>>>> 2021-06-14 17:28:19,327 - authn_plugin - INFO - digest :7159b4ae7e3c2bd736dcf7c9c03d8e64
>>>>> # login form is presented AGAIN
>>>>>
>>>>> LOG2 OUTPUT:
>>>>> # (user does have a saved session on disk):
>>>>> # login form is presented
>>>>> 2021-06-14 17:47:54,318 - authn_plugin - INFO - Session Located nv596r
>>>>> 2021-06-14 17:47:54,318 - authn_plugin - INFO - validated user:nv596r
>>>>> 2021-06-14 17:47:54,319 - authn_plugin - INFO - digest :9633784b6851713b93506f3201fd53b9
>>>>> # login form is presented AGAIN

--
You received this message because you are subscribed to the Google Groups "modwsgi" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/modwsgi/BBE5195E-85C7-4069-89B2-023B3DCBC127%40gmail.com.
