[jira] Commented: (MODPYTHON-47) Digest Authorization header causes bad request error.

Tue, 22 Nov 2005 16:32:05 -0800 

    [ 
http://issues.apache.org/jira/browse/MODPYTHON-47?page=comments#action_12358319 
] 

Graham Dumpleton commented on MODPYTHON-47:
-------------------------------------------

As usual there is nearly always a way to fudge things. You could still use 
Apache HTTP digest authentication (managed by Apache) and still use 
mod_python.publisher by having an authenhandler() or earlier content handler 
which deleted the "Authorization" header so that mod_python.publisher didn't 
find it and therefore didn't barf.

  def authenhandler(req):

    if req.headers_in.has_key("Authorization"):
       del req.headers_in["Authorization"]

    ... etc.

I haven't tried this, but it should work.


> Digest Authorization header causes bad request error.
> -----------------------------------------------------
>
>          Key: MODPYTHON-47
>          URL: http://issues.apache.org/jira/browse/MODPYTHON-47
>      Project: mod_python
>         Type: Bug
>   Components: publisher
>     Versions: 3.1.4
>     Reporter: Graham Dumpleton
>     Priority: Minor

>
> If Apache is used to perform authentication, the Authorization header still 
> gets
> passed through to mod_python.publisher. Unfortunately, mod_python.publisher
> authentication code in process_auth() will attempt to decode the contents of 
> the
> Authorization header even if there are no __auth__ or __access__ hooks defined
> for authentication and access control within the published code itself.
> The consequence of this is that if Digest authentication is used for AuthType
> at level of Apache authentication, the process_auth() code will raise a bad 
> request
> error as it assumes Authorization header is always in format for Basic 
> authentication
> type and when it can't decode it, it raises an error.
> What should happen is that any decoding of Authorization should only be done
> if there is a __auth__ or __access__ hook that actually requires it. That 
> way, if some
> one uses Digest authentication at Apache configuration file level, provided 
> that no
> __auth__ or __access__ hooks are provided, there wouldn't be a problem.
> See:
>   http://www.modpython.org/pipermail/mod_python/2005-April/017911.html
>   http://www.modpython.org/pipermail/mod_python/2005-April/017912.html
> for additional information.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira

Reply via email to