Graham Dumpleton commented on MODPYTHON-124:

FWIW, where example gave:

    # Do all the processing of Authorization header and 
    # validate user etc. If not okay, return appropriate error 
    # status. If okay, keep going. 

    req.user = ... from header 
    req.ap_auth_type = "Python-Basic-DBM" 

If "req.get_basic_auth_pw()" were used to do the decoding of the 
"Authorization" header, the "req.user" and "req.ap_auth_type" fields would have 
been automatically populated with the user ID and auth type of "Basic" 

The "req.ap_auth_type" attribute still needs to be writable though if it was 
desired that totally new or unsupported authorisation schemes needed to be 

> Improvements associated with the req.ap_auth_type attribute.
> ------------------------------------------------------------
>          Key: MODPYTHON-124
>          URL: http://issues.apache.org/jira/browse/MODPYTHON-124
>      Project: mod_python
>         Type: Improvement
>   Components: core
>     Versions: 3.3
>     Reporter: Graham Dumpleton

> The "req.ap_auth_type" attribute is set to the authentication type 
> corresponding to the type of authentication processing successfully carried 
> out in respect of a request. For example,  if one has Apache configuration:
>   AuthType Basic
>   AuthName "Restricted Files"
>   AuthUserFile /usr/local/apache/passwd/passwords
>   Require valid-user
> it is expected that the request uses basic authentication header as 
> appropriate. These headers will be dealt with by inbuilt Apache core module. 
> Upon successful authentication, the Apache core module will set 
> "req.ap_auth_type" attribute to be "Basic" and set "req.user" to the user ID 
> of the logged in user.
> If instead Apache support for digest authentication was used, eg:
>   AuthType Digest
>   ...
> then "req.ap_auth_type" attribute will be set to "Digest".
> If authentication was not requested, ie., no AuthType directive, the 
> "req.ap_auth_type" is set to Python None.
> The intent is that you should be able to implement authentication handlers in 
> mod_python using PythonAuthenHandler, but you can't actually do this 
> correctly at the moment as there are a few things missing.
> Firstly, in order to trigger the PythonAuthenHandler, you must still define 
> the AuthType/AuthName/Require directives. In order to ensure that our 
> authentication handler is triggered and not the builtin ones or some other 
> one, the AuthType directive should specify a string other than "Basic" or 
> "Digest". This would be a name we choose and can basically be anything. For 
> example, you might choose a descriptive name like "Python-Basic-DBM" to 
> denote basic authentication is used against a DBM database but using the 
> Python authentication handler.
>   AuthType Python-Basic-DBM
>   AuthName "Web Application"
>   Require valid-user
>   PythonAuthenHandler basicdbmauth
>   PythonOption basicdbmauth.UserDatabase /.../users.dbm
> When the authentication handler in "basicdbmauth" is called, the 
> "req.ap_auth_type" field is still None. This is because authentication hasn't 
> succeed yet.
> In terms of being able to implement the authentication handler correctly, the 
> first problem is that there is no way to access the actual value associated 
> with the AuthType directive. This needs to be consulted to determine if the 
> authentication handler should actually do anything. Second is that the value 
> associated with the AuthName directive can't be determined either, something 
> which may influence against which database authentication should be done.
> Thus first lot of changes that need to be made are that "req" object needs to 
> have two new methods called "get_auth_type()" and "get_auth_name()". These 
> will map to the Apache API functions called "ap_auth_type()" and 
> "ap_auth_name()". Note that "ap_auth_type()" is returning a different value 
> to "req.ap_auth_type".
> With those two functions, authentication handler can then be written as:
>   def authenhandler(req):
>     if req.get_auth_type() != "Python-Basic-DBM":
>       return apache.DECLINED
>     realm = req.get_auth_name()
>     # Do all the processing of Authorization header and
>     # validate user etc. If not okay, return appropriate error
>     # status. If okay, keep going.
>     req.user = ... from header
>     req.ap_auth_type = "Python-Basic-DBM"
>     return apache.OK
> As well as returning apache.OK, convention is to set "req.user" and 
> "req.ap_auth_type".
> This is where the final problem occurs. That is that "req.ap_auth_type" is 
> read only and cannot actually be set as necessary.
> Thus in addition to "req.get_auth_type()", "req.get_auth_name()", need to 
> make "req.ap_auth_type" writable.
> Having made these changes it would then actually be possible to write 
> authentication handlers correctly, ie., whereby they correctly look at 
> AuthType etc to see whether they should be applied.

This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators:
For more information on JIRA, see:

Reply via email to