[ http://issues.apache.org/jira/browse/MODPYTHON-47?page=comments#action_12366265 ]

Graham Dumpleton commented on MODPYTHON-47:
-------------------------------------------

The simplest way of fixing this problem may be that, after changes related to 
MODPYTHON-124 are made, the publisher simply not try and authenticate users 
if req.ap_auth_type is not None.

In other words, if AuthType directive has been defined assume that something 
else is handling authentication and that publisher doesn't have to worry about 
it. This will mean publisher will not redundantly decode authorisation header 
if AuthType was Basic and was being handled explicitly by mod_auth in Apache 
and outside of the publisher.

Thus, insert at start of process_auth():

  if req.ap_auth_type:
    return realm, user, passwd

> Digest Authorization header causes bad request error.
> -----------------------------------------------------
>
>          Key: MODPYTHON-47
>          URL: http://issues.apache.org/jira/browse/MODPYTHON-47
>      Project: mod_python
>         Type: Bug
>   Components: publisher
>     Versions: 3.1.4
>     Reporter: Graham Dumpleton
>     Priority: Minor
>
> If Apache is used to perform authentication, the Authorization header still
> gets passed through to mod_python.publisher. Unfortunately, mod_python.publisher
> authentication code in process_auth() will attempt to decode the contents of
> the Authorization header even if there are no __auth__ or __access__ hooks
> defined for authentication and access control within the published code itself.
> The consequence of this is that if Digest authentication is used for AuthType
> at level of Apache authentication, the process_auth() code will raise a bad
> request error as it assumes Authorization header is always in format for Basic
> authentication type and when it can't decode it, it raises an error.
> What should happen is that any decoding of Authorization should only be done
> if there is a __auth__ or __access__ hook that actually requires it. That way,
> if someone uses Digest authentication at Apache configuration file level,
> provided that no __auth__ or __access__ hooks are provided, there wouldn't be
> a problem.
> See:
>   http://www.modpython.org/pipermail/mod_python/2005-April/017911.html
>   http://www.modpython.org/pipermail/mod_python/2005-April/017912.html
> for additional information.

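Added example, not part of the original message and not mod_python's own code: a sketch of the failure described in the issue (a Digest header decoded as if it were Basic) next to a guarded version that applies the req.ap_auth_type check from the comment. FakeRequest, BadRequest, the function names and the sample headers are constructed for illustration, and the scheme check is an extra assumption beyond the proposed guard.

```python
import base64

# Constructed sample headers ("alice:secret" is a made-up credential).
BASIC_HEADER = "Basic YWxpY2U6c2VjcmV0"
DIGEST_HEADER = 'Digest username="alice", realm="r", nonce="abc", uri="/", response="0f"'

class BadRequest(Exception):
    """Stands in for the bad request error the publisher raises."""

class FakeRequest:
    """Hypothetical stand-in for the request object, not mod_python's class."""
    def __init__(self, authorization=None, ap_auth_type=None):
        self.headers_in = {"Authorization": authorization} if authorization else {}
        self.ap_auth_type = ap_auth_type

def _decode_basic(payload):
    # Strict base64 decode, then split "user:password" at the first colon.
    try:
        raw = base64.b64decode(payload.strip(), validate=True)
        user, passwd = raw.decode("latin-1").split(":", 1)
    except ValueError:  # binascii.Error is a ValueError subclass
        raise BadRequest("cannot decode Authorization header")
    return user, passwd

def naive_credentials(req):
    """Reported behaviour: whatever follows the scheme is decoded as Basic."""
    header = req.headers_in.get("Authorization")
    if header is None:
        return None, None
    return _decode_basic(header.partition(" ")[2])

def guarded_credentials(req):
    """Decode only when Apache is not authenticating and the scheme is Basic."""
    if req.ap_auth_type:  # guard proposed in the comment above
        return None, None
    header = req.headers_in.get("Authorization")
    if header is None:
        return None, None
    scheme, _, payload = header.partition(" ")
    if scheme.lower() != "basic":  # extra check assumed here, not in the comment
        return None, None
    return _decode_basic(payload)
```

With the guard in place, a request already authenticated by Apache with AuthType Digest passes through without the publisher touching the header, while a Basic header with no AuthType set is still decoded as before.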