[ http://issues.apache.org/jira/browse/MODPYTHON-124?page=all ]
Graham Dumpleton updated MODPYTHON-124:
---------------------------------------
Fix Version: 3.3
Assign To: Graham Dumpleton
> Improvements associated with the req.ap_auth_type attribute.
> ------------------------------------------------------------
>
> Key: MODPYTHON-124
> URL: http://issues.apache.org/jira/browse/MODPYTHON-124
> Project: mod_python
> Type: Improvement
> Components: core
> Versions: 3.3
> Reporter: Graham Dumpleton
> Assignee: Graham Dumpleton
> Fix For: 3.3
>
> The "req.ap_auth_type" attribute is set to the authentication type
> corresponding to the type of authentication processing successfully carried
> out in respect of a request. For example, if one has Apache configuration:
> AuthType Basic
> AuthName "Restricted Files"
> AuthUserFile /usr/local/apache/passwd/passwords
> Require valid-user
> it is expected that the request uses basic authentication header as
> appropriate. These headers will be dealt with by inbuilt Apache core module.
> Upon successful authentication, the Apache core module will set
> "req.ap_auth_type" attribute to be "Basic" and set "req.user" to the user ID
> of the logged in user.
> If instead Apache support for digest authentication was used, eg:
> AuthType Digest
> ...
> then "req.ap_auth_type" attribute will be set to "Digest".
> If authentication was not requested, ie., no AuthType directive, the
> "req.ap_auth_type" is set to Python None.
> The intent is that you should be able to implement authentication handlers in
> mod_python using PythonAuthenHandler, but you can't actually do this
> correctly at the moment as there are a few things missing.
> Firstly, in order to trigger the PythonAuthenHandler, you must still define
> the AuthType/AuthName/Require directives. In order to ensure that our
> authentication handler is triggered and not the builtin ones or some other
> one, the AuthType directive should specify a string other than "Basic" or
> "Digest". This would be a name we choose and can basically be anything. For
> example, you might choose a descriptive name like "Python-Basic-DBM" to
> denote basic authentication is used against a DBM database but using the
> Python authentication handler.
> AuthType Python-Basic-DBM
> AuthName "Web Application"
> Require valid-user
> PythonAuthenHandler basicdbmauth
> PythonOption basicdbmauth.UserDatabase /.../users.dbm
> When the authentication handler in "basicdbmauth" is called, the
> "req.ap_auth_type" field is still None. This is because authentication hasn't
> succeed yet.
> In terms of being able to implement the authentication handler correctly, the
> first problem is that there is no way to access the actual value associated
> with the AuthType directive. This needs to be consulted to determine if the
> authentication handler should actually do anything. Second is that the value
> associated with the AuthName directive can't be determined either, something
> which may influence against which database authentication should be done.
> Thus first lot of changes that need to be made are that "req" object needs to
> have two new methods called "get_auth_type()" and "get_auth_name()". These
> will map to the Apache API functions called "ap_auth_type()" and
> "ap_auth_name()". Note that "ap_auth_type()" is returning a different value
> to "req.ap_auth_type".
> With those two functions, authentication handler can then be written as:
> def authenhandler(req):
> if req.get_auth_type() != "Python-Basic-DBM":
> return apache.DECLINED
> realm = req.get_auth_name()
> # Do all the processing of Authorization header and
> # validate user etc. If not okay, return appropriate error
> # status. If okay, keep going.
> req.user = ... from header
> req.ap_auth_type = "Python-Basic-DBM"
> return apache.OK
> As well as returning apache.OK, convention is to set "req.user" and
> "req.ap_auth_type".
> This is where the final problem occurs. That is that "req.ap_auth_type" is
> read only and cannot actually be set as necessary.
> Thus in addition to "req.get_auth_type()", "req.get_auth_name()", need to
> make "req.ap_auth_type" writable.
> Having made these changes it would then actually be possible to write
> authentication handlers correctly, ie., whereby they correctly look at
> AuthType etc to see whether they should be applied.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
