[ https://issues.apache.org/jira/browse/MODPYTHON-169?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12504708 ]
Paul Jongsma commented on MODPYTHON-169: ---------------------------------------- Graham, thank you for the insight. It would be great if mod_python could be used as an AuthProvider as currently I have some websites which use modauthmysql and this module is not available for Apache 2.2 mod_python can easily replace the modauthmysql with only a couple of lines and it would save me from maintaining an old apache 2.0 installation. Thanks Paul > Add feature to allow mod_python to be an auth provider. > ------------------------------------------------------- > > Key: MODPYTHON-169 > URL: https://issues.apache.org/jira/browse/MODPYTHON-169 > Project: mod_python > Issue Type: New Feature > Components: core > Reporter: Graham Dumpleton > Assignee: Graham Dumpleton > Attachments: add-authenticator.patch > > > In Apache 2.2, the implementation of authentication has been split into two > parts. The first is that which handles the specifics of negotiating with a > client for a specific authentication mechanism type, for example, Basic or > Digest authentication. The second part is that which handles the specifics of > verifying the actual users credentials, for example, by looking the user up > in a dbm database, ldap or some other type of user database. > The second part of this is referred to as the auth provider and in Apache 2.2 > it is possible to hook in additional providers. This means that the any > builtin support in Apache for Basic and Digest authentication mechanism can > be used, but the verification could be done by some arbitrary user code. Such > verification could be done in Python, if mod_python allowed one to define the > necessary auth provider hooks. > To this end, proposed that mod_python be extended such that when using Apache > 2.2, that it is possible to say: > AuthType Basic > AuthName "Restricted Files" > AuthBasicProvider mod_python > PythonAuthBasicProvider somemodule > or: > AuthType Digest > AuthName "Restricted Files" > AuthDigestProvider mod_python > PythonAuthDigestProvider somemodule > That is, by specifying mod_python in conjunction with AuthBasicProvider or > AuthDigestProvider directives, it triggers mod_python to be given option of > satisfying need to perform verification of user credentials. The function to > be called for each being given by the PythonAuthBasicProvider and > PythonAuthDigestProvider respectively. > The argument to these directives would be a module name, in which case a > function of the name "authbasicprovider" or "authdigestprovider" will be > expected to exist. If wanting to specify a particular module, like in handler > directives, would also be possible to say: > PythonAuthBasicProvider somemodule::check_password > PythonAuthDigestProvider somemodule::get_realm_hash > Note that the prototype of the function for each would not be like existing > handlers and is different in each case. For the Basic auth mechanism, an > example function would be: > users = { ... } > def authbasicprovider(req, user, password): > # could consult req.auth_name() to get realm > if user not in users: > return apache.AUTH_USER_NOT_FOUND > # assuming passwords are stored in clear text > if users[user] != password: > return apache.AUTH_DENIED > return apache.AUTH_GRANTED > Exceptions would be translated into apache.AUTH_GENERAL_ERROR, or function > could explicitly return it. Could also allow explicit exception of type > apache.SERVER_RETURN like in handlers but where argument is auth values. > For Digest authentication, function would be: > def authdigestprovider(req, user, realm): > # could select database based on 'realm' > if user not in users: > return None > # assuming passwords are stored in clear text > return md5.new("%s:%s:%s" % (user, realm, users[user])).hexdigest() > In this later function, return None indicates apache.AUTH_USER_NOT_FOUND. An > apache.SERVER_RETURN exception could also be used with that value as > argument. Returning of an actual string would imply apache.AUTH_USER_FOUND. > Unexpected exceptions taken as apache.AUTH_GENERAL_ERROR, or could be raised > explicitly using apache.SERVER_RETURN exception. > What all this would mean is that you would never need to write an > authenhandler again using mod_python, as you could rely on any type of > authenhandler builtin to Apache or as as supported by some third party Apache > module. All you would need to do is supply the auth provider or Basic or > Digest authentication as necessary to support verification of the user. > -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.