Thilo-Alexander Ginkel wrote:
> On Fri, Jul 31, 2009 at 13:27, 
> rupert.thurner<> wrote:
>> just as a side note, edgewall trac supports it by just taking the
>> webservers authentication, see:
>>  *
>>  * 
>>  *
> Thanks for the pointer. I agree, using the Apache mod_ssl client
> authentication feature to do the dirty work definitely makes sense
> (and this is already working for me). I am however still somewhat lost
> with regards to the authentication backend implementation. While I
> could theoretically implement a backend, which just evaluates the
> environment variables set by mod_ssl (and ignores the password
> supplied to the 'authenticate' method), this would probably still
> require the user to click on the "Login" hyperlink in the RB web UI.
> What I would prefer is some implementation, which is mostly
> transparent and automagically signs in the user when he performs the
> first page hit.
> Do you think that's technically feasible with the current
> authentication architecture (or would it require a major rewrite)?
I have an implementation of x.509 authentication working that bypasses 
the "Login" screen. I had to add a middleware class to the django site 
settings (I copied the MIDDLEWARE_CLASSES from to my and added my own middleware class). My middleware 
class has a process_request() function that uses the mod_ssl-set 
environment variables to figure out the user name, and then directly 
calls the login() function in my backend. I also haven't figured out how 
to get multiple authentication backends working nicely with Django; it 
seemed that when I didn't explicitly call the backend login() 
implementation I wanted, I randomly got the login screen anyway without 
being able to log in using my password.

There is a remaining problem that I have yet to resolve, and that is 
authenticating with my certificate from the post-review tool. I'd like 
to use a password-protected, but Python doesn't make that easy at all; I 
end up having to enter my password each time python makes a web request. 
Having post-review is definitely nice, but the web UI doesn't seem as 
opaque any more :).


You received this message because you are subscribed to the Google Groups 
"reviewboard" group.
To post to this group, send email to
To unsubscribe from this group, send email to
For more options, visit this group at

Reply via email to