Thilo-Alexander Ginkel wrote:
> On Fri, Jul 31, 2009 at 13:27,
> rupert.thurner<rupert.thur...@gmail.com> wrote:
>> just as a side note, edgewall trac supports it by just taking the
>> webservers authentication, see:
>> * http://trac.edgewall.org/browser/trunk/trac/web/auth.py.
>> * http://trac-hacks.org/wiki/SslAuthenticationPlugin
> Thanks for the pointer. I agree, using the Apache mod_ssl client
> authentication feature to do the dirty work definitely makes sense
> (and this is already working for me). I am however still somewhat lost
> with regards to the authentication backend implementation. While I
> could theoretically implement a backend, which just evaluates the
> environment variables set by mod_ssl (and ignores the password
> supplied to the 'authenticate' method), this would probably still
> require the user to click on the "Login" hyperlink in the RB web UI.
> What I would prefer is some implementation, which is mostly
> transparent and automagically signs in the user when he performs the
> first page hit.
> Do you think that's technically feasible with the current
> authentication architecture (or would it require a major rewrite)?
I have an implementation of x.509 authentication working that bypasses
the "Login" screen. I had to add a middleware class to the django site
settings (I copied the MIDDLEWARE_CLASSES from settings.py to my
settings_local.py and added my own middleware class). My middleware
class has a process_request() function that uses the mod_ssl-set
environment variables to figure out the user name, and then directly
calls the login() function in my backend. I also haven't figured out how
to get multiple authentication backends working nicely with Django; it
seemed that when I didn't explicitly call the backend login()
implementation I wanted, I randomly got the login screen anyway without
being able to log in using my password.
There is a remaining problem that I have yet to resolve, and that is
authenticating with my certificate from the post-review tool. I'd like
to use a password-protected, but Python doesn't make that easy at all; I
end up having to enter my password each time python makes a web request.
Having post-review is definitely nice, but the web UI doesn't seem as
opaque any more :).
You received this message because you are subscribed to the Google Groups
To post to this group, send email to email@example.com
To unsubscribe from this group, send email to
For more options, visit this group at