Sorry to revive this from the dead, but I'm also trying to use the 
`RemoteUserAuthBackend`, but against reviewboard 2.0.X.

I have it working from a "I can hit this site and get an account that's 
populated" perspective. We ignore the auth config when hitting any /api/ 
routes since some scripts would have to jump through hoops to do things 
other than basic auth for that endpoint. The issue I'm fighting with is 
that when the UI makes AJAX requests to the api, even though it sends the 
session cookie and id, returned from the set-cookie header, I get prompted 
for a username and password (due to the WWW-Authenticate header).

Do you have any thoughts on this?

On Tuesday, June 8, 2010 at 2:29:29 PM UTC-4, Christian Hammond wrote:
> Hi,
> Someone worked on patches long ago for this but they were never completed. 
> They're a bit outdated now given changes in Review Board.
> I don't know how your code works, but I believe Django has support for 
> HTTP Auth now (django.contrib.auth.backends.RemoteUserAuthBackend). It 
> actually doesn't completely do what we need. It'll automatically create 
> User objects for any new attempt at login, which is probably bad. What I'd 
> do is subclass this in our own file and set create_unknown_user 
> to False. I'd also create a new variable we can use to hide the Log In link 
> (maybe "hide_login_page" or something) and check that in the base.html 
> template.
> This backend must be used in conjunction with 
> django.contrib.auth.middleware.RemoteUserMiddleware. However, the 
> middleware assumes that we're absolutely using RemoteUserAuthBackend, which 
> we won't always be, so you'd also have to subclass that, override 
> process_request, and only call the parent method if the HTTP auth backend 
> is used. That middleware would need to be placed in the middleware list in 
> reviewboard/
> You'd then need to update Review Board to know about it 
> (reviewboard/admin/ and, I believe).
> Hope that helps.
> Christian
> -- 
> Christian Hammond - <javascript:>
> Review Board -
> VMware, Inc. -
> On Tue, Jun 8, 2010 at 10:27 AM, tuckermi < <javascript:>
> > wrote:
>> I am trying to configure ReviewBoard (I'm using 1.5b2) to trust the
>> REMOTE_USER environment variable that is set by apache when I use
>> basic HTTP authentication. Has anyone had luck doing something like
>> this who can steer me in the right direction? I have tried writing my
>> own backend, which seems like it is probably not the best approach,
>> but am running into some issues. Specifically, I am still prompted to
>> login with the ReviewBoard login page after I authenticate through the
>> HTTP Auth popup.
>> I would definitely prefer to use existing tools if they exist -- I
>> looked through the documentation and didn't see any mention of HTTP
>> basic auth as an authentication backend. Is there something in Django
>> that I should look at? Any suggestions would be appreciated.
>> Thanks,
>> Mike
>> --
>> Want to help the Review Board project? Donate today at 
>> Happy user? Let us know at
>> -~----------~----~----~----~------~----~------~--~---
>> To unsubscribe from this group, send email to 
>> <javascript:>
>> For more options, visit this group at 

Supercharge your Review Board with Power Pack:
Want us to host Review Board for you? Check out RBCommons:
Happy user? Let us know!
You received this message because you are subscribed to the Google Groups 
"reviewboard" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
For more options, visit

Reply via email to