Hey Christian, To add more debugging context: * If I use basic auth against the api with an existing service account, I can than use the sent cookie against the api again. * If I auth against the kerberos-protected portion, I am then not able to use the cookie against the api.
Do you have any thoughts on how I can fix this in the RemoteUserAuthBackend? Thanks, On Wed, Jul 22, 2015 at 2:55 PM, Christian Hammond <christ...@beanbaginc.com > wrote: > Hi Zach, > > I'm not really sure what's going on there. This backend isn't widely-used, > so it doesn't get a lot of testing. > > Sometimes this stuff depends on your server configuration a bit. Can you > share any modifications to the generated Apache config you may have (or any > configuration you have if it's not Apache). > > Thanks, > > Christian > > -- > Christian Hammond - christ...@beanbaginc.com > Review Board - https://www.reviewboard.org > Beanbag, Inc. - https://www.beanbaginc.com > > -----Original Message----- > From: Zach <zach...@gmail.com> > Reply: reviewboard@googlegroups.com <reviewboard@googlegroups.com>> > Date: July 22, 2015 at 8:51:55 AM > To: reviewboard <reviewboard@googlegroups.com>> > Subject: Re: Support for HTTP Auth? > > > Sorry to revive this from the dead, but I'm also trying to use the > > `RemoteUserAuthBackend`, but against reviewboard 2.0.X. > > > > I have it working from a "I can hit this site and get an account that's > > populated" perspective. We ignore the auth config when hitting any /api/ > > routes since some scripts would have to jump through hoops to do things > > other than basic auth for that endpoint. The issue I'm fighting with is > > that when the UI makes AJAX requests to the api, even though it sends the > > session cookie and id, returned from the set-cookie header, I get > prompted > > for a username and password (due to the WWW-Authenticate header). > > > > Do you have any thoughts on this? > > > > On Tuesday, June 8, 2010 at 2:29:29 PM UTC-4, Christian Hammond wrote: > > > > > > Hi, > > > > > > Someone worked on patches long ago for this but they were never > completed. > > > They're a bit outdated now given changes in Review Board. > > > > > > I don't know how your code works, but I believe Django has support for > > > HTTP Auth now (django.contrib.auth.backends.RemoteUserAuthBackend). It > > > actually doesn't completely do what we need. It'll automatically create > > > User objects for any new attempt at login, which is probably bad. What > I'd > > > do is subclass this in our own backends.py file and set > create_unknown_user > > > to False. I'd also create a new variable we can use to hide the Log In > link > > > (maybe "hide_login_page" or something) and check that in the base.html > > > template. > > > > > > This backend must be used in conjunction with > > > django.contrib.auth.middleware.RemoteUserMiddleware. However, the > > > middleware assumes that we're absolutely using RemoteUserAuthBackend, > which > > > we won't always be, so you'd also have to subclass that, override > > > process_request, and only call the parent method if the HTTP auth > backend > > > is used. That middleware would need to be placed in the middleware > list in > > > reviewboard/settings.py. > > > > > > You'd then need to update Review Board to know about it > > > (reviewboard/admin/siteconfig.py and forms.py, I believe). > > > > > > Hope that helps. > > > > > > Christian > > > > > > -- > > > Christian Hammond - chi...@chipx86.com > > > Review Board - http://www.reviewboard.org > > > VMware, Inc. - http://www.vmware.com > > > > > > > > > On Tue, Jun 8, 2010 at 10:27 AM, tuckermi > > > > wrote: > > > > > >> I am trying to configure ReviewBoard (I'm using 1.5b2) to trust the > > >> REMOTE_USER environment variable that is set by apache when I use > > >> basic HTTP authentication. Has anyone had luck doing something like > > >> this who can steer me in the right direction? I have tried writing my > > >> own backend, which seems like it is probably not the best approach, > > >> but am running into some issues. Specifically, I am still prompted to > > >> login with the ReviewBoard login page after I authenticate through the > > >> HTTP Auth popup. > > >> > > >> I would definitely prefer to use existing tools if they exist -- I > > >> looked through the documentation and didn't see any mention of HTTP > > >> basic auth as an authentication backend. Is there something in Django > > >> that I should look at? Any suggestions would be appreciated. > > >> > > >> Thanks, > > >> Mike > > >> > > >> -- > > >> Want to help the Review Board project? Donate today at > > >> http://www.reviewboard.org/donate/ > > >> Happy user? Let us know at http://www.reviewboard.org/users/ > > >> -~----------~----~----~----~------~----~------~--~--- > > >> To unsubscribe from this group, send email to > > >> reviewboard...@googlegroups.com > > >> For more options, visit this group at > > >> http://groups.google.com/group/reviewboard?hl=en > > > > > > > > > > > > > -- > > Supercharge your Review Board with Power Pack: > https://www.reviewboard.org/powerpack/ > > Want us to host Review Board for you? Check out RBCommons: > https://rbcommons.com/ > > Happy user? Let us know! https://www.reviewboard.org/users/ > > --- > > You received this message because you are subscribed to the Google > Groups "reviewboard" > > group. > > To unsubscribe from this group and stop receiving emails from it, send > an email to reviewboard+unsubscr...@googlegroups.com. > > For more options, visit https://groups.google.com/d/optout. > > > > -- Supercharge your Review Board with Power Pack: https://www.reviewboard.org/powerpack/ Want us to host Review Board for you? Check out RBCommons: https://rbcommons.com/ Happy user? Let us know! https://www.reviewboard.org/users/ --- You received this message because you are subscribed to the Google Groups "reviewboard" group. To unsubscribe from this group and stop receiving emails from it, send an email to reviewboard+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.