[modwsgi] Re: Bad header with mod_proxy, mod_wsgi and paste. Possible bug
Graham Dumpleton wrote:
> I wouldn't expect that a check of each header for embedded newline, would cause that significant a slow down. :-)

It isn't that simple. In HTTP, quoted strings and comments can contain an embedded newline if it is prefixed with a backslash, but otherwise the backslash escape mechanism cannot be used. Plus, comments can be nested recursively, so you cannot even parse them with regular expressions in theory--though, in practice, you can create a regular expression that can match up to 5 levels of nesting and that will be more than good enough.

As an optimization, you could do a simple search for a newline, and if you find one, reparse the header field to take into consideration the escaping rules mentioned above. That would be fast for the vast majority of cases where no header fields contain a newline.

I think there is also the problem that you cannot know where to parse things using the quoted-string production and where you can parse things using the TEXT production (which allows unmatched quoted strings), unless you know beforehand the BNF for the specific header field you are trying to parse.

- Brian

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups modwsgi group.
To post to this group, send email to modwsgi@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/modwsgi?hl=en
-~--~~~~--~~--~--~---
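Added example, not part of the original thread: one way to write the check Brian describes in Python, with a fast scan for CR/LF and a reparse under the quoted-string and comment escaping rules only when one is found. It assumes the caller says which fields use those productions and that values are already unfolded; the function names and sample headers are constructed for illustration.

```python
def find_unescaped_newline(value, structured=True):
    """Return the index of the first CR/LF not covered by a quoted-pair, or -1.

    structured=True  -> the field's grammar uses quoted-string and comment, so
                        backslash escapes are honoured inside them.
    structured=False -> the field is plain TEXT: no escapes, any CR/LF is bare.
    Assumption: the value has already been unfolded (no header continuation).
    """
    # Fast path from the thread: most header values contain no newline at all.
    if "\r" not in value and "\n" not in value:
        return -1

    in_quotes = False   # inside "..."
    depth = 0           # nesting level of ( ... ) comments
    i, n = 0, len(value)
    while i < n:
        ch = value[i]
        escapable = structured and (in_quotes or depth > 0)
        if ch == "\\" and escapable and i + 1 < n:
            i += 2      # a quoted-pair consumes exactly one following character
            continue
        if ch in "\r\n":
            return i
        if in_quotes:
            if ch == '"':
                in_quotes = False
        elif structured:
            if ch == '"' and depth == 0:
                in_quotes = True
            elif ch == "(":
                depth += 1
            elif ch == ")" and depth > 0:
                depth -= 1
        i += 1
    return -1


def offending_headers(headers, structured_fields):
    """Return [(name, index)] for every header holding an unescaped CR/LF."""
    wanted = {name.lower() for name in structured_fields}
    bad = []
    for name, value in headers:
        pos = find_unescaped_newline(value, name.lower() in wanted)
        if pos != -1:
            bad.append((name, pos))
    return bad


# Constructed sample headers (not taken from the thread).
SAMPLE = [
    ("Content-Type", "text/html; charset=utf-8"),
    # Escaped newline inside a nested comment: accepted.
    ("Server", "demo/1.0 (outer (inner \\\n still a comment))"),
    # Escaped backslash followed by a newline: the newline itself is bare.
    ("Warning", '199 host "a\\\\\nb"'),
    # Classic response splitting attempt: rejected.
    ("Location", "/next\r\nSet-Cookie: sid=1"),
    # TEXT field with an unmatched quote: no escape mechanism applies.
    ("X-Note", 'free "text\\\nhere'),
]

if __name__ == "__main__":
    for name, pos in offending_headers(SAMPLE, {"Server", "Warning"}):
        print(f"{name}: unescaped newline at offset {pos}")
```

The Warning sample is the case a "newline preceded by a backslash" test gets wrong, because the backslash before the newline is itself the second half of an escaped backslash.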
[modwsgi] wsgi info()
Hello,

Is there a way from modwsgi to get something similar to this: http://www.franklindigitalproperties.com/php_info.php especially the part that lists all the related modules.

Thanks,
Lucas

--
Python and OpenOffice documents and templates
http://lucasmanual.com/mywiki/OpenOffice
Fast and Easy Backup solution with Bacula
http://lucasmanual.com/mywiki/Bacula
[modwsgi] Re: Authorization
Use Basic auth maybe with SSL and put the contents of the cookie, after base64 encoded, in the spot designated for the password. As long as the server can be told what should be in the user's cookie it should work. Basic auth really doesn't care where the data comes from as long as it can be authorized properly.

But this really has nothing to do with mod_wsgi.

-Carl

On Fri, Sep 19, 2008 at 12:15 PM, Alex K [EMAIL PROTECTED] wrote:
> Hi All,
>
> I have the following task. Let's say I've authorized some user and given him a cookie. Now my user wants to retrieve the file from the server. I want to implement the following approach: Apache asks whether this request can be served, I check the request (check cookie and IP) and say yes or no and give Apache back the control over the file sharing (notice, no user/pass dialogs here, user should be authorized already).
>
> Is it possible?

--
Carl J. Nobile (Software Engineer)
[EMAIL PROTECTED]
[modwsgi] Re: Authorization
OK, thanks for the info, and one more question: How can I create a link with basic auth request or form a request in the browser, so that this link is available to end user?

Alex

On 19 Sep, 23:33, Carl Nobile [EMAIL PROTECTED] wrote:
> Implementing basic auth is fairly easy as compared to digest auth, but be aware that with basic auth your username/password (cookie value) are essentially sent in the clear; no encryption is done. Don't mistake base64 encoding for encryption as being secure, it isn't, because base64 is reversible. So it is recommended to use SSL with Basic auth.
>
> To use this with mod_wsgi you need to add WSGIPassAuthorization On to your Apache config or the relevant environment will not be passed to your app. Also be sure all the apps running in the same virtual host can be trusted or you may be opening up a security hole.
>
> Here is a fairly good explanation as to how to implement Basic auth.
> http://en.wikipedia.org/wiki/Basic_access_authentication
>
> I wrote my auth code in a decorator then just place it before the handler method; in this way any handler will pick up the same auth code, useful in a REST environment. Your mileage may be different.
>
> -Carl
>
> 2008/9/19 Alex K [EMAIL PROTECTED]
>> OK, I'll try, btw what is the common way to solve this task? My first idea was to encapsulate file sharing via the application itself (http://host.com/givemefile.py?file_id=1), but I fear about poor performance in this case.
>>
>> Alex
>>
>> On 19 Sep, 22:52, Carl Nobile [EMAIL PROTECTED] wrote:
>>> Use Basic auth maybe with SSL and put the contents of the cookie, after base64 encoded, in the spot designated for the password. As long as the server can be told what should be in the user's cookie it should work. Basic auth really doesn't care where the data comes from as long as it can be authorized properly.
>>>
>>> But this really has nothing to do with mod_wsgi.
>>>
>>> -Carl
>>>
>>> On Fri, Sep 19, 2008 at 12:15 PM, Alex K [EMAIL PROTECTED] wrote:
>>>> Hi All,
>>>>
>>>> I have the following task. Let's say I've authorized some user and given him a cookie. Now my user wants to retrieve the file from the server. I want to implement the following approach: Apache asks whether this request can be served, I check the request (check cookie and IP) and say yes or no and give Apache back the control over the file sharing (notice, no user/pass dialogs here, user should be authorized already).
>>>>
>>>> Is it possible?
>>>
>>> --
>>> Carl J. Nobile (Software Engineer)
>>> [EMAIL PROTECTED]
>
> --
> Carl J. Nobile (Software Engineer)
> [EMAIL PROTECTED]
[modwsgi] mod_wsgi + AMD64
As I understand it, I will need to build mod_wsgi for Vista 64 on the AMD64 architecture. Unfortunately I have never built a python module :)

I've tried before on MySQLdb with no luck, I think my environment is not set up properly. Anyhow, I would like to ask the community if there has been a version built for Vista 64 on AMD 64? If so, could I possibly try it out? Or if there is an easier way, let me know :)

Thanks
[modwsgi] Re: mod_wsgi + AMD64
2008/9/20 TheIvIaxx [EMAIL PROTECTED]:
> As I understand it, I will need to build mod_wsgi for Vista 64 on the AMD64 architecture. Unfortunately I have never built a python module :)

That is okay, it isn't a Python module so that will not help. It is actually worse than a Python module, it is an Apache module which embeds Python interpreter.

> I've tried before on MySQLdb with no luck, I think my environment is not set up properly. Anyhow, I would like to ask the community if there has been a version built for Vista 64 on AMD 64? If so, could I possibly try it out? Or if there is an easier way, let me know :)

Others hopefully will come to your assistance, but see:

http://code.google.com/p/modwsgi/issues/detail?id=4

Adal's scripts linked from that are the ones to build 32 bit binary modules for Windows. I don't recollect what the compiler requirements are. I recollect that there was an issue with Apache not shipping a required header file and it was necessary to manually copy that somewhere. Whether recent versions of Apache for Windows have addressed that I don't know.

Graham
[modwsgi] Re: wsgi info()
2008/9/20 Carl Nobile [EMAIL PROTECTED]:
> mod_wsgi is not a framework, so don't expect it to generate web pages for you; it is a way of using WSGI (Web Service Gateway Interface) with apache only, and is very light weight compared to other alternatives. You could get what you want from something like Django which would then sit on top of mod_wsgi. You're still going to be writing some code however.

Even so, I have thought about having in mod_wsgi a mini WSGI application which could be referenced from embedded mod_wsgi module that exists which would dump out some information. This would be useful as a means of just verifying in what context your application is running, eg. prefork/worker, embedded/daemon, multithreaded, os.environ, wsgi environ etc etc. If this existed, you would still need to have a WSGI script file that invokes it.

The problem though is that core mod_wsgi is C code only and want to keep it that way. Ie., don't want for it to be required to install separate Python modules as well. A lot of the problems people had with mod_python was because it was installing both an Apache module and Python modules into different places. I don't though cherish writing a WSGI application in C code.

What will more likely happen is that have always see having a parallel package called mod_wsgi_py which is a bunch of Python utility modules which would be useful with mod_wsgi, but not a mandatory requirement. For example, WSGI application that can dump out system information, WSGI middleware for debugging etc etc.

The current C code in mod_wsgi already caters for this existing in that when mod_wsgi is started it will try and import Python 'mod_wsgi' module and if exists, then overlay Apache module specific information on top of that module, else it will create in memory Python module instance for 'mod_wsgi' and stick the Apache module specific information in that. I just need to ship the 'mod_wsgi_py' package this was designed for. :-)

Graham

> -Carl
>
> On Fri, Sep 19, 2008 at 10:35 AM, Lukasz Szybalski [EMAIL PROTECTED] wrote:
>> Hello,
>>
>> Is there a way from modwsgi to get something similar to this: http://www.franklindigitalproperties.com/php_info.php especially the part that lists all the related modules.
>>
>> Thanks,
>> Lucas
>>
>> --
>> Python and OpenOffice documents and templates
>> http://lucasmanual.com/mywiki/OpenOffice
>> Fast and Easy Backup solution with Bacula
>> http://lucasmanual.com/mywiki/Bacula
>
> --
> Carl J. Nobile (Software Engineer)
> [EMAIL PROTECTED]
[modwsgi] Re: Authorization
2008/9/20 Alex K [EMAIL PROTECTED]:
> OK, I'll try, btw what is the common way to solve this task? My first idea was to encapsulate file sharing via the application itself (http://host.com/givemefile.py?file_id=1), but I fear about poor performance in this case.

If you use wsgi.file_wrapper extensions:

http://www.python.org/dev/peps/pep-0333/#optional-platform-specific-file-handling

for returning file content it isn't too bad with mod_wsgi as it uses sendfile() or memory mapping techniques at C code level to make it a lot more efficient.

Personally I would be more concerned about you burying the handler underneath the URL dispatching mechanism of some Python framework as they can affect performance more than you think sometimes.

Graham

> Alex
>
> On 19 Sep, 22:52, Carl Nobile [EMAIL PROTECTED] wrote:
>> Use Basic auth maybe with SSL and put the contents of the cookie, after base64 encoded, in the spot designated for the password. As long as the server can be told what should be in the user's cookie it should work. Basic auth really doesn't care where the data comes from as long as it can be authorized properly.
>>
>> But this really has nothing to do with mod_wsgi.
>>
>> -Carl
>>
>> On Fri, Sep 19, 2008 at 12:15 PM, Alex K [EMAIL PROTECTED] wrote:
>>> Hi All,
>>>
>>> I have the following task. Let's say I've authorized some user and given him a cookie. Now my user wants to retrieve the file from the server. I want to implement the following approach: Apache asks whether this request can be served, I check the request (check cookie and IP) and say yes or no and give Apache back the control over the file sharing (notice, no user/pass dialogs here, user should be authorized already).
>>>
>>> Is it possible?
>>
>> --
>> Carl J. Nobile (Software Engineer)
>> [EMAIL PROTECTED]
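Added example, not part of the original thread: the givemefile handler Alex describes, written as a WSGI application that checks a cookie bound to the client IP and then hands the open file to wsgi.file_wrapper as Graham suggests. The cookie format, SECRET, the FILES allowlist and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import os
import time
from http.cookies import CookieError, SimpleCookie
from urllib.parse import parse_qs
from wsgiref.util import FileWrapper

SECRET = b"constructed-demo-key"   # assumption: a per-deployment random secret
FILES = {}                          # allowlist: file_id -> absolute path on disk
BLOCK = 64 * 1024


def sign(user, ip, expires):
    """MAC over user, client IP and expiry, so the cookie is bound to one IP."""
    msg = f"{user}:{ip}:{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_cookie(user, ip, ttl=3600, now=None):
    """Value handed out at login (hypothetical format: user:expiry:mac)."""
    if ":" in user:
        raise ValueError("user name must not contain ':'")
    expires = int((now if now is not None else time.time()) + ttl)
    return f"{user}:{expires}:{sign(user, ip, expires)}"


def cookie_ok(environ, now=None):
    """Check the 'session' cookie against REMOTE_ADDR and the clock."""
    jar = SimpleCookie()
    try:
        jar.load(environ.get("HTTP_COOKIE", ""))
    except CookieError:
        return False
    morsel = jar.get("session")
    parts = morsel.value.split(":") if morsel else []
    if len(parts) != 3 or not parts[1].isdecimal():
        return False
    user, expires, mac = parts
    if int(expires) < (now if now is not None else time.time()):
        return False
    # Behind a reverse proxy REMOTE_ADDR is the proxy, not the end user.
    expected = sign(user, environ.get("REMOTE_ADDR", ""), int(expires))
    return hmac.compare_digest(mac.encode(), expected.encode())


def _plain(start_response, status, text):
    body = text.encode()
    start_response(status, [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
    return [body]


def application(environ, start_response):
    if not cookie_ok(environ):
        return _plain(start_response, "403 Forbidden", "forbidden\n")

    # The client only ever names an id; paths come from the allowlist,
    # so "../" in file_id cannot reach the filesystem.
    query = parse_qs(environ.get("QUERY_STRING", ""))
    path = FILES.get(query.get("file_id", [""])[0])
    if path is None:
        return _plain(start_response, "404 Not Found", "not found\n")

    fh = open(path, "rb")
    size = os.fstat(fh.fileno()).st_size
    start_response("200 OK", [("Content-Type", "application/octet-stream"),
                              ("Content-Length", str(size))])
    # The server's wrapper can use sendfile()/mmap; fall back to the stdlib
    # iterator when the server does not provide one.
    wrapper = environ.get("wsgi.file_wrapper", FileWrapper)
    return wrapper(fh, BLOCK)
```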
[modwsgi] Re: Authorization
2008/9/20 Carl Nobile [EMAIL PROTECTED]:
> Implementing basic auth is fairly easy as compared to digest auth, but be aware that with basic auth your username/password (cookie value) are essentially sent in the clear; no encryption is done. Don't mistake base64 encoding for encryption as being secure, it isn't, because base64 is reversible. So it is recommended to use SSL with Basic auth.
>
> To use this with mod_wsgi you need to add WSGIPassAuthorization On to your Apache config or the relevant environment will not be passed to your app. Also be sure all the apps running in the same virtual host can be trusted or you may be opening up a security hole.
>
> Here is a fairly good explanation as to how to implement Basic auth.
> http://en.wikipedia.org/wiki/Basic_access_authentication
>
> I wrote my auth code in a decorator then just place it before the handler method; in this way any handler will pick up the same auth code, useful in a REST environment. Your mileage may be different.

In mod_wsgi, especially if you need the authentication mechanism to also cover static files served up by Apache which are outside of control of WSGI application, you should use Apache level authentication rather than implementing it yourself in your WSGI application. To achieve this, see:

http://code.google.com/p/modwsgi/wiki/AccessControlMechanisms

Benefit of doing it this way is that if using Apache 2.2, it is also easy to handle Digest authentication and know it will be implemented correctly as Apache will handle it all for you.

Graham

> -Carl
>
> 2008/9/19 Alex K [EMAIL PROTECTED]
>> OK, I'll try, btw what is the common way to solve this task? My first idea was to encapsulate file sharing via the application itself (http://host.com/givemefile.py?file_id=1), but I fear about poor performance in this case.
>>
>> Alex
>>
>> On 19 Sep, 22:52, Carl Nobile [EMAIL PROTECTED] wrote:
>>> Use Basic auth maybe with SSL and put the contents of the cookie, after base64 encoded, in the spot designated for the password. As long as the server can be told what should be in the user's cookie it should work. Basic auth really doesn't care where the data comes from as long as it can be authorized properly.
>>>
>>> But this really has nothing to do with mod_wsgi.
>>>
>>> -Carl
>>>
>>> On Fri, Sep 19, 2008 at 12:15 PM, Alex K [EMAIL PROTECTED] wrote:
>>>> Hi All,
>>>>
>>>> I have the following task. Let's say I've authorized some user and given him a cookie. Now my user wants to retrieve the file from the server. I want to implement the following approach: Apache asks whether this request can be served, I check the request (check cookie and IP) and say yes or no and give Apache back the control over the file sharing (notice, no user/pass dialogs here, user should be authorized already).
>>>>
>>>> Is it possible?
>>>
>>> --
>>> Carl J. Nobile (Software Engineer)
>>> [EMAIL PROTECTED]
>
> --
> Carl J. Nobile (Software Engineer)
> [EMAIL PROTECTED]
[modwsgi] Re: wsgi info()
Graham,

I like your approach to this; it will keep things very decoupled and would still allow a developer to generate stats on what is going on inside mod_wsgi. It would be cool to start seeing its use in something like Django's admin. The assumption here is that you would provide a Python API into the guts of mod_wsgi?

-Carl

On Fri, Sep 19, 2008 at 9:48 PM, Graham Dumpleton [EMAIL PROTECTED] wrote:
> 2008/9/20 Carl Nobile [EMAIL PROTECTED]:
>> mod_wsgi is not a framework, so don't expect it to generate web pages for you; it is a way of using WSGI (Web Service Gateway Interface) with apache only, and is very light weight compared to other alternatives. You could get what you want from something like Django which would then sit on top of mod_wsgi. You're still going to be writing some code however.
>
> Even so, I have thought about having in mod_wsgi a mini WSGI application which could be referenced from embedded mod_wsgi module that exists which would dump out some information. This would be useful as a means of just verifying in what context your application is running, eg. prefork/worker, embedded/daemon, multithreaded, os.environ, wsgi environ etc etc. If this existed, you would still need to have a WSGI script file that invokes it.
>
> The problem though is that core mod_wsgi is C code only and want to keep it that way. Ie., don't want for it to be required to install separate Python modules as well. A lot of the problems people had with mod_python was because it was installing both an Apache module and Python modules into different places. I don't though cherish writing a WSGI application in C code.
>
> What will more likely happen is that have always see having a parallel package called mod_wsgi_py which is a bunch of Python utility modules which would be useful with mod_wsgi, but not a mandatory requirement. For example, WSGI application that can dump out system information, WSGI middleware for debugging etc etc.
>
> The current C code in mod_wsgi already caters for this existing in that when mod_wsgi is started it will try and import Python 'mod_wsgi' module and if exists, then overlay Apache module specific information on top of that module, else it will create in memory Python module instance for 'mod_wsgi' and stick the Apache module specific information in that. I just need to ship the 'mod_wsgi_py' package this was designed for. :-)
>
> Graham
>
>> -Carl
>>
>> On Fri, Sep 19, 2008 at 10:35 AM, Lukasz Szybalski [EMAIL PROTECTED] wrote:
>>> Hello,
>>>
>>> Is there a way from modwsgi to get something similar to this: http://www.franklindigitalproperties.com/php_info.php especially the part that lists all the related modules.
>>>
>>> Thanks,
>>> Lucas
>>>
>>> --
>>> Python and OpenOffice documents and templates
>>> http://lucasmanual.com/mywiki/OpenOffice
>>> Fast and Easy Backup solution with Bacula
>>> http://lucasmanual.com/mywiki/Bacula
>>
>> --
>> Carl J. Nobile (Software Engineer)
>> [EMAIL PROTECTED]

--
Carl J. Nobile (Software Engineer)
[EMAIL PROTECTED]
[modwsgi] Re: Authorization
2008/9/20 Carl Nobile [EMAIL PROTECTED]:
> Alex,
>
> Basic auth is sent with each and every request that needs authentication. You just add the proper headers in your request and it should all work.
>
> Now, something else to think about is that your browser will intercept the first auth request and pop up a window asking for username and password (cookie data), but you will have to write some JavaScript to do this for the user, since the user won't know what the cookie value is to be used for the password. If you do this for every request that needs authentication the process will all look seamless to the user. In other words you will have to intercept the browser's intercept. I've never done this myself, because most of what I do is for the programmable web (web services) that never sees a browser, but it shouldn't be all that difficult to do.

See: http://www.peej.co.uk/articles/http-auth-with-html-forms.html

I'm not sure about this whole idea of sticking some sort of cookie value in place of information in Basic authentication.

There is an Apache module around somewhere that provides for handling session based login across applications in different languages with user authentication being in language of choice. I remember Paste or Authkit or something having some support for it. I can't remember the name of the module right now or find it, but if do will send on details.

Graham

> Apache when receiving the proper headers will do the auth for every request then just respond with the expected response if the auth passes, otherwise it will send a 401 Unauthorized.
>
> -Carl
>
> 2008/9/19 Alex K [EMAIL PROTECTED]
>> OK, thanks for the info, and one more question: How can I create a link with basic auth request or form a request in the browser, so that this link is available to end user?
>>
>> Alex
>>
>> On 19 Sep, 23:33, Carl Nobile [EMAIL PROTECTED] wrote:
>>> Implementing basic auth is fairly easy as compared to digest auth, but be aware that with basic auth your username/password (cookie value) are essentially sent in the clear; no encryption is done. Don't mistake base64 encoding for encryption as being secure, it isn't, because base64 is reversible. So it is recommended to use SSL with Basic auth.
>>>
>>> To use this with mod_wsgi you need to add WSGIPassAuthorization On to your Apache config or the relevant environment will not be passed to your app. Also be sure all the apps running in the same virtual host can be trusted or you may be opening up a security hole.
>>>
>>> Here is a fairly good explanation as to how to implement Basic auth.
>>> http://en.wikipedia.org/wiki/Basic_access_authentication
>>>
>>> I wrote my auth code in a decorator then just place it before the handler method; in this way any handler will pick up the same auth code, useful in a REST environment. Your mileage may be different.
>>>
>>> -Carl
>>>
>>> 2008/9/19 Alex K [EMAIL PROTECTED]
>>>> OK, I'll try, btw what is the common way to solve this task? My first idea was to encapsulate file sharing via the application itself (http://host.com/givemefile.py?file_id=1), but I fear about poor performance in this case.
>>>>
>>>> Alex
>>>>
>>>> On 19 Sep, 22:52, Carl Nobile [EMAIL PROTECTED] wrote:
>>>>> Use Basic auth maybe with SSL and put the contents of the cookie, after base64 encoded, in the spot designated for the password. As long as the server can be told what should be in the user's cookie it should work. Basic auth really doesn't care where the data comes from as long as it can be authorized properly.
>>>>>
>>>>> But this really has nothing to do with mod_wsgi.
>>>>>
>>>>> -Carl
>>>>>
>>>>> On Fri, Sep 19, 2008 at 12:15 PM, Alex K [EMAIL PROTECTED] wrote:
>>>>>> Hi All,
>>>>>>
>>>>>> I have the following task. Let's say I've authorized some user and given him a cookie. Now my user wants to retrieve the file from the server. I want to implement the following approach: Apache asks whether this request can be served, I check the request (check cookie and IP) and say yes or no and give Apache back the control over the file sharing (notice, no user/pass dialogs here, user should be authorized already).
>>>>>>
>>>>>> Is it possible?
>>>>>
>>>>> --
>>>>> Carl J. Nobile (Software Engineer)
>>>>> [EMAIL PROTECTED]
>>>
>>> --
>>> Carl J. Nobile (Software Engineer)
>>> [EMAIL PROTECTED]
>
> --
> Carl J. Nobile (Software Engineer)
> [EMAIL PROTECTED]
[modwsgi] Re: Authorization
2008/9/20 Graham Dumpleton [EMAIL PROTECTED]:
> 2008/9/20 Carl Nobile [EMAIL PROTECTED]:
>> Alex,
>>
>> Basic auth is sent with each and every request that needs authentication. You just add the proper headers in your request and it should all work.
>>
>> Now, something else to think about is that your browser will intercept the first auth request and pop up a window asking for username and password (cookie data), but you will have to write some JavaScript to do this for the user, since the user won't know what the cookie value is to be used for the password. If you do this for every request that needs authentication the process will all look seamless to the user. In other words you will have to intercept the browser's intercept. I've never done this myself, because most of what I do is for the programmable web (web services) that never sees a browser, but it shouldn't be all that difficult to do.
>
> See: http://www.peej.co.uk/articles/http-auth-with-html-forms.html
>
> I'm not sure about this whole idea of sticking some sort of cookie value in place of information in Basic authentication.
>
> There is an Apache module around somewhere that provides for handling session based login across applications in different languages with user authentication being in language of choice. I remember Paste or Authkit or something having some support for it. I can't remember the name of the module right now or find it, but if do will send on details.

This one:

http://www.openfusion.com.au/labs/mod_auth_tkt/

Graham
[modwsgi] Re: Authorization
2008/9/20 Carl Nobile [EMAIL PROTECTED]:
> Herein lies my problem with Apache's authentication. Let's say I have a URI:
>
> /users
>
> This URI can have some subset of the six HTTP methods applied to it, for example:
>
> PUT will add a new user and does not require any authentication.
> GET will return a list of all users, but is only authorized by an admin user.
> HEAD will return the same headers as GET but no data also needing an authorized admin user.
> POST is not allowed at all and causes a 405 response.
> DELETE is also not allowed and causes a 405 response.
> OPTION will return a list of possible methods that can be used depending on the authorization level of the user.
>
> So here's the problem, how do I tell the check_password() or get_realm_hash() methods which HTTP methods to authenticate and which not to authenticate? The auth.wsgi script is completely decoupled from the rest of the application so it can not be influenced by that application. Or am I missing some obvious point here?

See if Limit directive within Location context (as appropriate), can be used.

    <Location /some/url>
    <Limit GET>
    Require group admin
    </Limit>
    <Limit POST>
    Deny from all
    </Limit>
    </Location>

May not allow exact codes you want.

Would try some things myself, but have guests coming for lunch soon. :-)

Graham

> -Carl
>
> On Fri, Sep 19, 2008 at 10:32 PM, Graham Dumpleton [EMAIL PROTECTED] wrote:
>> 2008/9/20 Graham Dumpleton [EMAIL PROTECTED]:
>>> 2008/9/20 Carl Nobile [EMAIL PROTECTED]:
>>>> Alex,
>>>>
>>>> Basic auth is sent with each and every request that needs authentication. You just add the proper headers in your request and it should all work.
>>>>
>>>> Now, something else to think about is that your browser will intercept the first auth request and pop up a window asking for username and password (cookie data), but you will have to write some JavaScript to do this for the user, since the user won't know what the cookie value is to be used for the password. If you do this for every request that needs authentication the process will all look seamless to the user. In other words you will have to intercept the browser's intercept. I've never done this myself, because most of what I do is for the programmable web (web services) that never sees a browser, but it shouldn't be all that difficult to do.
>>>
>>> See: http://www.peej.co.uk/articles/http-auth-with-html-forms.html
>>>
>>> I'm not sure about this whole idea of sticking some sort of cookie value in place of information in Basic authentication.
>>>
>>> There is an Apache module around somewhere that provides for handling session based login across applications in different languages with user authentication being in language of choice. I remember Paste or Authkit or something having some support for it. I can't remember the name of the module right now or find it, but if do will send on details.
>>
>> This one:
>>
>> http://www.openfusion.com.au/labs/mod_auth_tkt/
>>
>> Graham
>
> --
> Carl J. Nobile (Software Engineer)
> [EMAIL PROTECTED]
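Added example, not part of the original thread: Carl's per-method policy for /users enforced inside the WSGI application with a Basic auth decorator, which under mod_wsgi needs WSGIPassAuthorization On so that HTTP_AUTHORIZATION reaches the app. The user store, role names and function names are constructed for illustration, and OPTIONS is used as the method name.

```python
import base64
import hashlib
import hmac


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: name -> (salt, password hash, role).
USERS = {
    "root": (b"salt-root", _hash("s3cret", b"salt-root"), "admin"),
    "bob": (b"salt-bob", _hash("hunter2", b"salt-bob"), "user"),
}


def basic_credentials(environ):
    """Decode 'Authorization: Basic ...' into (user, password), or None.

    base64 is only an encoding: anyone who sees the header can decode it the
    same way, which is why the thread recommends SSL.
    """
    scheme, _, blob = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:          # malformed base64 or invalid UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def role_of(environ):
    """Role of the authenticated caller, or None when not authenticated."""
    creds = basic_credentials(environ)
    if creds is None:
        return None
    user, password = creds
    salt, stored, role = USERS.get(user, (b"no-such-user", b"", None))
    # Hash even for unknown users so both paths do the same work.
    matches = hmac.compare_digest(_hash(password, salt), stored)
    return role if matches else None


def _reply(start_response, status, extra=()):
    start_response(status, [("Content-Length", "0"), *extra])
    return [b""]


def method_policy(policy):
    """policy maps method -> required role (None means no authentication).

    Methods missing from the policy are answered with 405.
    """
    def decorate(app):
        def wrapper(environ, start_response):
            method = environ.get("REQUEST_METHOD", "GET")
            role = role_of(environ)
            if method == "OPTIONS":
                # List only what this caller could actually use.
                usable = sorted(m for m, need in policy.items()
                                if need is None or need == role)
                return _reply(start_response, "200 OK",
                              [("Allow", ", ".join(usable))])
            if method not in policy:
                return _reply(start_response, "405 Method Not Allowed",
                              [("Allow", ", ".join(sorted(policy)))])
            need = policy[method]
            if need is not None and role is None:
                return _reply(start_response, "401 Unauthorized",
                              [("WWW-Authenticate", 'Basic realm="users"')])
            if need is not None and role != need:
                return _reply(start_response, "403 Forbidden")
            return app(environ, start_response)
        return wrapper
    return decorate


@method_policy({"PUT": None, "GET": "admin", "HEAD": "admin"})
def users(environ, start_response):
    body = b"ok\n"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]
```

Because the policy lives next to the handler, it can differ per method in a way the decoupled auth.wsgi script cannot express, at the cost of not covering static files that Apache serves directly.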
[modwsgi] Re: Authorization
Hey no problem, thanks for the tip. It may help.

Lunch? I'm going to bed soon. LOL

On Fri, Sep 19, 2008 at 11:01 PM, Graham Dumpleton [EMAIL PROTECTED] wrote:
> 2008/9/20 Carl Nobile [EMAIL PROTECTED]:
>> Herein lies my problem with Apache's authentication. Let's say I have a URI:
>>
>> /users
>>
>> This URI can have some subset of the six HTTP methods applied to it, for example:
>>
>> PUT will add a new user and does not require any authentication.
>> GET will return a list of all users, but is only authorized by an admin user.
>> HEAD will return the same headers as GET but no data also needing an authorized admin user.
>> POST is not allowed at all and causes a 405 response.
>> DELETE is also not allowed and causes a 405 response.
>> OPTION will return a list of possible methods that can be used depending on the authorization level of the user.
>>
>> So here's the problem, how do I tell the check_password() or get_realm_hash() methods which HTTP methods to authenticate and which not to authenticate? The auth.wsgi script is completely decoupled from the rest of the application so it can not be influenced by that application. Or am I missing some obvious point here?
>
> See if Limit directive within Location context (as appropriate), can be used.
>
>     <Location /some/url>
>     <Limit GET>
>     Require group admin
>     </Limit>
>     <Limit POST>
>     Deny from all
>     </Limit>
>     </Location>
>
> May not allow exact codes you want.
>
> Would try some things myself, but have guests coming for lunch soon. :-)
>
> Graham
>
>> -Carl
>>
>> On Fri, Sep 19, 2008 at 10:32 PM, Graham Dumpleton [EMAIL PROTECTED] wrote:
>>> 2008/9/20 Graham Dumpleton [EMAIL PROTECTED]:
>>>> 2008/9/20 Carl Nobile [EMAIL PROTECTED]:
>>>>> Alex,
>>>>>
>>>>> Basic auth is sent with each and every request that needs authentication. You just add the proper headers in your request and it should all work.
>>>>>
>>>>> Now, something else to think about is that your browser will intercept the first auth request and pop up a window asking for username and password (cookie data), but you will have to write some JavaScript to do this for the user, since the user won't know what the cookie value is to be used for the password. If you do this for every request that needs authentication the process will all look seamless to the user. In other words you will have to intercept the browser's intercept. I've never done this myself, because most of what I do is for the programmable web (web services) that never sees a browser, but it shouldn't be all that difficult to do.
>>>>
>>>> See: http://www.peej.co.uk/articles/http-auth-with-html-forms.html
>>>>
>>>> I'm not sure about this whole idea of sticking some sort of cookie value in place of information in Basic authentication.
>>>>
>>>> There is an Apache module around somewhere that provides for handling session based login across applications in different languages with user authentication being in language of choice. I remember Paste or Authkit or something having some support for it. I can't remember the name of the module right now or find it, but if do will send on details.
>>>
>>> This one:
>>>
>>> http://www.openfusion.com.au/labs/mod_auth_tkt/
>>>
>>> Graham
>>
>> --
>> Carl J. Nobile (Software Engineer)
>> [EMAIL PROTECTED]

--
Carl J. Nobile (Software Engineer)
[EMAIL PROTECTED]