@Austin, did you try to set CGI/WSGI variables by using SetEnv and PassEnv directives inside your apache configuration? IMHO that would make things cleaner than modifying the x509 module.
mic 2015-03-12 15:10 GMT+01:00 LoveWeb2py <[email protected]>: > @dps - I agree comments should be added. I'll put together a detailed > description of the configuration changes I had to make and the modification > needed in x509 auth to get it to work. > > -Austin > > > On Wednesday, March 11, 2015 at 1:56:58 PM UTC-4, Dave S wrote: >> >> >> >> On Wednesday, March 11, 2015 at 6:50:28 AM UTC-7, mcm wrote: >>> >>> If you do not have the email you can use the registration_id and >>> username fields. >>> Most details are on the book: http://web2py.com/books/ >>> default/chapter/29/09/access-control >>> >> >> Would it be appropriate to add some of the comments above into the >> deployment recipe chapter >> (#13 , <URL:http://www.web2py.com/books/default/chapter/29/13/ >> deployment-recipes#Apache-setup> >> since the X509 section in your link ends with >> In particular you need to tell your web server where the certificates are >> located on local host and that it needs to verify certificates coming from >> the clients. How to do it is web server dependent and therefore omitted >> here. >> >> >> /dps >> >> >>> 2015-03-11 14:08 GMT+01:00 Michele Comitini <[email protected]>: >>> >>>> You can read any of the fields a certificate contains eventually. >>>> see here for some ideas: https://code.google.com/p/simpatica/ >>>> >>>> It's a working PKI that allows to generate csr and sign them with a >>>> valid signin certificate >>>> >>>> 2015-03-11 13:48 GMT+01:00 LoveWeb2py <[email protected]>: >>>> >>>>> Once authentication happens how can I make them members of groups. I >>>>> notice now they don't have an entry in Auth user. Should I have them >>>>> register first and once they're reigstered they can use PKI >>>>> authentication? >>>>> This is uncharted waters for me so I'm trying to figure out the best >>>>> approach for it. >>>>> >>>>> On Wednesday, March 11, 2015 at 8:05:48 AM UTC-4, mcm wrote: >>>>>> >>>>>> I am glad someone is using x509 Auth, it is a very simple way to >>>>>> handle user security, >>>>>> >>>>>> One important piece of the puzzle (with apache) is: >>>>>> >>>>>> SSLVerifyClient optional >>>>>> >>>>>> The optional allows one to accept any user on the website, while >>>>>> having some web2py actions require a valid user certificate >>>>>> just by adding the standard @auth.requires_login() >>>>>> >>>>>> ## Client Authentication (Type): >>>>>> # Client certificate verification type and depth. Types are >>>>>> none, optional, >>>>>> # require and optional_no_ca. Depth is a number which >>>>>> specifies how deeply >>>>>> # to verify the certificate issuer chain before deciding the >>>>>> certificate is >>>>>> # not valid. >>>>>> #SSLVerifyClient require >>>>>> #SSLVerifyDepth 10 >>>>>> >>>>>> >>>>>> 2015-03-11 12:27 GMT+01:00 LoveWeb2py <[email protected]>: >>>>>> >>>>>>> Those are exactly the two I don't have so far from the list I saw in >>>>>>> another post I have: >>>>>>> >>>>>>> SSL_CIPHER, SSL_CLIENT_I_DN, SSL_CLIENT_CERT, SSL_CLIENT_VERIFY >>>>>>> >>>>>>> The following are not being passed (probably a problem with my >>>>>>> ssl.conf: >>>>>>> SSL_CLIENT_RAW_CERT, SSL_SESSION_ID, SSL_CLIENT_SERIAL >>>>>>> >>>>>>> Almost there! :) I'll post the fix when I find it >>>>>>> >>>>>>> >>>>>>> On Tuesday, March 10, 2015 at 7:56:45 PM UTC-4, Niphlod wrote: >>>>>>>> >>>>>>>> debug it, debug it, debug it. >>>>>>>> >>>>>>>> AFAICS, x509_auth.py requires: >>>>>>>> >>>>>>>> ssl_client_raw_cert >>>>>>>> optional ssl_client_serial >>>>>>>> >>>>>>>> On Wednesday, March 11, 2015 at 12:04:51 AM UTC+1, LoveWeb2py wrote: >>>>>>>>> >>>>>>>>> so I did {{=request.env}} and I can see the SSL DATA certificate >>>>>>>>> in another app, but for some reason the app that requires the data >>>>>>>>> isn't >>>>>>>>> being passed. Going to keep troubleshooting that app because I really >>>>>>>>> want >>>>>>>>> to use the x509 authentication with web2py!! >>>>>>>>> >>>>>>>>> for some reason the x509 auth isn't working still. Going to keep >>>>>>>>> pressing and will post a fix when I find it. Thank you so much for >>>>>>>>> your >>>>>>>>> help Niphlod. I hope this helps others in the future! >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> On Tuesday, March 10, 2015 at 6:40:29 PM UTC-4, Niphlod wrote: >>>>>>>>>> >>>>>>>>>> what if you return somewhere this dict (takes the "SSL*" env >>>>>>>>>> variables and prints it) >>>>>>>>>> >>>>>>>>>> def yourcode(): >>>>>>>>>> ......... >>>>>>>>>> debug_values = {} >>>>>>>>>> for k, v in request.env.iteritems(): >>>>>>>>>> if k.lower().startswith('ssl'): >>>>>>>>>> debug_values[k] = v >>>>>>>>>> ......... >>>>>>>>>> return dict(........., debug_values=debug_values) >>>>>>>>>> >>>>>>>>>> just to see if those gets indeed passed along. >>>>>>>>>> >>>>>>>>>> -- >>>>>>> Resources: >>>>>>> - http://web2py.com >>>>>>> - http://web2py.com/book (Documentation) >>>>>>> - http://github.com/web2py/web2py (Source code) >>>>>>> - https://code.google.com/p/web2py/issues/list (Report Issues) >>>>>>> --- >>>>>>> You received this message because you are subscribed to the Google >>>>>>> Groups "web2py-users" group. >>>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>>> send an email to [email protected]. >>>>>>> For more options, visit https://groups.google.com/d/optout. >>>>>>> >>>>>> >>>>>> -- >>>>> Resources: >>>>> - http://web2py.com >>>>> - http://web2py.com/book (Documentation) >>>>> - http://github.com/web2py/web2py (Source code) >>>>> - https://code.google.com/p/web2py/issues/list (Report Issues) >>>>> --- >>>>> You received this message because you are subscribed to the Google >>>>> Groups "web2py-users" group. >>>>> To unsubscribe from this group and stop receiving emails from it, send >>>>> an email to [email protected]. >>>>> For more options, visit https://groups.google.com/d/optout. >>>>> >>>> >>>> >>> -- > Resources: > - http://web2py.com > - http://web2py.com/book (Documentation) > - http://github.com/web2py/web2py (Source code) > - https://code.google.com/p/web2py/issues/list (Report Issues) > --- > You received this message because you are subscribed to the Google Groups > "web2py-users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. > -- Resources: - http://web2py.com - http://web2py.com/book (Documentation) - http://github.com/web2py/web2py (Source code) - https://code.google.com/p/web2py/issues/list (Report Issues) --- You received this message because you are subscribed to the Google Groups "web2py-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
