Apache Mod-Python - Commented: (MODPYTHON-47) Digest Authorization header causes bad request error.

Graham Dumpleton (JIRA)

2005-11-22, 8:47 pm

[ http://issues.apache.org/jira/brows...action_12358319 ]

Graham Dumpleton commented on MODPYTHON-47:
-------------------------------------------

As usual there is nearly always a way to fudge things. You could still use Apache HTTP digest authentication (managed by Apache) and still use mod_python.publisher by having an authenhandler() or earlier content handler which deleted the "Authorization" header so that mod_python.publisher didn't find it and therefore didn't barf.

    def authenhandler(req):

        if req.headers_in.has_key("Authorization"):
            del req.headers_in["Authorization"]

        ... etc.

I haven't tried this, but it should work.


> Digest Authorization header causes bad request error.
> -----------------------------------------------------
>
> Key: MODPYTHON-47
> URL: http://issues.apache.org/jira/browse/MODPYTHON-47
> Project: mod_python
> Type: Bug
> Components: publisher
> Versions: 3.1.4
> Reporter: Graham Dumpleton
> Priority: Minor
>
> If Apache is used to perform authentication, the Authorization header still gets
> passed through to mod_python.publisher. Unfortunately, mod_python.publisher
> authentication code in process_auth() will attempt to decode the contents of the
> Authorization header even if there are no __auth__ or __access__ hooks defined
> for authentication and access control within the published code itself.
> The consequence of this is that if Digest authentication is used for AuthType
> at level of Apache authentication, the process_auth() code will raise a bad request
> error as it assumes Authorization header is always in format for Basic authentication
> type and when it can't decode it, it raises an error.
> What should happen is that any decoding of Authorization should only be done
> if there is a __auth__ or __access__ hook that actually requires it. That way, if some
> one uses Digest authentication at Apache configuration file level, provided that no
> __auth__ or __access__ hooks are provided, there wouldn't be a problem.
> See:
> http://www.modpython.org/pipermail/...ril/017911.html
> http://www.modpython.org/pipermail/...ril/017912.html
> for additional information.
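
The behaviour the report asks for, as an added stand-alone example (not mod_python's own code and not part of the original thread): credentials are decoded only when the published code defines an __auth__ or __access__ hook. It goes one step beyond the report by also checking the scheme, so a Digest header is never fed to the Basic decoder. BadRequest, parse_basic_credentials, the plain-dict process_auth signature and the sample headers are assumptions made for illustration.

```python
import base64
import binascii


class BadRequest(Exception):
    """Hypothetical stand-in for the publisher's 400 Bad Request error path."""


def parse_basic_credentials(header_value):
    """Return (user, password) for a Basic header, or None for any other scheme."""
    scheme, _, payload = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        # Digest, Negotiate, Bearer, ...: not Basic, so there is nothing to decode.
        return None
    try:
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        raise BadRequest("malformed Basic credentials")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise BadRequest("malformed Basic credentials")
    return user, password


def process_auth(headers, module_hooks):
    """Decode Authorization only if the published code asks for it.

    headers      -- dict of request headers (stand-in for req.headers_in)
    module_hooks -- names defined by the published module (hypothetical)
    """
    needs_auth = any(name in module_hooks for name in ("__auth__", "__access__"))
    value = headers.get("Authorization")
    if not needs_auth or value is None:
        # Apache already authenticated the request; leave the header alone.
        return None
    # None here means "no Basic credentials"; the hook would then challenge.
    return parse_basic_credentials(value)


# Constructed sample headers, not captured traffic.
DIGEST = {"Authorization": 'Digest username="alice", realm="example", '
                           'nonce="abc", uri="/", response="0123"'}
BASIC = {"Authorization": "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")}

if __name__ == "__main__":
    print(process_auth(DIGEST, {}))                  # no hooks: header ignored
    print(process_auth(DIGEST, {"__auth__": True}))  # hook present, not Basic
    print(process_auth(BASIC, {"__auth__": True}))   # hook present, Basic decoded
```
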

