Apache Mod-Python - Commented: (MODPYTHON-124) Improvements associated with the


Author Commented: (MODPYTHON-124) Improvements associated with the
Graham Dumpleton (JIRA)

2006-02-19, 8:21 am

[ http://issues.apache.org/jira/brows...action_12366954 ]

Graham Dumpleton commented on MODPYTHON-124:
--------------------------------------------

Whoops, stuffed up what the names should be. They should be:

req.auth_name()
req.auth_type()

If "get_" prefix is used, breaks with existing convention as to how names in request object map to Apache API functions. Thus:

from mod_python import apache

def authenhandler(req):
    if req.auth_type() != "Python-Basic-DBM":
        return apache.DECLINED

    realm = req.auth_name()

    # Do all the processing of Authorization header and
    # validate user etc. If not okay, return appropriate error
    # status. If okay, keep going.

    req.user = ...  # from header
    req.ap_auth_type = "Python-Basic-DBM"

    return apache.OK

> Improvements associated with the req.ap_auth_type attribute.
> ------------------------------------------------------------
>
> Key: MODPYTHON-124
> URL: http://issues.apache.org/jira/browse/MODPYTHON-124
> Project: mod_python
> Type: Improvement
> Components: core
> Versions: 3.3
> Reporter: Graham Dumpleton
>
> The "req.ap_auth_type" attribute is set to the authentication type corresponding to the type of authentication processing successfully carried out in respect of a request. For example, if one has Apache configuration:
>     AuthType Basic
>     AuthName "Restricted Files"
>     AuthUserFile /usr/local/apache/passwd/passwords
>     Require valid-user
> it is expected that the request uses basic authentication header as appropriate. These headers will be dealt with by inbuilt Apache core module. Upon successful authentication, the Apache core module will set "req.ap_auth_type" attribute to be "Basic" and set "req.user" to the user ID of the logged in user.
> If instead Apache support for digest authentication was used, eg:
>     AuthType Digest
>     ...
> then "req.ap_auth_type" attribute will be set to "Digest".
> If authentication was not requested, ie., no AuthType directive, the "req.ap_auth_type" is set to Python None.
> The intent is that you should be able to implement authentication handlers in mod_python using PythonAuthenHandler, but you can't actually do this correctly at the moment as there are a few things missing.
> Firstly, in order to trigger the PythonAuthenHandler, you must still define the AuthType/AuthName/Require directives. In order to ensure that our authentication handler is triggered and not the builtin ones or some other one, the AuthType directive should specify a string other than "Basic" or "Digest". This would be a name we choose and can basically be anything. For example, you might choose a descriptive name like "Python-Basic-DBM" to denote basic authentication is used against a DBM database but using the Python authentication handler.
>     AuthType Python-Basic-DBM
>     AuthName "Web Application"
>     Require valid-user
>     PythonAuthenHandler basicdbmauth
>     PythonOption basicdbmauth.UserDatabase /.../users.dbm
> When the authentication handler in "basicdbmauth" is called, the "req.ap_auth_type" field is still None. This is because authentication hasn't succeeded yet.
> In terms of being able to implement the authentication handler correctly, the first problem is that there is no way to access the actual value associated with the AuthType directive. This needs to be consulted to determine if the authentication handler should actually do anything. Second is that the value associated with the AuthName directive can't be determined either, something which may influence against which database authentication should be done.
> Thus first lot of changes that need to be made are that "req" object needs to have two new methods called "get_auth_type()" and "get_auth_name()". These will map to the Apache API functions called "ap_auth_type()" and "ap_auth_name()". Note that "ap_auth_type()" is returning a different value to "req.ap_auth_type".
> With those two functions, authentication handler can then be written as:
> def authenhandler(req):
>     if req.get_auth_type() != "Python-Basic-DBM":
>         return apache.DECLINED
>     realm = req.get_auth_name()
>     # Do all the processing of Authorization header and
>     # validate user etc. If not okay, return appropriate error
>     # status. If okay, keep going.
>     req.user = ...  # from header
>     req.ap_auth_type = "Python-Basic-DBM"
>     return apache.OK
> As well as returning apache.OK, convention is to set "req.user" and "req.ap_auth_type".
> This is where the final problem occurs. That is that "req.ap_auth_type" is read only and cannot actually be set as necessary.
> Thus in addition to "req.get_auth_type()", "req.get_auth_name()", need to make "req.ap_auth_type" writable.
> Having made these changes it would then actually be possible to write authentication handlers correctly, ie., whereby they correctly look at AuthType etc to see whether they should be applied.
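
The handler skeleton above with the elided "processing of Authorization header" step filled in, as an added example that is not code from this thread or from mod_python. It uses the req.auth_type() / req.auth_name() names from the comment; the numeric constants, FakeRequest, the in-memory USERS dict standing in for the DBM file and the PBKDF2 hashing are assumptions made so that it runs without Apache.

```python
import base64
import hashlib
import hmac

# Stand-ins for apache.OK, apache.DECLINED and apache.HTTP_UNAUTHORIZED.
OK, DECLINED, HTTP_UNAUTHORIZED = 0, -1, 401
AUTH_TYPE = "Python-Basic-DBM"

def pw_hash(salt, password):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100000)

# Constructed user store standing in for the DBM file: user -> (salt, hash).
USERS = {"alice": (b"constructed-salt", pw_hash(b"constructed-salt", "s3cret"))}

class FakeRequest:
    """Hypothetical stand-in for the mod_python request object."""
    def __init__(self, auth_type, authorization=None):
        self._auth_type = auth_type
        self.headers_in = {"Authorization": authorization} if authorization else {}
        self.err_headers_out = {}
        self.user = self.ap_auth_type = None
    def auth_type(self): return self._auth_type
    def auth_name(self): return "Web Application"

def parse_basic(header):
    """Return (user, password) from an Authorization header, or None."""
    scheme, _, blob = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # bad base64, non-ASCII input or invalid UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep and user else None

def authenhandler(req, users=USERS):
    if req.auth_type() != AUTH_TYPE:  # another module owns this location
        return DECLINED
    creds = parse_basic(req.headers_in.get("Authorization"))
    if creds:
        user, password = creds
        salt, stored = users.get(user, (b"dummy-salt", b""))
        # Hash even for unknown users so timing does not reveal valid names.
        if hmac.compare_digest(pw_hash(salt, password), stored):
            req.user, req.ap_auth_type = user, AUTH_TYPE  # only on success
            return OK
    req.err_headers_out["WWW-Authenticate"] = 'Basic realm="%s"' % req.auth_name()
    return HTTP_UNAUTHORIZED
```

req.user and req.ap_auth_type stay None on every path except a verified login, so later phases never see a half-authenticated request.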

