Commented: (MODPYTHON-47) Digest Authorization header causes
Graham Dumpleton (JIRA)


02-14-06 01:45 AM

[ http://issues.apache.org/jira/brows...2366265 ]

Graham Dumpleton commented on MODPYTHON-47:
-------------------------------------------

The simplest way of fixing this problem may be that, after changes related to
MODPYTHON-124 are made, the publisher simply does not try to authenticate
users if req.ap_auth_type is not None.

In other words, if the AuthType directive has been defined, assume that something
else is handling authentication and that publisher doesn't have to worry about
it. This will mean publisher will not redundantly decode the authorisation header
if AuthType was Basic and was being handled explicitly by mod_auth in Apache and
outside of the publisher.

Thus, insert at start of process_auth():

    if req.ap_auth_type:
        return realm, user, passwd

> Digest Authorization header causes bad request error.
> -----------------------------------------------------
>
>          Key: MODPYTHON-47
>          URL: http://issues.apache.org/jira/browse/MODPYTHON-47
>      Project: mod_python
>         Type: Bug
>   Components: publisher
>     Versions: 3.1.4
>     Reporter: Graham Dumpleton
>     Priority: Minor
>
> If Apache is used to perform authentication, the Authorization header still gets
> passed through to mod_python.publisher. Unfortunately, mod_python.publisher
> authentication code in process_auth() will attempt to decode the contents of the
> Authorization header even if there are no __auth__ or __access__ hooks defined
> for authentication and access control within the published code itself.
> The consequence of this is that if Digest authentication is used for AuthType
> at level of Apache authentication, the process_auth() code will raise a bad request
> error as it assumes Authorization header is always in format for Basic authentication
> type and when it can't decode it, it raises an error.
> What should happen is that any decoding of Authorization should only be done
> if there is a __auth__ or __access__ hook that actually requires it. That way, if
> someone uses Digest authentication at Apache configuration file level, provided that no
> __auth__ or __access__ hooks are provided, there wouldn't be a problem.
> See:
>   http://www.modpython.org/pipermail/...ril/017911.html
>   http://www.modpython.org/pipermail/...ril/017912.html
> for additional information.
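
The failure described in the issue and the guard proposed in the comment, as an added example that is not part of the original post and is not mod_python's code. FakeRequest, BadRequest, both function names and the sample headers are constructed for illustration; only the ap_auth_type check comes from the comment.

```python
import base64


class BadRequest(Exception):
    """Stand-in for the HTTP 400 'bad request' error (hypothetical name)."""


class FakeRequest:
    """Constructed request stub exposing only headers_in and ap_auth_type."""

    def __init__(self, authorization=None, ap_auth_type=None):
        self.headers_in = {}
        if authorization is not None:
            self.headers_in["Authorization"] = authorization
        self.ap_auth_type = ap_auth_type  # None when no AuthType directive applies


def process_auth_unguarded(req, realm=None, user=None, passwd=None):
    """Model of the reported behaviour: every Authorization header is taken as Basic."""
    header = req.headers_in.get("Authorization")
    if header is None:
        return realm, user, passwd
    try:
        # Skip the 6-character scheme prefix and expect base64("user:password").
        raw = base64.b64decode(header[6:].strip(), validate=True)
        user, passwd = raw.decode("utf-8").split(":", 1)
    except ValueError:  # covers binascii.Error, bad UTF-8 and a missing ':'
        raise BadRequest("cannot decode Authorization header") from None
    return realm, user, passwd


def process_auth_guarded(req, realm=None, user=None, passwd=None):
    """Same decoder behind the guard proposed in the comment."""
    if req.ap_auth_type:
        # AuthType is set: Apache handles authentication, leave the header alone.
        return realm, user, passwd
    return process_auth_unguarded(req, realm, user, passwd)


# Constructed sample headers, not captured traffic.
BASIC_HEADER = "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")
DIGEST_HEADER = ('Digest username="alice", realm="example", nonce="abc123", '
                 'uri="/app", response="0123456789abcdef0123456789abcdef"')
```

With the guard in place a Digest request returns no credentials from the publisher, so any access decision rests on Apache's own authentication, which is the assumption the comment states.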





