[ https://issues.apache.org/jira/brow...action_12503329 ]

Paul Jongsma commented on MODPYTHON-169:
----------------------------------------

Using this patch with the PythonPath option in the Apache configuration seem
s to give a problem.
As soon as you add a PythonPath setting to the server config any request fai
ls with:

File "/usr/local/lib/python2.4/site-packages/mod_python/apache.py", line 331
, in AuthBasicDispatch\n    if pathstring != _path:
NameError: global name '_path' is not defined

Adding a global _path to apache.py resolves this issue;

# Cache for values of PythonPath that have been seen already.
_path = {}
_path_cache = {}
_path_cache_lock = threading.Lock()

However I have not enough knowledge on mod_python to know if this is the cor
rect way to resolve this issue.

Platform info: Python 2.4.4 (#2, Mar 28 2007, 20:09:38)  on FreeBSD 6.2-STAB
LE FreeBSD 6.2-STABLE #5
Server version: Apache/2.2.4 (Unix)






> Add feature to allow mod_python to be an auth provider.
> -------------------------------------------------------
>
>                 Key: MODPYTHON-169
>                 URL: https://issues.apache.org/jira/browse/MODPYTHON-169
>             Project: mod_python
>          Issue Type: New Feature
>          Components: core
>            Reporter: Graham Dumpleton
>            Assignee: Graham Dumpleton
>         Attachments: add-authenticator.patch
>
>
> In Apache 2.2, the implementation of authentication has been split into two parts.
 The first is that which handles the specifics of negotiating with a client for a sp
ecific authentication mechanism type, for example, Basic or Digest authentication. T
he
second part is that which handles the specifics of verifying the actual users credentials, f
or example, by looking the user up in a dbm database, ldap or some other type of user databa
se.
> The second part of this is referred to as the auth provider and in Apache 2.2 it i
s possible to hook in additional providers. This means that the any builtin support 
in Apache for Basic and Digest authentication mechanism can be used, but the verific
ati
on could be done by some arbitrary user code. Such verification could be done in Python, if 
mod_python allowed one to define the necessary auth provider hooks.
> To this end, proposed that mod_python be extended such that when using Apa
che 2.2, that it is possible to say:
>   AuthType Basic
>   AuthName "Restricted Files"
>   AuthBasicProvider mod_python
>   PythonAuthBasicProvider somemodule
> or:
>   AuthType Digest
>   AuthName "Restricted Files"
>   AuthDigestProvider mod_python
>   PythonAuthDigestProvider somemodule
> That is, by specifying mod_python in conjunction with AuthBasicProvider  or AuthDi
gestProvider directives, it triggers mod_python to be given option of satisfying nee
d to perform verification of user credentials. The function to be called for each be
ing
given by the PythonAuthBasicProvider and PythonAuthDigestProvider respectively.
> The argument to these directives would be a module name, in which case a function 
of the name "authbasicprovider" or "authdigestprovider" will be expected to exist. I
f wanting to specify a particular module, like in handler directives, would also be 
pos
sible to say:
>   PythonAuthBasicProvider somemodule::check_password
>   PythonAuthDigestProvider somemodule::get_realm_hash
> Note that the prototype of the function for each would not be like existin
g handlers and is different in each case. For the Basic auth mechanism, an e
xample function would be:
>   users = { ... }
>   def authbasicprovider(req, user, password):
>     # could consult req.auth_name() to get realm
>     if user not in users:
>       return apache.AUTH_USER_NOT_FOUND
>     # assuming passwords are stored in clear text
>     if users[user] != password:
>       return apache.AUTH_DENIED
>   return apache.AUTH_GRANTED
> Exceptions would be translated into apache.AUTH_GENERAL_ERROR, or function
 could explicitly return it. Could also allow explicit exception of type apa
che.SERVER_RETURN like in handlers but where argument is auth values.
> For Digest authentication, function would be:
>   def authdigestprovider(req, user, realm):
>     # could select database based on 'realm'
>     if user not in users:
>       return None
>     # assuming passwords are stored in clear text
>     return md5.new("%s:%s:%s" % (user, realm, users[user])).hexdigest(
)
> In this later function, return None indicates apache.AUTH_USER_NOT_FOUND. An apach
e.SERVER_RETURN exception could also be used with that value as argument. Returning 
of an actual string would imply apache.AUTH_USER_FOUND. Unexpected exceptions taken 
as
apache.AUTH_GENERAL_ERROR, or could be raised explicitly using apache.SERVER_RETURN exceptio
n.
> What all this would mean is that you would never need to write an authenhandler ag
ain using mod_python, as you could rely on any type of authenhandler builtin to Apac
he or as as supported by some third party Apache module. All you would need to do is
 su
pply the auth provider or Basic or Digest authentication as necessary to support verificatio
n of the user.
>

[ Post a follow-up to this message ]