Ian Clelland
ian at veryfresh.com
Sat Aug 17 00:11:33 EST 2002
On Fri, Aug 16, 2002 at 08:12:01PM -0400, Hunter Matthews wrote:
> In this particular application, I don't think the authorization will
> work quite like that:
>
> I don't get a user:password from a browser, this is an xmlrpc client
> that sends authentication/authorization information in custom HTTP
> headers.
>
> If you are deciding to allow or deny access based just on the contents
> of headers, which Handler would you pick?
>
> In testing here, it appears that PythonHeaderParserHandler works - it
> can look at the headers in req.headers_in, and simply return apache.OK
> or apache.HTTP_UNAUTHORIZED.

Well, if you're not using standard HTTP authentication (specifically, if
you're not using the WWW-Authenticate and Authorization headers,) then
maybe the best handler to use would be a PythonAccessHandler.

Access control handlers are generally free to deny access to a resource
based on any criteria you want. They will usually return an
apache.HTTP_FORBIDDEN (403) if access is denied, but you can make it
return whatever you want.

Technically, you are not supposed to return a 401 (Unauthorized) status
code unless you are also including a WWW-Authenticate header, but it
really comes down to doing what the client expects, especially if the
client is non-interactive.

> Again, wow. Thank you for deciphering this for me: this is my first
> mod_python app.

You're welcome -- I'm just glad I could be of help

Ian
<ian at veryfresh.com>
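
The access-handler approach described in the message above, as an added example that is not part of the original post or of mod_python's own code. The header names, the per-client secret table and the HMAC-over-method-and-URI token scheme are assumptions made for illustration, and `req.headers_in.get()` assumes a mod_python 3.x table object.

```python
import hashlib
import hmac

try:                                  # available only when running inside Apache
    from mod_python import apache
    OK, FORBIDDEN = apache.OK, apache.HTTP_FORBIDDEN
except ImportError:                   # same numeric values, for offline testing
    OK, FORBIDDEN = 0, 403

# Hypothetical header names and a constructed sample secret table.
USER_HEADER = "X-Auth-User"
TOKEN_HEADER = "X-Auth-Token"
CLIENT_SECRETS = {"buildbot": b"constructed-sample-secret"}


def expected_token(user, method, uri):
    """HMAC-SHA256 over method and URI, keyed with the client's secret."""
    secret = CLIENT_SECRETS.get(user)
    if secret is None:
        return None
    msg = ("%s\n%s" % (method, uri)).encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def check_headers(headers, method, uri):
    """Decide OK or FORBIDDEN from the custom headers alone."""
    user = headers.get(USER_HEADER)
    token = headers.get(TOKEN_HEADER)
    if not user or not token:
        return FORBIDDEN              # missing credentials: deny by default
    want = expected_token(user, method, uri)
    if want is None:
        return FORBIDDEN              # unknown client gets the same answer
    # Constant-time comparison so timing does not reveal a partial match.
    if not hmac.compare_digest(want.encode("utf-8"), token.encode("utf-8")):
        return FORBIDDEN
    return OK


def accesshandler(req):
    """Entry point Apache calls for: PythonAccessHandler <this module>."""
    # 403 rather than 401, since no WWW-Authenticate challenge is sent.
    return check_headers(req.headers_in, req.method, req.uri)
```

A token bound only to method and URI can be replayed by anyone who observes it, so this check belongs behind TLS.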