Graham Dumpleton
grahamd at dscpl.com.au
Thu Apr 21 00:11:37 EDT 2005
On 21/04/2005, at 1:39 PM, Stephen Vermeulen wrote:
> I am trying to use the publisher handler. I have a basic test using
> mod_python working, but when I add
> digest authentication to the directories on the web server it stops
> working. I am not trying to handle the
> authentication with mod_python, rather I'm letting apache do its thing.
Probably could be regarded as a bug in mod_python.publisher. I
will log a bug report if I truly determine that it is.
Specifically it always triggers process_auth() for each request
and it assumes that it is "Basic" authorisation mechanism. Ie.,
  if not user and req.headers_in.has_key("Authorization"):
      try:
          s = req.headers_in["Authorization"][6:]
          s = base64.decodestring(s)
          user, passwd = s.split(":", 1)
      except:
          raise apache.SERVER_RETURN, apache.HTTP_BAD_REQUEST
What it probably should do is:
  if not user and req.headers_in.has_key("Authorization"):
      try:
          authtype,data = req.headers_in["Authorization"].split(None,1)
          if authtype != "Basic":
              # ... log a warning perhaps ???
              return realm,user,passwd
          s = req.headers_in["Authorization"][6:]
          s = base64.decodestring(s)
          user, passwd = s.split(":", 1)
      except:
          raise apache.SERVER_RETURN, apache.HTTP_BAD_REQUEST
Not sure what else you could do if not "Basic" and other authentication
type is not supported besides silently return.
The vampire::publisher module probably fares no better with this either
as although I check for basic authentication, ie.,
  # If authorisation credentials provided, determine if
  # it is an accepted scheme and if it is then extract
  # user and passwd.
  user = None
  passwd = None
  if req.headers_in.has_key("Authorization"):
      try:
          header = req.headers_in["Authorization"]
          scheme,credentials = header.split(" ",1)
          credentials = credentials.strip()
          scheme = scheme.lower()
          if scheme == "basic":
              credentials = base64.decodestring(credentials)
              user,passwd = string.split(credentials,":",1)
          else:
              raise apache.SERVER_RETURN, apache.HTTP_BAD_REQUEST
      except:
          raise apache.SERVER_RETURN, apache.HTTP_BAD_REQUEST
I still return a bad request error if it isn't.
If in Vampire you use vampire.Publisher() within the context of a basic
content handler, in Vampire 1.6 you can disable the default login handler
to avoid the problem. Wasn't intending to allow disabling of the login
handler in vampire::publisher because mod_python.publisher didn't, but
will have to cater for this issue somehow now I guess. One option may
be to only try and do something with the "Authorization" header if it is
found necessary that it is actually needed. Ie., that there are __auth__
definitions actually present that need to be checked.
Anyway, if you understand any of that ramble and you want to come to
the dark side that is vampire::publisher, sure I can provide a quick
fix which solves the problem for that. :-)
Graham
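
Added example (not part of the original post, and not mod_python or Vampire code): a standalone Python 3 sketch of scheme-aware handling of the "Authorization" header, combining the two ideas in the message above (ignore non-Basic schemes, and only look at the header when an __auth__ check needs it). BadRequest, extract_basic_credentials, basic_header, classify, the auth_needed flag and the sample header values are all assumptions made for illustration.

```python
import base64
import binascii

class BadRequest(Exception):
    """Stand-in for raising apache.SERVER_RETURN with HTTP_BAD_REQUEST."""

def extract_basic_credentials(headers, auth_needed=True):
    """Return (user, passwd) for a Basic header. Return (None, None) when the
    header is absent, uses another scheme, or no __auth__ check needs it.
    Raise BadRequest only when the header claims Basic but is malformed."""
    header = headers.get("Authorization")
    if header is None or not auth_needed:
        return None, None
    parts = header.split(None, 1)
    scheme = parts[0].lower() if parts else ""
    if scheme != "basic":
        # Digest and other schemes are left to whatever layer owns them.
        return None, None
    if len(parts) != 2:
        raise BadRequest("Basic scheme without credentials")
    try:
        decoded = base64.b64decode(parts[1].strip(), validate=True)
        user, passwd = decoded.decode("latin-1").split(":", 1)
    except (binascii.Error, ValueError):
        raise BadRequest("malformed Basic credentials")
    return user, passwd

def basic_header(raw):
    """Build a constructed Basic header value from raw 'user:passwd' bytes."""
    return "Basic " + base64.b64encode(raw).decode("ascii")

SAMPLES = {  # constructed header values, not captured traffic
    "basic": basic_header(b"alice:pa:ss"),
    "basic_lowercase": basic_header(b"bob:pw").replace("Basic", "basic"),
    "digest": 'Digest username="alice", realm="test", nonce="abc", uri="/"',
    "basic_no_colon": basic_header(b"alice"),
    "basic_not_base64": "Basic !!!not-base64!!!",
}

def classify(header, auth_needed=True):
    """Run the parser on one header value; report '400' for BadRequest."""
    try:
        return extract_basic_credentials({"Authorization": header}, auth_needed)
    except BadRequest:
        return "400"

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, "->", classify(value))
```

In this sketch (None, None) only means that this layer saw no usable Basic credentials; a caller enforcing an __auth__ check should then fail closed rather than skip the check.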