[mod_python] Protecting Image-Directory's with PythonAccessHandler

Jim Gallacher jpg at jgassociates.ca
Fri Dec 22 09:17:10 EST 2006


Marcus Werner wrote:
> Hi everyone,
> 
> I'm working on a Debian-Stable Box with mod_python 2.7.10 and Python
> 2.3 (yes I know it's both 'stale', but I've got no choice) and I would
> like to know _how_ I can protect an images-directory with a
> PythonAccessHandler together with my application-/session-based
> authentication. A bonus would be if I could decide access to specific
> images based on user-permissions.
> 
> I know this is a tricky problem, and in PHP you would have to place the
> images somewhere inaccessible from the web and stream them through php
> to the client, after checking the credentials. If we assume mod_php is
> tuned to serve this fast the performance should be fair, but there is
> still a small performance-loss because the image is streamed
> through the PHP-Interpreter.
> 
> Now mod_python seems to dodge this elegantly by introducing the
> AccessHandler, but so far I haven't been able to produce
> something like this, since the documentation regarding those special
> Handlers is really sparse.
> 
> If you want to attract more users you really need some examples
> regarding things which are impossible, difficult or performance-costly
> in other languages/frameworks.

Yes, but if we had more users we'd just get more demands for better 
documentation. ;)

> Especially for those Python*Handlers, you need _way_more_ examples, so
> it's obvious why, where and when to use those Handlers. They are a huge
> bonus, but regarding the documentation they haven't received the
> attention they deserve.
> 
> I'm going to hold a 30-minute presentation on mod_python 3 weeks
> from now during a seminar about scripting-languages for Web-Engineering
> and I would like to show at least _one_ convincing example why and
> where to use those _special_ handlers. So far I don't know what to tell
> my fellow students about this part of mod_python. Afaik it seems like
> I'm the first guy ever doing a presentation about mod_python.

The documentation is an acknowledged weakness. Writing *good* 
documentation takes time, which is a resource we seem to be lacking 
right now. I definitely want to create a document which explains the 
apache processing phases. I may even try to throw together a
rum-and-eggnog fueled document over the holidays. :)

> I'm going to set up a more recent version of mod_python on a private
> box tonight so if you have a solution/small example which works on a more
> recent version of mod_python: fire away.

Using the AccessHandler is dead easy. (Note that I've never used 
mod_python 2.x so I have no idea how well this will work there. 
Furthermore I'm using 3.3.0b.)

Stick the following in the directory you want to protect:

.htaccess
---------
PythonAccessHandler foo


foo.py
------
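"""Restricts access to files with txt file extension"""

from mod_python import apache
import os

def accesshandler(req):
    # Log every request that reaches the access phase (Apache error log).
    req.log_error('accesshandler called for %s' % req.filename)
    # Allow only files whose extension is exactly '.txt'; refuse the rest.
    if os.path.splitext(req.filename)[1] == '.txt':
        return apache.OK
    else:
        return apache.HTTP_FORBIDDEN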


If you want to restrict access based on user credentials, you really 
should do it with PythonAuthzHandler. The authorization phase happens 
after the access phase and the authentication phase.

Unfortunately I need to speed out the door so I can't offer any further 
help right now. My presence on the mailing list will be spotty over the 
next couple of days.

Jim
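
An added example, not part of the message above and not mod_python's own code: an authorization-phase handler for the per-user image permissions the question asks about. It assumes an earlier authentication handler has set req.user; the PERMISSIONS table and IMAGE_DIR path are constructed for illustration, and the stand-in `apache` class exists only so the file can be exercised outside Apache.

```python
"""Per-user authorization for one image directory (PythonAuthzHandler)."""
import os

try:
    from mod_python import apache
except ImportError:
    # Outside Apache: stand-in with the same status values, for testing only.
    class apache:
        OK = 0
        HTTP_FORBIDDEN = 403

# Assumed location of the protected directory (constructed sample path).
IMAGE_DIR = '/var/www/images'

# Constructed sample ACL: user name -> image file names that user may fetch.
PERMISSIONS = {
    'alice': ('logo.png', 'report.png'),
    'bob': ('logo.png',),
}

def is_allowed(user, filename):
    """Fail closed: no user, unknown user, other directory or unlisted file."""
    directory, name = os.path.split(os.path.normpath(filename))
    if directory != IMAGE_DIR:
        return False
    return name in PERMISSIONS.get(user, ())

def authzhandler(req):
    # Apache runs the authentication and authorization phases only where a
    # Require directive applies, so the directory needs one for this handler
    # to be called. req.user comes from the authentication phase,
    # req.filename from Apache's URL-to-file translation.
    if is_allowed(req.user, req.filename):
        return apache.OK
    req.log_error('authz denied: user=%r file=%r' % (req.user, req.filename))
    return apache.HTTP_FORBIDDEN
```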

