[mod_python] how to make fallback authentication

Tomasz Wlodek tomw at bnl.gov
Thu Feb 16 17:22:13 EST 2006

Hello folks,

I work on the following idea: We would like to authenticate users who come
to our site in two steps. First we request them to show a valid
certificate. If they can show one and the certificate DN is in our allowed
user's list then we let them in.

If they do not have a certificate, then we want them to perform
authentication based on user id and password. We ask them for user id and
pwd, compare it to what we keep in some database and let them in. (or

The first part - identifying user's based on a certificate is already
done. (Thanks to Graham and others who helped me to understand how to pass
variables from mod_ssl to mod_python authentication handler!)

Now comes the second part: what if the user has no certificate. We need to
tell Apache to perform basic authentication.

I thought about doing it in the following way: the authentication handler
would check if user has a certificate. If yes, let him in, if not redirect
the request to another web page which is located in a directory where
.htaccess file requires basic authentication. This would force Apache to
ask for user id and password, after that the request would be redirected
back to the original site. At this point the req.user variable in request
should be defined, which would be a sign to the handler that the user can
be authenticated.

This sounds very complex and I would like to hear from you if there is a
simpler way of doing this. (I suspect that there is).

Here is my authentication handler: I am not happy with it, and I am not
sure if it will work, but I would like to hear from you if it can be done
in a simpler way.

from mod_python import apache
from mod_python import util

import _mp_mod_ssl
import os

def authenhandler(req):
    # if the req.user variable has been defined, then user has been
    # already authenticated elsewhere
    # if not, then we authenticate him
    if req.user!=None:

	 # get user's dn certificate
  	 user_dn = _mp_mod_ssl.var_lookup(req,'SSL_CLIENT_S_DN')

	 # let us assume that we have a list of allowed dn's
    	 if user_dn in ListOfApprovedDns:
		return apache.OK
 		# user has no DN
		# now we need to start password based authentication
       		 # I will redirect the request to another site, which
		# is configured to perform basic authentication
		# This other site performs basic authentication, and fills
		# req.user variable, then the request it is redirected
                # back to the
		# present site
	# if we are here then the user has been already authenticated
        return apache.OK

Tomasz Wlodek                        | tel 631-344-7448
Brookhaven Laboratory, Building 510M | fax 631-344-7616
Upton NY 11973-5000                  |

More information about the Mod_python mailing list