[mod_python] how to make fallback authentication

Graham Dumpleton grahamd at dscpl.com.au
Thu Feb 16 18:11:55 EST 2006

Unfortunately, to my mind, what would be the proper way of doing this
can't current be done in mod_python because it has some stuff missing
and doesn't process handlers for the authentication phase correctly. See:


One question while I think of a good suggestion, how are you setting
AuthType, AuthName and Requires directives to ensure that the mod_python
authenhandler is being run in the first place?


Tomasz Wlodek wrote ..
> Hello folks,
> I work on the following idea: We would like to authenticate users who come
> to our site in two steps. First we request them to show a valid
> certificate. If they can show one and the certificate DN is in our allowed
> user's list then we let them in.
> If they do not have a certificate, then we want them to perform
> authentication based on user id and password. We ask them for user id and
> pwd, compare it to what we keep in some database and let them in. (or
> not).
> The first part - identifying user's based on a certificate is already
> done. (Thanks to Graham and others who helped me to understand how to pass
> variables from mod_ssl to mod_python authentication handler!)
> Now comes the second part: what if the user has no certificate. We need
> to
> tell Apache to perform basic authentication.
> I thought about doing it in the following way: the authentication handler
> would check if user has a certificate. If yes, let him in, if not redirect
> the request to another web page which is located in a directory where
> .htaccess file requires basic authentication. This would force Apache to
> ask for user id and password, after that the request would be redirected
> back to the original site. At this point the req.user variable in request
> should be defined, which would be a sign to the handler that the user can
> be authenticated.
> This sounds very complex and I would like to hear from you if there is
> a
> simpler way of doing this. (I suspect that there is).
> Here is my authentication handler: I am not happy with it, and I am not
> sure if it will work, but I would like to hear from you if it can be done
> in a simpler way.
> from mod_python import apache
> from mod_python import util
> import _mp_mod_ssl
> import os
> def authenhandler(req):
>     # if the req.user variable has been defined, then user has been
>     # already authenticated elsewhere
>     # if not, then we authenticate him
>     if req.user!=None:
> 	 req.add_common_vars()
> 	 # get user's dn certificate
>   	 user_dn = _mp_mod_ssl.var_lookup(req,'SSL_CLIENT_S_DN')
> 	 # let us assume that we have a list of allowed dn's
>     	 if user_dn in ListOfApprovedDns:
> 		return apache.OK
>     	 else:
>  		# user has no DN
> 		# now we need to start password based authentication
>        		 # I will redirect the request to another site, which
> 		# is configured to perform basic authentication
>  		util.redirect(req,'http://....')
> 		# This other site performs basic authentication, and fills
> 		# req.user variable, then the request it is redirected
>                 # back to the
> 		# present site
>      else:
> 	# if we are here then the user has been already authenticated
>         return apache.OK
> Tomasz Wlodek                        | tel 631-344-7448
> Brookhaven Laboratory, Building 510M | fax 631-344-7616
> Upton NY 11973-5000                  |
> _______________________________________________
> Mod_python mailing list
> Mod_python at modpython.org
> http://mailman.modpython.org/mailman/listinfo/mod_python

More information about the Mod_python mailing list