Graham Dumpleton
grahamd at dscpl.com.au
Fri May 5 06:48:32 EDT 2006
On 24/04/2006, at 1:50 PM, Graham Dumpleton wrote:

> Jim Gallacher wrote ..
>> Ultimately however it seems to me there is a bug in mod_python.c related
>> to the whole AuthAuthoritative business. Consider the following code
>> pulled from the python_handler function. (mod_python.c line 1412
>> revision 396250):
>>
>>     if (strcmp(phase, "PythonAuthenHandler") == 0) {
>>         ... snip ...
>>
>>         if (result == HTTP_UNAUTHORIZED)
>>         {
>>             if (! conf->authoritative)
>>                 result = DECLINED;
>>
>>
>> conf->authoritative is initialized to 1, but we don't have an Apache
>> directive to set the value. I wonder if the assumption was that this was
>> set by AuthAuthoritative, or if there was an oversight in not adding
>> a new directive? Either way it's a bug. Mod_python should not concern
>> itself with AuthAuthoritative, as that is for use by mod_auth, so we
>> really need our own directive.
>>
>> As confirmation I modified python_handler to log conf->authoritative and
>> indeed its value is unaffected by the AuthAuthoritative setting. In its
>> current state, PythonAuthenHandler will *always* be authoritative.
>>
>> Other mod_auth_* modules define their own authoritative directives, for
>> example: AuthDBMAuthoritative, AuthLDAPAuthoritative,
>> AuthMySQLAuthoritative and Anonymous_Authoritative. Following the most
>> common pattern I would suggest we add AuthPythonAuthoritative.
>>
>> This issue may also be important to
>> http://issues.apache.org/jira/browse/MODPYTHON-129
>
> I've noted the PythonAuthenHandler code in python_handler many times and
> although I need to go back and look at it again I have been thinking
> that that section of code may possibly be partly bogus and shouldn't be
> in there.
>
> The warning message about req.user not being set is possibly helpful,
> but why should mod_python be making a decision to change an
> unauthorized response back to a declined and why should it be generating
> a WWW-Authenticate header with an assumption that Basic authorisation
> is being used when it may well not be. What is going to happen if I write
> an authenhandler for Digest authentication and it returns unauthorised,
> mod_python will obliterate any WWW-Authenticate header I may have
> placed there specific to Digest authentication.
>
> Thus I don't necessarily think it is a case of amending it some way, it
> may be a case of obliterating it and make people do the correct thing
> in their handlers to begin with rather than providing a crutch to fix their
> omissions. This may mean adding means of calling further auth related
> functions through the req object if there is something missing now,
> such as access to ap_note_basic_auth_failure().

FWIW, my concerns about something being a bit wrong with the code are
baseless in as much as ap_note_basic_auth_failure() only adds the header
if AuthType is set to Basic. Thus it can't obliterate a Digest header.

Still think mod_python shouldn't be doing any of this stuff anyway, as
the handler should have been doing it in the first place.

Anyway, can remove this thread from my inbox now. :-)

Graham
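Added example, not code from this thread or from the mod_python project: a PythonAuthenHandler that makes the authoritative decision and emits its own WWW-Authenticate challenge, i.e. does in the handler what the thread says the fix-up code in python_handler (mod_python.c) should not be doing for it. It declines outright when AuthType is not Basic so it can never clobber a Digest challenge, returns DECLINED rather than HTTP_UNAUTHORIZED on failure only when configured as non-authoritative, and otherwise sets the Basic challenge header itself. Assumptions: the PythonOption name "AuthPythonAuthoritative" is borrowed from the directive name Jim proposes but is not a real mod_python directive; USERS is a constructed credential table; FakeRequest is a constructed stand-in for mod_python's request object (same method names as the real one) so the handler can be exercised without Apache; the fallback `apache` class carries Apache's real return codes (OK=0, DECLINED=-1, HTTP_UNAUTHORIZED=401).

```python
"""PythonAuthenHandler that handles 'authoritative' and the challenge itself.

Added example, not mod_python project code. Assumed names: the PythonOption
"AuthPythonAuthoritative", the constructed USERS table and FakeRequest.
"""
import hmac

try:
    from mod_python import apache          # only importable inside Apache
except ImportError:                        # stand-alone: Apache's real return codes
    class apache:
        OK = 0
        DECLINED = -1
        HTTP_UNAUTHORIZED = 401

USERS = {"alice": "s3cret"}                # constructed demo data, not for real use


def credentials_ok(user, password):
    """Constant-time password check against the demo table."""
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


def authenhandler(req):
    # AuthType comes from the Apache config. Anything other than Basic
    # (e.g. Digest) is another module's job: decline so we never stamp a
    # Basic challenge over somebody else's WWW-Authenticate header.
    if (req.auth_type() or "").lower() != "basic":
        return apache.DECLINED

    # Authoritative by default, matching conf->authoritative = 1 in
    # mod_python.c, but switchable via a PythonOption (assumed name).
    opt = req.get_options().get("AuthPythonAuthoritative", "on")
    authoritative = opt.lower() != "off"

    # Parses the Authorization header; sets req.user as a side effect and
    # returns the password, or None when no usable header was sent.
    password = req.get_basic_auth_pw()

    if req.user and password is not None and credentials_ok(req.user, password):
        return apache.OK

    if not authoritative:
        # Not our last word: let a later authen handler or module try.
        return apache.DECLINED

    # We are authoritative, so we issue the challenge ourselves. This is the
    # header ap_note_basic_auth_failure() would add for AuthType Basic.
    req.err_headers_out["WWW-Authenticate"] = 'Basic realm="%s"' % req.auth_name()
    return apache.HTTP_UNAUTHORIZED


class FakeRequest:
    """Constructed stand-in for mod_python's request object (offline testing only)."""

    def __init__(self, auth_type="Basic", auth_name="demo", options=None,
                 credentials=None):
        self._auth_type = auth_type
        self._auth_name = auth_name
        self._options = options or {}
        self._credentials = credentials    # (user, password) or None
        self.user = None
        self.err_headers_out = {}

    def auth_type(self):
        return self._auth_type

    def auth_name(self):
        return self._auth_name

    def get_options(self):
        return self._options

    def get_basic_auth_pw(self):
        if self._credentials is None:
            return None
        self.user, password = self._credentials
        return password
```

Wired up with `PythonAuthenHandler <module>` plus `AuthType Basic` and `AuthName` in the Apache config, the handler never depends on python_handler turning 401 into DECLINED or adding the header for it; under a real Apache `ap_get_basic_auth_pw()` may already have noted the Basic failure when no Authorization header was sent, in which case setting the header again is harmless.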