Graham Dumpleton
graham.dumpleton at gmail.com
Sun Jul 22 20:30:12 EDT 2007
The reason it doesn't work is technically because the authentication/authorisation phases have been pushed into a single authentication handler when it should be split between separate authentication and authorisation handlers.

To be more specific, the authentication handler should only do something if req.auth_type() returns the type of authentication type it is meant to handle, it should then only be checking that the login/password is correct and, if it is, setting req.user to be the username and setting req.ap_auth_type to the authentication type scheme. The latter can usually just be set to the value returned from calling req.auth_type(). Setting req.user and req.ap_auth_type is technically required to indicate to later phases that authentication was successful.

A separate authorisation handler should then process req.requires() but if it doesn't find any requires values pertinent to it, it should return apache.DECLINED. By returning apache.DECLINED it allows the builtin authorisation handler to still run and honour values such as 'valid-user'.

In short, it fails because you aren't supplying an authorisation handler and as a result it is still running the default authorisation handler which fails because there is no group file for it to run.

That it is all wrong is not your fault as the Django example is wrong in the first place and technically it isn't possible to do it completely correctly unless using mod_python 3.3 or later.

So, suggest you first split out authentication into its own handler and get it working. Post that here and I will tell you the bits that may be missing to make it completely correct. Then we can move onto separate authorisation handler.

BTW, I assume you are using mod_python 3.3.1?

Graham

On 23/07/07, Brad Anderson <brad at sankatygroup.com> wrote:
> Jim Gallacher wrote:
> > Hi Brad,
> >
> > It's been awhile since I've messed with aaa, but I may have a spark of
> > an idea.
> >
> > Brad Anderson wrote:
> >> Hi,
> >>
> >> I'm trying to tie into Django's auth subsystem for http authn/authz in
> >> front of Subversion, as seen here:
> >> http://www.djangoproject.com/documentation/apache_auth/
> >>
> >> So, my Apache 2.0.59 conf looks like this (with some mod_macro voodoo):
> >>
> >> #####################################################################
> >>
> >> <Macro ProjectClosed $PROJ>
> >> <Location /projects/$PROJ>
> >> DAV svn
> >> SVNPath /var/svn/$PROJ
> >> AuthType Basic
> >
> > Try changing your AuthType to something else. Heck, you could even use:
> >
> > AuthType somethingelse
> >
> > but you'll likely want something a little clearer - dsource-auth might
> > be a good choice. You can retrieve this string in your handler with
> > req.auth_type(). Likewise req.auth_name() will get you the AuthName
> > setting.
> >
> > As I recall the AuthType Basic will cause the default authentication
> > mechanism to fire, and that's the thing that is generating the "couldn't
> > check access. No groups file?" verbiage in your log.
>
> Changed AuthType to dsource-auth, and no dice.
>
> I received this when trying 'svn up':
>
> svn up
> svn: PROPFIND request failed on '/projects/test'
> svn: PROPFIND of '/projects/test': 401 Authorization Required
> (http://local.svn.dsource.org)
>
> and nothing was written in error_log, making me think the handler was
> bypassed completely. :(
>
> BA
> _______________________________________________
> Mod_python mailing list
> Mod_python at modpython.org
> http://mailman.modpython.org/mailman/listinfo/mod_python
>
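An added illustration of the split described in the message above, not code from the thread, from mod_python or from Django: one handler that only authenticates and one that only authorises. The `dsource-group` Require keyword, the constructed `USERS`/`GROUPS` tables and the choice to parse Basic-format credentials from the Authorization header are assumptions; the stand-in `apache` class only supplies the constants when run outside Apache.

```python
import base64

try:
    from mod_python import apache            # real constants when loaded by Apache
except ImportError:                          # offline stand-in, same numeric values
    class apache:
        OK, DECLINED, HTTP_UNAUTHORIZED = 0, -1, 401

AUTH_TYPE = "dsource-auth"                   # AuthType value tried in the thread
GROUP_KEYWORD = "dsource-group"              # hypothetical Require keyword
USERS = {"brad": "s3cret"}                   # constructed sample credentials
GROUPS = {"brad": {"test"}}                  # constructed sample memberships

def authenhandler(req):
    """Authentication only: verify login/password, then record the result."""
    if req.auth_type() != AUTH_TYPE:
        return apache.DECLINED               # not the scheme this handler owns
    try:
        # Assumption: the client sends Basic-format credentials.
        scheme, blob = req.headers_in.get("Authorization", "").split(None, 1)
        user, password = base64.b64decode(blob).decode("utf-8").split(":", 1)
    except (ValueError, TypeError):          # missing or malformed header
        scheme = user = password = None
    # A real check would call the application's password verifier instead.
    if scheme is None or scheme.lower() != "basic" or USERS.get(user) != password:
        req.err_headers_out["WWW-Authenticate"] = 'Basic realm="%s"' % req.auth_name()
        return apache.HTTP_UNAUTHORIZED
    req.user = user                          # tells later phases who logged in
    req.ap_auth_type = req.auth_type()       # and under which scheme
    return apache.OK

def authzhandler(req):
    """Authorisation only: act on our own Require lines, decline the rest."""
    for requirement in req.requires():
        words = requirement.split()
        if words and words[0] == GROUP_KEYWORD:
            if GROUPS.get(req.user, set()) & set(words[1:]):
                return apache.OK
            return apache.HTTP_UNAUTHORIZED
    return apache.DECLINED                   # e.g. 'valid-user' stays with Apache
```

Under Apache the two functions would be registered with the `PythonAuthenHandler` and `PythonAuthzHandler` directives respectively.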