[mod_python] Access checking against another path

Roger Binns rogerb at rogerbinns.com
Tue May 1 13:08:01 EDT 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Graham Dumpleton wrote:
> To say ldap is only referring to the auth provider, not what HTTP
> authentication mechanism is being used. Two that Apache understands
> are Basic and Digest.

As well as NTLM which does challenge response on the connection.

> Except that that will not work. The problem is that AuthType and
> AuthName wouldn't be set for /admin if you only use them on /api, so
> the web browser wouldn't normally even send the authentication
> information through for /admin URL. Thus there isn't going to be any
> auth information to pass through to a sub request.

That is correct.  I expected to manually copy the status and response
headers from /api into responses from /admin if no authentication
information was present which would then cause the browser to prompt for
and send credentials.

> BTW, looking at Apache APIs the call that may have allowed you to do
> subrequests and incorporate output within a parent page is:
> 
>  ap_run_sub_req()

I only found 1.3 doc for that API but that definitely looks like the
right thing in concert with ap_sub_req_lookup_uri() to make the "sub"
request.

> Even if exposed in mod_python it would still not help given that you
> wouldn't have the auth information available for /admin URL to pass
> through.

That is the easy bit :-)  Just copying the authentication response
headers from /api will do the trick.

For the moment I am resigned to using urllib2 to create a new request
and copying headers into/out of that (effectively using it as an
alternative to ap_sub_req_lookup_uri/ap_run_sub_req).

Roger
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGN3PxmOOfHg372QQRAtDZAKDkwgKKF0gOE3gR+NUUr+1gVgt+dQCgnVfx
XfFBt35d/y4qJavt2RVKoz8=
=TlvJ
-----END PGP SIGNATURE-----


More information about the Mod_python mailing list