[mod_python] Chaining handlers

David Champion dgc at uchicago.edu
Thu Mar 20 15:26:19 EDT 2008

> The access, authentication and authorisation handler phases are:
>   http://www.modpython.org/live/current/doc-html/dir-handlers-ach.html
>   http://www.modpython.org/live/current/doc-html/dir-handlers-auh.html
>   http://www.modpython.org/live/current/doc-html/dir-handlers-auzh.html
> To get some context also see:
>   http://www.fmc-modeling.org/category/projects/apache/amp/4_4Request_Response_Loop.html

I did read those sections of the mod_python manual.  I also just looked
at the response loop document, and all seem to agree that under various
circumstances (depending on which handler phase you're in) returning OK
or DECLINED should pass the request to the next handler.

My code does this, but no matter which phase I've tried (access, auth,
headers, fixup, and more) the most I can get is my CGI served as a
static text/plain file.  Could it be a matter of priority?  It seems
that I'm able to position a C module first in the handler stack; maybe
that's why it works (see end).

> Although authentication phase handler is mainly used for HTTP Basic
> authentication, it can be adapted for use in form based login
> mechanism. It is a bit more tricky to do though.

It doesn't seem any different from trying to accomplish authN in some
other phase, but I might be missing something.  Anyway I'm getting the
same results from all phases.

> If you can find a separate Apache module that handles the concept of
> form based login but can use an Apache 2.2 auth provider, then
> mod_wsgi could still be used.

I haven't used WSGI before, but it might be worth a look sometime.

For now, I have the C module working just about perfectly.  It's too bad
I can't get it working in mod_python though, since it would allow me to
share the python module my CGI uses to build the security tokens.

> Also go to http://books.google.com and plug in search term of
> 'authn_cookie'. This should yield snippet of Nick Kew's book on
> writing Apache modules. Read it as well as surrounding pages.

Thanks for this.  I didn't know about this book, but it looks like a
good resource.  I haven't found ORA's "Writing Apache Modules with Perl
and C" all that helpful, but it's possible I'm too distracted by my
distaste for perl. :)

This doesn't bear directly on my problem, but it might be interesting
nonetheless: what I have already is a python module called HashCookie.py
which takes arbitrary dictionary values from its client and hashes them
together with current and expiration time values and a shared secret.
It passes the dictionary data (excluding the shared secret) as the
HC_DATA cookie, and the md5 or sha1 hash as HC_HASH.

I'm nearly finished with mod_hashcookie, which is the C version of the
server side which I had included in HashCookie.py.  It evaluates these
cookies, taking the shared secret from its Apache configuration.  If
the cookies are not present or do not hash correctly, it redirects to
an authN URL -- a CGI that uses HashCookie.py to construct cookies and
redirect back to the original resource.  If the hashes compare, the
timestamps are checked to ensure that the cookies are still valid.  And
if that passes, then the document is served.  This seems to be working
exactly as desired in its core functionality.

Thanks for your help.  I wrote the C version to verify that I knew
what I was doing and that it was conceptually workable.  If I can figure
out how to make the mod_python version work, I'm still interested, but
mod_hashcookie should solve it if not.

 -D.    dgc at uchicago.edu    NSIT    University of Chicago
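
The cookie scheme described in this message, sketched as an added example; it is not the author's HashCookie.py or mod_hashcookie. The function names, the `issued`/`expires` field names, the URL-encoded serialisation and the use of HMAC-SHA256 in place of the md5/sha1 hash mentioned above are assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode


def _mac(data, secret):
    # Keyed digest over the serialised cookie data (assumption: HMAC-SHA256).
    return hmac.new(secret, data.encode(), hashlib.sha256).hexdigest()


def make_cookies(values, secret, lifetime=3600, now=None):
    """Issuer side (the authN CGI): return (HC_DATA, HC_HASH)."""
    now = int(time.time() if now is None else now)
    fields = dict(values, issued=str(now), expires=str(now + lifetime))
    # Sort keys so issuer and verifier serialise the same bytes.
    data = urlencode(sorted(fields.items()))
    # The shared secret enters only the MAC, never the cookie data.
    return data, _mac(data, secret)


def check_cookies(hc_data, hc_hash, secret, now=None):
    """Verifier side: return the fields if valid, else None.

    None corresponds to "redirect to the authN URL" in the flow above.
    """
    if not hc_data or not hc_hash:
        return None  # cookies not present
    # Constant-time comparison, and before parsing anything from HC_DATA.
    if not hmac.compare_digest(_mac(hc_data, secret).encode(),
                               hc_hash.encode()):
        return None  # does not hash correctly
    fields = dict(parse_qsl(hc_data, keep_blank_values=True))
    now = int(time.time() if now is None else now)
    try:
        if not int(fields["issued"]) <= now < int(fields["expires"]):
            return None  # not yet valid, or expired
    except (KeyError, ValueError):
        return None  # timestamps missing or malformed
    return fields
```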
