[mod_python] mod_python session/form based user authentication

Graham Dumpleton graham.dumpleton at gmail.com
Sun Mar 29 23:16:58 EDT 2009


2009/3/30 bruce bushby <bruce.bushby at googlemail.com>:
> Hi Graham
>
> Thanks for the feedback. The issue I've been stuck with ( for 3 months now)
> is how to prevent the "browser pop-up" user/password dialog box.
> I've tried so many combinations, but every time I have "AuthType
> Basic/Require valid-user" set, the browser pops up the login dialog box but
> I want
> "html form login/authentication"

Try setting:

  AuthBasicAuthoritative Off

in Apache configuration.

But then, if you aren't setting AuthType to be Basic, this shouldn't
be an issue.

> req.user = "nobody" was set as a place holder because without it I get:
>   [ req->user is NULL. Assign something to req.user if returning OK to avoid
> this error ]

Even as a place holder, it didn't need to be set in all cases and could
cause an issue if there were multiple authentication handlers being
executed.

> I've just tried the following:
> AuthType session
> AuthName "members"
> Require valid-session

The Require isn't much point if you haven't written an authorization
handler that understands valid-session.

> ...and it works......but only if I "set req.user = nobody" as a temp place
> holder...or I get the req->user is NULL error
>
>
> I'll admit I don't have a clue....I got this far by trial and error, which
> is not very efficient.....I'm waiting for your book ...hint hint :))

I will not be writing a book on mod_python. IMHO mod_python is dying
and the quicker people stop using it and shift to WSGI based Python
web applications the better.

The only problem in saying that is the alternatives don't support
writing Apache input/output filters nor custom session based
authentication/authorisation schemes that cover multiple applications.
The latter though will be supported in Apache 2.4 through
mod_session, so no need to be fiddling with using mod_python at that
point. You could also right now just use:

  http://www.openfusion.com.au/labs/mod_auth_tkt/

> Is there a secret to prevent the "browser password pop-up box" and redirect
> to a html login page? I've spent 3 months
> googling and can't find a simple example.

For a working form/session based authentication handler (that is, I
presume it still works), see:

  http://www.modpython.org/pipermail/mod_python/2006-May/021172.html

The correct attachment address is:

  http://www.modpython.org/pipermail/mod_python/attachments/20060520/813620d0/sessionmanager.tar.gz

See the .htaccess file as to how it all ties together. The _session.py
file is also extensively documented.

Graham

>
> Thanks again
> Bruce
>
> On Sun, Mar 29, 2009 at 11:23 PM, Graham Dumpleton
> <graham.dumpleton at gmail.com> wrote:
>>
>> 2009/3/29 bruce bushby <bruce.bushby at googlemail.com>:
>> > Hi
>> >
>> > I've been struggling to implement form based user authentication for
>> > some
>> > time now so I'm posting my progress in the hope that
>> > more experienced members will comment and any new starters will save
>> > themselves some time.
>> >
>> > A big thanks to John Calixto for getting back to me and suggesting
>> > "AuthType
>> > wgtiauth" and "Require wgti-user"
>> >
>> >
>> > The example works as follows:
>> > - Attempt to access the protected area gets intercepted by
>> > authenhandler, if
>> > not authorized redirect to login, if login successful, continue to
>> > original
>> > url.
>> >
>> > ...
>> >
>> > def authenhandler(req):
>> >         req.user = "nobody"
>> >         req.session = Session.DbmSession(req)
>> >
>> >         if req.session.is_new():
>> >                 req.session['referer'] = "http://mysite" +
>> > req.unparsed_uri
>> >                 req.session.save()
>> >                 util.redirect(req,"http://mysite/login")
>> >
>> >         if req.session.has_key('authstatus') and
>> > req.session['authstatus']
>> > == "authenticated":
>> >                 return apache.OK
>> >
>> >         return apache.HTTP_UNAUTHORIZED
>>
>> Technically this is incorrect/incomplete.
>>
>> 1. An authentication handler should be checking whether it is the
>> handler that should run for the AuthType used. Thus should have the
>> following check as first thing done:
>>
>>  if req.auth_type() != 'wgtiauth':
>>    return apache.DECLINED
>>
>> 2. If the authentication handler successfully authenticated user, only
>> then should it be setting req.user. It should not be doing it all the
>> time even if authentication failed. It is not technically a good idea
>> to be setting it to 'nobody' and it should really be the actual user
>> name. That way you can then use other Apache directives such as
>> 'Require user'.
>>
>> 3. If the authentication handler was successful, it should be setting
>> req.ap_auth_type to be the authentication type.
>>
>>  req.ap_auth_type = req.auth_type()
>>
>> > def authzhandler(req):
>> >         if req.user:
>> >                 return apache.OK
>> >
>> >         return apache.HTTP_UNAUTHORIZED
>>
>> Your whole authorisation handler is not needed, so get rid of:
>>
>>                Require wgti-user
>>                PythonAuthzHandler authsession
>>
>> and replace it with:
>>
>>                Require valid-user
>>
>> As I said before though, you should only be setting req.user if user
>> authenticated properly.
>>
>> Graham
>
>
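The authenhandler as it would look after applying Graham's three corrections (decline for a foreign AuthType, set req.user only to the real name after a successful login, then set req.ap_auth_type), as an added example and not code from this thread. The apache.* constants are mirrored as plain integers, Redirect stands in for util.redirect() raising to stop the handler chain, session['user'] is assumed to be stored by a hypothetical login form handler, and the Fake* classes are constructed stand-ins so the logic runs without Apache.

```python
# Added example, not from the thread.  Values mirror mod_python's apache.OK,
# apache.DECLINED and apache.HTTP_UNAUTHORIZED.
OK, DECLINED, HTTP_UNAUTHORIZED = 0, -1, 401
AUTH_TYPE = "wgtiauth"               # must match "AuthType wgtiauth" in .htaccess
LOGIN_URL = "http://mysite/login"    # hypothetical login form page


class Redirect(Exception):
    # Stand-in for util.redirect(), which raises to abort the handler chain.
    def __init__(self, url):
        super().__init__(url)
        self.url = url


def authenhandler(req, session_factory):
    # Under mod_python session_factory would be Session.DbmSession.
    # 1. Decline unless this handler owns the configured AuthType, so it
    #    never shadows a Basic (or other) handler on the same server.
    if req.auth_type() != AUTH_TYPE:
        return DECLINED
    req.session = session_factory(req)
    # First visit: remember the requested URL, then send to the login form.
    if req.session.is_new():
        req.session["referer"] = "http://mysite" + req.unparsed_uri
        req.session.save()
        raise Redirect(LOGIN_URL)
    # 2./3. Only after a successful login set req.user (the real user name,
    #    so "Require user"/"Require valid-user" work) and req.ap_auth_type.
    if req.session.get("authstatus") == "authenticated" and req.session.get("user"):
        req.user = req.session["user"]
        req.ap_auth_type = req.auth_type()
        return OK
    return HTTP_UNAUTHORIZED


# Constructed stand-ins for the mod_python request and session objects.
class FakeSession(dict):
    def __init__(self, req, new=False, **data):
        super().__init__(data)
        self._new, self.saved = new, False
    def is_new(self):
        return self._new
    def save(self):
        self.saved = True


class FakeReq:
    def __init__(self, auth_type, uri="/members/"):
        self._auth_type, self.unparsed_uri = auth_type, uri
        self.user, self.ap_auth_type = None, None
    def auth_type(self):
        return self._auth_type
```

In a real deployment the .htaccess would point PythonAuthenHandler at a module whose handler calls this function with Session.DbmSession, and "Require valid-user" replaces the separate authzhandler.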