[mod_python] Complicated GET configuration

Ian Clelland ian at veryfresh.com
Sat Aug 17 00:11:33 EST 2002

On Fri, Aug 16, 2002 at 08:12:01PM -0400, Hunter Matthews wrote:
> In this particular application, I don't think the authorization will
> work quite like that: 
> I don't get a user:password from a browser, this is an xmlrpc client
> that sends authentication/authorization information in custom HTTP
> headers. 
> If you are deciding to allow or deny access based just on the contents
> of headers, which Handler would you pick?
> In testing here, it appears that PythonHeaderParserHandler works - it
> can look at the headers in req.headers_in, and simply return apache.OK

Well, if you're not using standard HTTP authentication (specifically, if
you're not using the WWW-Authenticate and Authorization headers,) then
maybe the best handler to use would be a PythonAccessHandler. Access
control handlers are generally free to deny access to a resource based
on any criteria you want. They will usually return an apache.HTTP_FORBIDDEN
(403) if access is denied, but you can make it return whatever you want.

Technically, you are not supposed to return a 401 (Unauthorized) status
code unless you are also including a WWW-Authenticate header, but it
really comes down to doing what the client expects, especially if the
client is non-interactive.

> Again, wow. Thank you for deciphering this for me: this is my first
> mod_python app.

You're welcome -- I'm just glad I could be of help

<ian at veryfresh.com>

More information about the Mod_python mailing list