Graham Dumpleton
grahamd at dscpl.com.au
Thu Apr 21 00:11:37 EDT 2005
On 21/04/2005, at 1:39 PM, Stephen Vermeulen wrote: > I am trying to use the publisher handler. I have a basic test using > mod_python working, but when I add > digest authentication to the directories on the web server it stops > working. I am not trying to handle the > authentication with mod_python, rather I'm letting apache do its thing. Probably could be regarded as a bug in mod_python.publisher. I will log a bug report if I truly determine that it is. Specifically it always triggers process_auth() for each request and it assumes that it is "Basic" authorisation mechanism. Ie., if not user and req.headers_in.has_key("Authorization"): try: s = req.headers_in["Authorization"][6:] s = base64.decodestring(s) user, passwd = s.split(":", 1) except: raise apache.SERVER_RETURN, apache.HTTP_BAD_REQUEST What it probably should do is: if not user and req.headers_in.has_key("Authorization"): try: authtype,data = req.headers_in["Authorization"].split(None,1) if authtype != "Basic": ... log a warning perhaps ??? return realm,user,passwd s = req.headers_in["Authorization"][6:] s = base64.decodestring(s) user, passwd = s.split(":", 1) except: raise apache.SERVER_RETURN, apache.HTTP_BAD_REQUEST Not sure what else you could do if not "Basic" and other authentication type is not supported besides silently return. The vampire::publisher module probably fares no better with this either as although I check for basic authentication, ie., # If authorisation credentials provided, determine if # it is an accepted scheme and if it is then extract # user and passwd. user = None passwd = None if req.headers_in.has_key("Authorization"): try: header = req.headers_in["Authorization"] scheme,credentials = header.split(" ",1) credentials = credentials.strip() scheme = scheme.lower() if scheme == "basic": credentials = base64.decodestring(credentials) user,passwd = string.split(credentials,":",1) else: raise apache.SERVER_RETURN, apache.HTTP_BAD_REQUEST except: raise apache.SERVER_RETURN, apache.HTTP_BAD_REQUEST I still return a bad request error if it isn't. If in Vampire you use vampire.Publisher() within the context of a basic content handler, in Vampire 1.6 you can disable the default login handler to avoid the problem. Wasn't intending to allow disabling of the login handler in vampire::publisher because mod_python.publisher didn't, but will have to cater for this issue somehow now I guess. One option may be to only try and do something with the "Authorization" header if it is found necessary that it is actually needed. Ie,. that there are __auth__ definitions actually present that need to be checked. Anyway, if you understand any of that ramble and you want to come to the dark side that is vampire::publisher, sure I can provide a quick fix which solves the problem for that. :-) Graham
|