[mod_python] Attempting to use mod_python on a site which uses digest authentication

Graham Dumpleton grahamd at dscpl.com.au
Thu Apr 21 00:11:37 EDT 2005


On 21/04/2005, at 1:39 PM, Stephen Vermeulen wrote:

> I am trying to use the publisher handler. I have a basic test using 
> mod_python working, but when I add
> digest authentication to the directories on the web server it stops 
> working. I am not trying to handle the
> authentication with mod_python, rather I'm letting apache do its thing.

Probably could be regarded as a bug in mod_python.publisher. I
will log a bug report if I truly determine that it is.

Specifically it always triggers process_auth() for each request
and it assumes that it is the "Basic" authorisation mechanism. I.e.,

     if not user and req.headers_in.has_key("Authorization"):
         try:
             s = req.headers_in["Authorization"][6:]
             s = base64.decodestring(s)
             user, passwd = s.split(":", 1)
         except:
             raise apache.SERVER_RETURN, apache.HTTP_BAD_REQUEST

What it probably should do is:

     if not user and req.headers_in.has_key("Authorization"):
         try:
             authtype, data = req.headers_in["Authorization"].split(None, 1)
             if authtype != "Basic":
                 # ... log a warning perhaps ???
                 return realm, user, passwd
             s = req.headers_in["Authorization"][6:]
             s = base64.decodestring(s)
             user, passwd = s.split(":", 1)
         except:
             raise apache.SERVER_RETURN, apache.HTTP_BAD_REQUEST

Not sure what else you could do if not "Basic" and other authentication
type is not supported besides silently return.

The vampire::publisher module probably fares no better with this either
as although I check for basic authentication, ie.,

   # If authorisation credentials provided, determine if
   # it is an accepted scheme and if it is then extract
   # user and passwd.

   user = None
   passwd = None

   if req.headers_in.has_key("Authorization"):
     try:
       header = req.headers_in["Authorization"]
       scheme,credentials = header.split(" ",1)
       credentials = credentials.strip()

       scheme = scheme.lower()
       if scheme == "basic":
         credentials = base64.decodestring(credentials)
         user,passwd = string.split(credentials,":",1)
       else:
         raise apache.SERVER_RETURN, apache.HTTP_BAD_REQUEST
     except:
       raise apache.SERVER_RETURN, apache.HTTP_BAD_REQUEST

I still return a bad request error if it isn't.

If in Vampire you use vampire.Publisher() within the context of a basic
content handler, in Vampire 1.6 you can disable the default login handler
to avoid the problem. Wasn't intending to allow disabling of the login
handler in vampire::publisher because mod_python.publisher didn't, but
will have to cater for this issue somehow now I guess. One option may
be to only try and do something with the "Authorization" header if it is
found necessary that it is actually needed. I.e., that there are __auth__
definitions actually present that need to be checked.

Anyway, if you understand any of that ramble and you want to come to
the dark side that is vampire::publisher, sure I can provide a quick
fix which solves the problem for that. :-)

Graham
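
The scheme check discussed in this message, as a stand-alone Python 3 example added here (not code from mod_python, Vampire or the original post). The names `parse_basic_authorization` and `MalformedCredentials` are hypothetical; the function takes the "silently return" option for non-Basic schemes such as Digest and reports an error only for a malformed Basic header, which a handler would map to a 400 response.

```python
import base64
import binascii


class MalformedCredentials(Exception):
    """A Basic header was sent but its credentials cannot be decoded."""


def parse_basic_authorization(header):
    """Return (user, passwd) for a Basic header.

    Returns None when the header is absent or uses another scheme
    (e.g. Digest), so the web server's own auth module can handle it.
    """
    parts = (header or "").split(None, 1)
    if not parts:
        return None
    # Scheme names are case-insensitive, so compare in lower case.
    if parts[0].lower() != "basic":
        return None
    if len(parts) != 2:
        raise MalformedCredentials("Basic scheme without credentials")
    try:
        decoded = base64.b64decode(parts[1].strip(), validate=True)
        # Split on the first colon only: passwords may contain colons.
        user, passwd = decoded.decode("utf-8").split(":", 1)
    except (binascii.Error, UnicodeDecodeError, ValueError):
        raise MalformedCredentials("undecodable Basic credentials")
    return user, passwd


if __name__ == "__main__":
    # Constructed sample headers, not taken from the thread.
    samples = [
        "Basic dXNlcjpwYXNz",
        'Digest username="alice", realm="example", nonce="constructed"',
        "Basic dXNlcg==",
    ]
    for value in samples:
        try:
            print(repr(value), "->", parse_basic_authorization(value))
        except MalformedCredentials as exc:
            print(repr(value), "-> rejected:", exc)
```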


