[mod_python] problem w/ authen handler

Bud P. Bruegger bud at comune.grosseto.it
Fri May 20 10:04:59 EDT 2005


Hi Graham,

many thanks for your input!  This got me a round further.  I tried both the 
access and the fixup handlers (it needs to be before mod-rewrite does its 
things) and they are invoked (as opposed to the authen and authenz handlers).

My remaining problem is that I don't see SSL_CLIENT_S_DN in the handler 
(after  req.add_common_vars() and dumping the keys of 
req.subprocess_env).  (I can see them w/o problems in the standard 
handler.)  I have tried to play with the order of directives, but it didn't 
seem to make a difference.  (see the apache conf snippet below for details)

Any idea how to access SSL_CLIENT_S_DN in the access or fixup handler?

many thanks!

-b



         <Directory /var/www/sc>
             SSLRequireSSL
             #SSLOptions +StdEnvVars +ExportCertData +FakeBasicAuth +StrictRequire
             SSLOptions +StdEnvVars +ExportCertData +StrictRequire
             SetHandler mod_python
             PythonHandler test
             PythonFixupHandler test
             PythonDebug On
         </Directory>

At 08.52 20/05/2005 +1000, Graham Dumpleton wrote:

>On 20/05/2005, at 12:27 AM, Bud P. Bruegger wrote:
>
>>I'm a beginner and hope someone can straighten me out.
>>
>>I am trying to write a simple handler that clicks in after mod-ssl has 
>>requested a certificate from the client.  Depending on the type of client 
>>token (European eID cards), I'd like the handler to look at the client's 
>>subject DN and derive (by string manipulation or by lookup) a nationally 
>>unique ID for the card holder.
>>
>>Sounds simple enough--but I can't get it to work.  I tried both, the 
>>authen and the authz handlers.  But neither from mod-ssl's +fakeBasicAuth 
>>nor from the handlers req.user = 'xxx' do I get a REMOTE_USER env 
>>variable set.  Also the test environment variable that I try to set in the 
>>authen/authz handler doesn't have effect.
>
>Normally the authenhandler will only be called if the Apache configuration has
>something like:
>
>   AuthType Basic
>   AuthName "Restricted Files"
>   AuthUserFile /Users/grahamd/Sites/auth/pwdb
>
>Ie., it is triggered off the presence of these special Auth options. Similarly,
>the authzhandler only gets called if other appropriate options for it are
>defined. Your SSL stuff doesn't seem to fit under that model and so the
>handlers may simply not be getting called.
>
>>Does this possibly mean that the authen/authz handlers are not called at 
>>all in my configuration?  Should I use a different handler and which?  Or 
>>did I simply mess up something else?
>
>Try adding a req.log_error() call in the handlers to see if they get called
>or not. Message will be in the Apache error log file.
>
>Does your code work if you move what you have in the authenhandler into the
>start of your actual handler function? Ie., does the concept at least work?
>
>As a fudge, you could always stick it in the accesshandler, which from memory
>is always called if defined.
>
>Graham


-------------------------------------------------------------------------------------------------
Ing. Bud P. Bruegger, Ph.D.                 +39-0564-488577 (voice),  -21139 (fax)
Servizio Elaborazione Dati                  e-mail:  bud at comune.grosseto.it
Comune di Grosseto                          http://www.comune.grosseto.it/cie/
Via Ginori, 43                              http://OpenPortalGuard.sf.net
58100 Grosseto (Tuscany, Italy)             jabber:  bud at amessage.info

Free Software in Public Administration:  not just a good idea, but a necessity

Perfection is attained, not when there is nothing more to be added, but 
when there is nothing more to be taken away -- Antoine de Saint-Exupery 
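
Added example (not part of the original message and not mod_python code): one way to do the "string manipulation" step from the quoted question, working on a plain dict such as a copy of req.subprocess_env. The rule that the national ID is the CN text before "/", the ID pattern, and the sample values are assumptions made for illustration.

```python
import re

# Split only at a "/" that starts a new "KEY=" pair, so a "/" inside a
# value (the one-line DN format does not escape it) stays in that value.
_RDN_START = re.compile(r"/(?=[A-Za-z0-9.]+=)")


def parse_oneline_dn(dn):
    """Parse '/C=IT/O=Example/CN=Jane' into a list of (key, value) pairs."""
    if not dn.startswith("/"):
        raise ValueError("not a one-line DN: %r" % dn)
    pairs = []
    for part in _RDN_START.split(dn)[1:]:
        key, _, value = part.partition("=")
        pairs.append((key, value))
    return pairs


def holder_id(env):
    """Return the card holder's ID, or None when it cannot be trusted."""
    # Fail closed: only use the DN of a certificate mod_ssl has verified.
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    # Prefer the per-component variable: it needs no DN string parsing.
    cn = env.get("SSL_CLIENT_S_DN_CN")
    if cn is None:
        dn = env.get("SSL_CLIENT_S_DN")
        if dn is None:
            return None
        cns = [v for k, v in parse_oneline_dn(dn) if k == "CN"]
        if len(cns) != 1:  # missing or ambiguous CN: refuse
            return None
        cn = cns[0]
    # Hypothetical card rule: the national ID is the CN text before "/".
    national_id = cn.split("/", 1)[0].strip().upper()
    if not re.fullmatch(r"[A-Z0-9]{6,20}", national_id):
        return None
    return national_id


# Constructed sample environment (not taken from a real card).
SAMPLE_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "/C=IT/O=Example Issuer/CN=ABCDEF12G34H567I/1234567890",
}
```

A value that itself contains "/KEY=" text cannot be told apart from a real component in the one-line format, which is why the single-CN check refuses such input and why SSL_CLIENT_S_DN_CN is used when present.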


