SSL-data access from verious handlers. was: Re: [mod_python] problem w/ authen handler

Bud P. Bruegger bud at
Mon May 23 04:55:44 EDT 2005

At 09.20 23/05/2005 +0200, Graham Dumpleton wrote:
>Some questions for you about this.
>How does this information fit into the larger scheme of what you are
>trying to do? Are you trying to separate this out into a separate
>handler phase so that you don't have to duplicate that code in every
>mod_python content handler? Are mod_python content handlers being used
>exclusively to deliver up content, or are you just using mod_python
>as a way of processing the SSL stuff and content handler phases would
>be handled by non mod_python handlers such as PHP, CGI or static
>page delivery?

Hi Graham,

I suppose my problem is closest to the last option you mention above.

Here is some more background on what I'm trying to do.  The objective is an 
access control system that works with the various European eID cards and 
basically is a reverse-proxy that centralizes authentication and 
authorization.  Behind the reverse-proxy, any kind of application servers 
(from static pages, mod-python, php, servlets, etc.; normally on separate 
hosts) are foreseen.  It is an extension of the official Belgian approach

The overall request processing would more or less follow this pattern:

mod-ssl  >  mod-personID  > 
mod-RBAC >  mod-rewrite      --------->   mod-remoteAuth ...

mod-ssl and -rewrite are off the shelf.  What I am trying to add based on 
mod-python are:

mod-personID takes the data from mod-ssl (mostly SSL_CLIENT_S_DN) and 
depending on which eID card was used, maps to an internationally unique 
   * for the Belgian, Finish, and Estonian eIDs, it simply takes the 
subject serial number and prefixes it with a country id
   * for the Italian CIE, it extracts the card number from the subject CN 
and looks up a corresponding unique person ID in LDAP
   * for the Italian CNS, it cuts the person ID from the subj. CN string 
and prefixes it
   * etc.

mod-RBAC is then a role-based access control module--I yet have to start 
with that one..

If the access to the resouce is granted, the internationally unique person 
id generated by mod-personID is transferred to the application server 
behind the proxy in a custom http-header.  mod-remoteAuth takes this header 
as input to fake local Basic Auth (in the case of Apache, either as simple 
mod-python access handler that sets req.user or also as pure configuration 
(using mod-rewrite)).

The concept of Loginhandler is really interesting.  My doubt is whether it 
would execute before mod-rewrite clicks in?

Many thanks for your support!


Ing. Bud P. Bruegger, Ph.D.                 +39-0564-488577 
(voice),  -21139 (fax)
Servizio Elaborazione Dati                    e-mail:  bud at
Comune di 
Via Ginori, 
58100 Grosseto (Tuscany, Italy)           jabber:  bud at

Free Software in Public Administration:  not just a good idea, but a necessity

Perfection is attained, not when there is nothing more to be added, but 
when there is nothing more to be taken away -- Antoine de Saint-Exupery 

More information about the Mod_python mailing list