[mod_python] apache 2.0.54 and SSLUserName

Bud P. Bruegger bud at comune.grosseto.it
Tue May 31 06:53:45 EDT 2005


Sorry for the late reaction on this--I'm just catching up on things after a 
trip.

SSLUserName with +fakeBasicAuth may actually be a solution to my 
problem.  Haven't had a chance to try this yet--but here is what my 
intuition says:

Since I didn't use SSLUserName in my test and since I set SSLVerifyClient 
to optional_no_ca (for demonstration with any eID), mod-ssl seems not to 
set req.user.  I believe that adding SSLUserName and requiring client cert 
verification would possibly set req.user sometime in the access stage such 
that it would be accessible (via req.user, not via env vars) from 
mod-python in later stages (authen, authz, or fixup).

Will try it out and let you know whether it works.

best cheers
-b


At 21.09 24/05/2005 -0400, Graham Dumpleton wrote:
>Eric Jonas wrote ..
> > > Not a solution, but try a handler:
> > >
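> > > from mod_python import apache
> > >
> > > def handler(req):
> > >   # Populate req.subprocess_env with the CGI-style variables.
> > >   req.add_common_vars()
> > >   req.content_type = "text/plain"
> > >   req.send_http_header()
> > >   # Dump every variable visible at the content-handler stage.
> > >   for name in req.subprocess_env.keys():
> > >     print >> req, name, req.subprocess_env[name]
> > >   return apache.OK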
> > >
> > > You might find that the specific bit of information you are after is in
> > > one of the SSL variables which are populated into the req.subprocess_env
> > > table thus giving you an alternate way of finding it.
> >
> >
> > Alas, I still get:
> >
> > REMOTE_PORT 33059
> > REMOTE_USER /C=US/ST=Massachusetts/O=Massachusetts Institute of
> > Technology/OU=Client CA v1/CN=Eric M Jonas/emailAddress=jonas at MIT.EDU
> > AUTH_TYPE Basic
>
>These aren't the variables I am thinking of. If the handler is executed as
>a content handler (not earlier phases) and mod_ssl is being used, there
>should be a host of "SSL_*" variables available. The list is at the end of
>this email. It is these variables I was suggesting may have just the specific
>bit you want as a separate item.
>
>Unfortunately, if you are trying to get the information in an authhandler
>you will not have access to them as they are only populated by the SSL
>fixup handler. There is also no guarantee that the SSL fixuphandler is
>run before a mod_python fixuphandler, so you can't even attempt to
>access it from the mod_python fixuphandler.
>
>This issue was recently talked about on the mailing list so you may want
>to review the discussion in the mailing list archive, starting with:
>
>   http://www.modpython.org/pipermail/mod_python/2005-May/018157.html
>   http://www.modpython.org/pipermail/mod_python/2005-May/018163.html
>   http://www.modpython.org/pipermail/mod_python/2005-May/018163.html
>
>In the last quoted message I posted code (untested), that may allow you
>to access all these SSL variables from an earlier handler than the content
>handler, if you needed to do it from the authhandler. The URLs for the
>attachments are broken though. I think those which will work are:
>
>   http://www.modpython.org/pipermail/mod_python/attachments/20050523/9fa0275b/_mp_mod_ssl.obj
>   http://www.modpython.org/pipermail/mod_python/attachments/20050523/9fa0275b/setup.obj
>
>If they don't, let me know and will send files to you.
>
>Anyway, this is on the basis that you are in fact relying on mod_ssl.
>
>Below are all the SSL variables.
>
>static const char *ssl_hook_Fixup_vars[] = {
>     "SSL_VERSION_INTERFACE",
>     "SSL_VERSION_LIBRARY",
>     "SSL_PROTOCOL",
>     "SSL_CIPHER",
>     "SSL_CIPHER_EXPORT",
>     "SSL_CIPHER_USEKEYSIZE",
>     "SSL_CIPHER_ALGKEYSIZE",
>     "SSL_CLIENT_VERIFY",
>     "SSL_CLIENT_M_VERSION",
>     "SSL_CLIENT_M_SERIAL",
>     "SSL_CLIENT_V_START",
>     "SSL_CLIENT_V_END",
>     "SSL_CLIENT_S_DN",
>     "SSL_CLIENT_S_DN_C",
>     "SSL_CLIENT_S_DN_ST",
>     "SSL_CLIENT_S_DN_L",
>     "SSL_CLIENT_S_DN_O",
>     "SSL_CLIENT_S_DN_OU",
>     "SSL_CLIENT_S_DN_CN",
>     "SSL_CLIENT_S_DN_T",
>     "SSL_CLIENT_S_DN_I",
>     "SSL_CLIENT_S_DN_G",
>     "SSL_CLIENT_S_DN_S",
>     "SSL_CLIENT_S_DN_D",
>     "SSL_CLIENT_S_DN_UID",
>     "SSL_CLIENT_S_DN_Email",
>     "SSL_CLIENT_I_DN",
>     "SSL_CLIENT_I_DN_C",
>     "SSL_CLIENT_I_DN_ST",
>     "SSL_CLIENT_I_DN_L",
>     "SSL_CLIENT_I_DN_O",
>     "SSL_CLIENT_I_DN_OU",
>     "SSL_CLIENT_I_DN_CN",
>     "SSL_CLIENT_I_DN_T",
>     "SSL_CLIENT_I_DN_I",
>     "SSL_CLIENT_I_DN_G",
>     "SSL_CLIENT_I_DN_S",
>     "SSL_CLIENT_I_DN_D",
>     "SSL_CLIENT_I_DN_UID",
>     "SSL_CLIENT_I_DN_Email",
>     "SSL_CLIENT_A_KEY",
>     "SSL_CLIENT_A_SIG",
>     "SSL_SERVER_M_VERSION",
>     "SSL_SERVER_M_SERIAL",
>     "SSL_SERVER_V_START",
>     "SSL_SERVER_V_END",
>     "SSL_SERVER_S_DN",
>     "SSL_SERVER_S_DN_C",
>     "SSL_SERVER_S_DN_ST",
>     "SSL_SERVER_S_DN_L",
>     "SSL_SERVER_S_DN_O",
>     "SSL_SERVER_S_DN_OU",
>     "SSL_SERVER_S_DN_CN",
>     "SSL_SERVER_S_DN_T",
>     "SSL_SERVER_S_DN_I",
>     "SSL_SERVER_S_DN_G",
>     "SSL_SERVER_S_DN_S",
>     "SSL_SERVER_S_DN_D",
>     "SSL_SERVER_S_DN_UID",
>     "SSL_SERVER_S_DN_Email",
>     "SSL_SERVER_I_DN",
>     "SSL_SERVER_I_DN_C",
>     "SSL_SERVER_I_DN_ST",
>     "SSL_SERVER_I_DN_L",
>     "SSL_SERVER_I_DN_O",
>     "SSL_SERVER_I_DN_OU",
>     "SSL_SERVER_I_DN_CN",
>     "SSL_SERVER_I_DN_T",
>     "SSL_SERVER_I_DN_I",
>     "SSL_SERVER_I_DN_G",
>     "SSL_SERVER_I_DN_S",
>     "SSL_SERVER_I_DN_D",
>     "SSL_SERVER_I_DN_UID",
>     "SSL_SERVER_I_DN_Email",
>     "SSL_SERVER_A_KEY",
>     "SSL_SERVER_A_SIG",
>     "SSL_SESSION_ID",
>     NULL
>};


-------------------------------------------------------------------------------------------------
Ing. Bud P. Bruegger, Ph.D.        +39-0564-488577 (voice), -21139 (fax)
Servizio Elaborazione Dati         e-mail:  bud at comune.grosseto.it
Comune di Grosseto                 http://www.comune.grosseto.it/cie/
Via Ginori, 43                     http://OpenPortalGuard.sf.net
58100 Grosseto (Tuscany, Italy)    jabber:  bud at amessage.info

Free Software in Public Administration:  not just a good idea, but a necessity

Perfection is attained, not when there is nothing more to be added, but 
when there is nothing more to be taken away -- Antoine de Saint-Exupery 
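
Added example, not part of the original thread: with FakeBasicAuth the user name is the whole subject DN in OpenSSL's one-line form (as in the REMOTE_USER output quoted above), and the per-field SSL_CLIENT_S_DN_* variables are not yet populated when an authen handler runs. The sketch below pulls a single field out of such a DN and rejects ambiguous ones; the function names and sample DNs are constructed for illustration.

```python
import re

# A "/" opens a new RDN only when a "type=" token follows it ("/CN=", "/emailAddress=").
_RDN_START = re.compile(r"/(?=[A-Za-z][A-Za-z0-9.]*=)")

# Constructed sample DNs (not taken from the thread).
SAMPLE_DN = ("/C=US/ST=Massachusetts/O=Example Institute/OU=Client CA v1"
             "/CN=Alice Example/emailAddress=alice@example.org")
SLASH_DN = "/C=US/O=Example R/D Labs/CN=Bob Example"   # "/" inside a value
REPEATED_CN_DN = "/C=US/O=Example/CN=Carol Example/CN=admin"


def parse_oneline_dn(dn):
    """Split an OpenSSL one-line DN into an ordered list of (type, value)."""
    parts = _RDN_START.split(dn or "")
    if parts[0] != "" or len(parts) < 2:
        raise ValueError("not a one-line DN: %r" % (dn,))
    pairs = []
    for rdn in parts[1:]:
        attr, _, value = rdn.partition("=")
        pairs.append((attr, value))
    return pairs


def dn_attribute(dn, attr="CN"):
    """Return the value of `attr`, refusing DNs where it is absent, empty or repeated.

    The one-line form does not escape "/", so a repeated attribute cannot be
    told apart from a single value that contains "/CN=...": treat it as an error
    instead of picking the first or last occurrence.
    """
    values = [v for a, v in parse_oneline_dn(dn) if a == attr]
    if len(values) != 1 or not values[0].strip():
        raise ValueError("expected exactly one non-empty %s in %r" % (attr, dn))
    return values[0]


if __name__ == "__main__":
    for sample in (SAMPLE_DN, SLASH_DN, REPEATED_CN_DN):
        try:
            print("%-15s <- %s" % (dn_attribute(sample), sample))
        except ValueError as exc:
            print("rejected: %s" % exc)
```

In an authen or authz handler the call would be dn_attribute(req.user, "CN"), with a ValueError mapped to a denial.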


