[mod_python] mod_python authentication

Graham Dumpleton grahamd at dscpl.com.au
Tue Nov 22 20:29:40 EST 2005

Bjorn Sundberg wrote ..
> Thanks Graham for your quick response. It's 2 am and my head is a bit slow.
> But is the idea to let apache do the digest authentication, that is apache
> takes care of matching username against the password supplied in the
> authenhandler()?

If you use AuthDigestFile to specify a user/password file that Apache can
itself use, the authenhandler() isn't even required. As you probably know,
you can find more details of how to set up Apache at:


Given that Apache will handle all aspects of authorisation, all that needs
to be done now is to work around the problem in mod_python.publisher
that prevents it being used in a directory authenticated using digest

I was putting that workaround in authenhandler(), but probably shouldn't
have suggested it as it has probably confused the issue. What has to be
done though is to hook in a bit of code somehow before the handler
for mod_python.publisher. This could be done in an earlier processing
phase or as a content handler just before mod_python.publisher is
triggered. I would suggest the latter.

To do that, where you currently have:

  PythonHandler mod_python.publisher

change it to:

  PythonHandler my_digest_workaround::_delete_authorization_header
  PythonHandler mod_python.publisher

When you specify two handlers like this, mod_python will execute each in
turn. Thus, by adding a _delete_authorization_header() method to a module
my_digest_workaround we can hook in some code to run before
mod_python.publisher. The content of my_digest_workaround would thus be:

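   from mod_python import apache

   def _delete_authorization_header(req):
       # Remove the "Authorization" header so that mod_python.publisher,
       # which runs next, does not find it.
       if req.headers_in.has_key("Authorization"):
           del req.headers_in["Authorization"]
       return apache.OK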

The my_digest_workaround module could be put in the same directory as the
.htaccess file, or if using global Apache configuration, in the root directory of
where your published files are kept. I explicitly called the handler
_delete_authorization_header(), with a leading underscore, so that it
will not be found if someone addressed a URL for publisher at it directly.

End result is that the workaround gets called first and it removes the
problem header and then publisher gets executed and your function


> Björn S
> On 11/23/05, Graham Dumpleton <grahamd at dscpl.com.au> wrote:
> >
> > Graham Dumpleton wrote ..
> > > Bjorn Sundberg wrote ..
> > > > Is there a way to use http digest authentication?
> > >
> > > No. HTTP digest authentication and mod_python.publisher are currently
> > > incompatible. See:
> > >
> > >   http://issues.apache.org/jira/browse/MODPYTHON-47
> > >
> > > It is actually a simple fix, but wasn't done for mod_python 3.2.
> > >
> > > Even if fixed, the HTTP digest authentication has to be done by Apache,
> > > it cannot be done by mod_python.publisher when using __auth__ etc.
> > > The fix is merely to stop mod_python.publisher barfing when it is being
> > > done by Apache.
> >
> > Actually, as usual there is nearly always a way to fudge things. You could
> > still use Apache HTTP digest authentication (managed by Apache) and
> > still use mod_python.publisher by having an authenhandler() which
> > deleted the "Authorization" header so that mod_python.publisher didn't
> > find it and therefore didn't barf.
> >
> >   def authenhandler(req):
> >
> >     if req.headers_in.has_key("Authorization"):
> >        del req.headers_in["Authorization"]
> >
> >     ... etc.
> >
> > I haven't tried this, but it should work.
> >
> > Graham
> >
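
The handler chain described in this message, modelled offline as an added example (not code from the post or from mod_python). `HeaderTable`, `FakeRequest`, `publisher_stand_in` and `run_chain` are hypothetical stand-ins, and the publisher stand-in only models the failure on a Digest header that the message describes.

```python
# Added example: offline stand-ins for mod_python objects (all hypothetical).
OK, HTTP_BAD_REQUEST = 0, 400  # numeric values of apache.OK / apache.HTTP_BAD_REQUEST

class HeaderTable:
    """Case-insensitive header map standing in for req.headers_in."""
    def __init__(self, headers):
        self._h = {k.lower(): v for k, v in headers.items()}
    def has_key(self, name):
        return name.lower() in self._h
    def __getitem__(self, name):
        return self._h[name.lower()]
    def __delitem__(self, name):
        del self._h[name.lower()]

class FakeRequest:
    def __init__(self, headers, user):
        self.headers_in = HeaderTable(headers)
        self.user = user  # assumption: already set by Apache's Digest check

def _delete_authorization_header(req):
    # The workaround from the message: drop the header before publisher runs.
    if req.headers_in.has_key("Authorization"):
        del req.headers_in["Authorization"]
    return OK

def publisher_stand_in(req):
    # Hypothetical model of the failure: rejects a non-Basic Authorization header.
    if req.headers_in.has_key("Authorization"):
        if not req.headers_in["Authorization"].startswith("Basic "):
            return HTTP_BAD_REQUEST
    return OK

def run_chain(req, handlers):
    # Simplified model: handlers run in order, the first non-OK status ends the chain.
    for handler in handlers:
        status = handler(req)
        if status != OK:
            return status
    return OK

def demo():
    # Constructed Digest header; the lower-case key exercises case-insensitive lookup.
    digest = 'Digest username="alice", realm="constructed", nonce="abc", uri="/", response="0"'
    before = run_chain(FakeRequest({"authorization": digest}, "alice"), [publisher_stand_in])
    req = FakeRequest({"authorization": digest}, "alice")
    after = run_chain(req, [_delete_authorization_header, publisher_stand_in])
    return before, after, req.user, req.headers_in.has_key("Authorization")
```

Apache's authentication phase runs before any content handler, so the header is only removed after the Digest check has already accepted the request.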
