|
Graham Dumpleton
grahamd at dscpl.com.au
Thu Feb 16 18:11:55 EST 2006
Unfortunately, to my mind, what would be the proper way of doing this can't current be done in mod_python because it has some stuff missing and doesn't process handlers for the authentication phase correctly. See: http://issues.apache.org/jira/browse/MODPYTHON-124 http://issues.apache.org/jira/browse/MODPYTHON-129 One question while I think of a good suggestion, how are you setting AuthType, AuthName and Requires directives to ensure that the mod_python authenhandler is being run in the first place? Graham Tomasz Wlodek wrote .. > Hello folks, > > I work on the following idea: We would like to authenticate users who come > to our site in two steps. First we request them to show a valid > certificate. If they can show one and the certificate DN is in our allowed > user's list then we let them in. > > If they do not have a certificate, then we want them to perform > authentication based on user id and password. We ask them for user id and > pwd, compare it to what we keep in some database and let them in. (or > not). > > The first part - identifying user's based on a certificate is already > done. (Thanks to Graham and others who helped me to understand how to pass > variables from mod_ssl to mod_python authentication handler!) > > Now comes the second part: what if the user has no certificate. We need > to > tell Apache to perform basic authentication. > > I thought about doing it in the following way: the authentication handler > would check if user has a certificate. If yes, let him in, if not redirect > the request to another web page which is located in a directory where > .htaccess file requires basic authentication. This would force Apache to > ask for user id and password, after that the request would be redirected > back to the original site. At this point the req.user variable in request > should be defined, which would be a sign to the handler that the user can > be authenticated. > > This sounds very complex and I would like to hear from you if there is > a > simpler way of doing this. (I suspect that there is). > > Here is my authentication handler: I am not happy with it, and I am not > sure if it will work, but I would like to hear from you if it can be done > in a simpler way. > > from mod_python import apache > from mod_python import util > > import _mp_mod_ssl > import os > > def authenhandler(req): > # if the req.user variable has been defined, then user has been > # already authenticated elsewhere > # if not, then we authenticate him > if req.user!=None: > req.add_common_vars() > > # get user's dn certificate > user_dn = _mp_mod_ssl.var_lookup(req,'SSL_CLIENT_S_DN') > > # let us assume that we have a list of allowed dn's > if user_dn in ListOfApprovedDns: > return apache.OK > else: > # user has no DN > # now we need to start password based authentication > # I will redirect the request to another site, which > # is configured to perform basic authentication > util.redirect(req,'http://....') > # This other site performs basic authentication, and fills > # req.user variable, then the request it is redirected > # back to the > # present site > else: > # if we are here then the user has been already authenticated > return apache.OK > > Tomasz Wlodek | tel 631-344-7448 > Brookhaven Laboratory, Building 510M | fax 631-344-7616 > Upton NY 11973-5000 | > > _______________________________________________ > Mod_python mailing list > Mod_python at modpython.org > http://mailman.modpython.org/mailman/listinfo/mod_python
|