[mod_python] how to make fallback authentication

Deron Meranda deron.meranda at gmail.com
Thu Feb 16 19:32:48 EST 2006

On 2/16/06, Graham Dumpleton <grahamd at dscpl.com.au> wrote:
> Unfortunately, to my mind, what would be the proper way of doing this
> can't current be done in mod_python because it has some stuff missing
> and doesn't process handlers for the authentication phase correctly. See:
>   http://issues.apache.org/jira/browse/MODPYTHON-124
>   http://issues.apache.org/jira/browse/MODPYTHON-129

Another thing to watch for to is the difference between Apache 2.0
and 2.2.  There may be other opportunities in 2.2 for yet more
mod_python functionality, such as registering an authn/z provider
which is written in python.

Anyway, you still may be able to do something a little less-than-the-
proper way.  Assuming that you don't need to rely on Apache in
any way (don't need any of the mod_auth* modules).

What you can do is actually implement the HTTP BASIC or
DIGEST protocol directly in your handler.  Of course without
the mentioned mising features, there would be no tie-in to
Apache (so no Require, AuthBasic, etc. directives).

Implementing HTTP BASIC is actually pretty straight forward.
Read http://www.faqs.org/rfcs/rfc2617.html -- you can ignore
all the Proxy stuff if you're not trying to write a proxy server.
The general strategy is to look for the "Authorization"
input header.  If it's there, decode it (check that the scheme
is "BASIC" (case-insensitive) then base64-decode the
username:password).  Then validate the username and password
by whatever means you want.

If there is no Authorization header, or it is not valid, then you
need to return an HTTP 401; and also insure you also output
an WWW-Authenticate response header.

Deron Meranda

More information about the Mod_python mailing list