Graham Dumpleton
grahamd at dscpl.com.au
Sat Feb 18 21:54:55 EST 2006
On 18/02/2006, at 1:05 AM, Bud P. Bruegger wrote:
> Hello everyone,
>
> I have a problem reading req.user when using mod-SSL with the
> +FakeBasicAuth option and setting SSLUser: req.user always seems
> to be undefined. Also, neither Authen nor Authz handlers run. Any
> help would be highly appreciated.

First off, I presume the client certificate does have a user name
specified in it?

Second is that mod_ssl only populates req.user from a MIDDLE hook of the
access handler. This is the same as when mod_python access handlers are
run. If the ordering of initialisation of mod_python/mod_ssl is such
that a mod_python access handler is run before the internal access
handler for mod_ssl, then req.user will not have been set yet and thus
will not be available in the mod_python access handler.

Finally, the authen handler and authz handler are only run if the
Require directive has been used, which your configuration doesn't
include. Thus you need something like:

    Require valid-user

BTW, your attempt to get SSL variables from req.subprocess_env isn't
going to work as they are only put there by mod_ssl by a REALLY_LAST
hook of the fixup handler, which is after access handler, authen handler
and authz handler. Will also be after mod_python fixup handler as it
runs as MIDDLE hook.

To get information about mod_ssl in earlier phases, you will need
mod_ssl patches as described in:

    https://issues.apache.org/jira/browse/MODPYTHON-94

These changes have now been pushed into mod_python subversion main
trunk if you are prepared to give developmental code a go.

Graham

> Here are some details of what I try:
>
> #-- Apache 2 conf ------------------------------
> NameVirtualHost *:443
> <VirtualHost *:443>
>     LogLevel debug
>     SSLEngine on
>     SSLCertificateFile /etc/apache2/ssl/apache.pem
>     SSLCACertificateFile /etc/apache2/ssl/caCerts.pem
>     SSLVerifyDepth 3
>     SSLVerifyClient require
>     #SSLUserName SSL_CLIENT_S_DN_X509
>     DocumentRoot /var/www/
>
>     <Directory /var/www/sc>
>         SSLRequireSSL
>         SSLOptions +StdEnvVars +FakeBasicAuth
>         AuthType Basic
>         SetHandler mod_python
>         PythonHandler test
>         PythonAccessHandler test
>         PythonAuthenHandler test
>         PythonAuthzHandler test
>         PythonFixupHandler test
>         PythonDebug On
>     </Directory>
> </VirtualHost>
>
> #--- test.py ----------------------------------------------------
> from mod_python import apache
>
> def genHandler(req, handlerName):
>     # Record what this phase sees for req.user and the client DN
>     req.add_common_vars()
>     req.get_basic_auth_pw()
>     user = req.user
>     # Falls back to the list of available keys when the DN is absent
>     dn = req.subprocess_env.get('SSL_CLIENT_S_DN',
>                                 req.subprocess_env.keys())
>     userLabel = 'XXX-%s-user' % handlerName
>     dnLabel = 'XXX-%s-dn' % handlerName
>     req.subprocess_env[userLabel] = str(user)
>     req.subprocess_env[dnLabel] = str(dn)
>     return apache.OK
>
>
> def accesshandler(req):
>     return genHandler(req, 'access')
>
> def authenhandler(req):
>     return genHandler(req, 'authen')
>
> def authzhandler(req):
>     return genHandler(req, 'authz')
>
> def fixuphandler(req):
>     return genHandler(req, 'fixup')
> #------------------------------------------------------
>
> many thanks in advance
>
> -b
>
> -------------------------------------------------------------------------
> Ing. Bud P. Bruegger, Ph.D.      +39-0564-488577 (voice), -21139 (fax)
> Servizio Elaborazione Dati       e-mail: bud at comune.grosseto.it
> Comune di Grosseto               jabber: bud at jabber.no
> Via Ginori, 43                   http://www.comune.grosseto.it/cie/
> 58100 Grosseto (Tuscany, Italy)  http://www.comune.grosseto.it/interopEID/
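
The three caveats in the reply above can be checked mechanically against a configuration. The following is an added example, not part of the original thread or of mod_python: a small Python lint (the names `lint`, `check` and the finding labels are hypothetical) that looks at each Directory/Location/Files block on its own and assumes no inheritance from enclosing sections or .htaccess files.

```python
import re

# Constructed sample: the per-directory section from the question above.
SAMPLE = """
<Directory /var/www/sc>
SSLRequireSSL
SSLOptions +StdEnvVars +FakeBasicAuth
AuthType Basic
SetHandler mod_python
PythonAccessHandler test
PythonAuthenHandler test
PythonAuthzHandler test
PythonFixupHandler test
</Directory>
"""

EARLY = {"pythonaccesshandler", "pythonauthenhandler",
         "pythonauthzhandler", "pythonfixuphandler"}

def check(directives):
    """Map one section's {directive: args} to the reply's three caveats."""
    found = []
    if directives.keys() & {"pythonauthenhandler", "pythonauthzhandler"} \
            and "require" not in directives:
        found.append("no-require")        # authen/authz handlers never run
    if "pythonaccesshandler" in directives:
        found.append("user-order")        # req.user may not be set yet
    if directives.keys() & EARLY and "+stdenvvars" in directives.get("ssloptions", ""):
        found.append("ssl-env-late")      # SSL_* vars arrive after fixup
    return found

def lint(conf):
    """Return [(section_path, finding), ...] for Directory/Location/Files blocks."""
    results, path, directives = [], None, {}
    for line in (l.strip() for l in conf.splitlines()):
        if not line or line.startswith("#"):
            continue
        tag = re.match(r"<(/?)(?:Directory|Location|Files)\b\s*([^>]*)>", line, re.I)
        if tag and not tag.group(1):
            path, directives = tag.group(2), {}
        elif tag:
            results += [(path, f) for f in check(directives)]
            path = None
        elif path is not None:
            name, _, args = line.partition(" ")
            directives[name.lower()] = args.strip().lower()
    return results
```

Directive names are compared as whole tokens, so `SSLRequireSSL` is not mistaken for `Require`.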