[mod_python] req.user and SSL?

Bud P. Bruegger bud at comune.grosseto.it
Mon Feb 20 04:46:21 EST 2006


At 13.54 19/02/2006 +1100, Graham Dumpleton wrote:

>On 18/02/2006, at 1:05 AM, Bud P. Bruegger wrote:
>
>>Hello everyone,
>>
>>I have a problem reading req.user when using mod-SSL with the
>>+FakeBasicAuth option and setting SSLUser:  req.user always seems
>>to be undefined.  Also, neither Authen nor Authz handlers run.   Any
>>help would be highly appreciated.
>
>First off, I presume the client certificate does have a user name
>specified in it?

I understood that the mod-ssl directive
>SSLUserName SSL_CLIENT_S_DN_X509
tells it to set the subject DN as req.user.  Did I understand this 
incorrectly?  This DN is a string; would there be any requirements for 
accepting a string as user name (e.g., illegal chars)?

>Second is that mod_ssl only populates req.user from a MIDDLE hook of the
>access handler.

Ok, so possibly I don't see it in the access handler, but then I should see 
it in the Fixup stage, shouldn't I?

>This is the same as when mod_python access handlers are run. If the
>ordering of initialisation of mod_python/mod_ssl is such that a
>mod_python access handler is run before the internal access handler for
>mod_ssl, then req.user will not have been set yet and thus will not be
>available in the mod_python access handler.
>
>Finally, the authen handler and authz handler are only run if the
>Require directive has been used, which your configuration doesn't
>include. Thus you need something like:
>
>   Require valid-user

OK!  thanks for this!!!

>BTW, your attempt to get SSL variables from req.subprocess_env isn't
>going to work as they are only put there by mod_ssl by a REALLY_LAST
>hook of the fixup handler, which is after access handler, authen
>handler and authz handler. Will also be after mod_python fixup handler
>as it runs as MIDDLE hook.

Ok, I understand this.

>To get information about mod_ssl in earlier phases, you will need
>mod_ssl patches as described in:
>
>    https://issues.apache.org/jira/browse/MODPYTHON-94
>
>These changes have now been pushed into mod_python subversion main
>trunk if you are prepared to give developmental code a go.

This is actually the clean solution to my problem that I'm very happy has 
been integrated!

I was thinking of trying your external module with similar functionality 
later today--thinking that maybe the trunk version of mod-python may not be 
stable.  Would you recommend to take the trunk instead?

many thanks for your help!

-b


>Graham
>
>>Here some details of what I try:
>>
>>#-- Apache 2 conf ------------------------------
>>NameVirtualHost *:443
>><VirtualHost *:443>
>>         LogLevel debug
>>         SSLEngine on
>>         SSLCertificateFile /etc/apache2/ssl/apache.pem
>>         SSLCACertificateFile /etc/apache2/ssl/caCerts.pem
>>         SSLVerifyDepth 3
>>         SSLVerifyClient require
>>         #SSLUserName SSL_CLIENT_S_DN_X509
>>         DocumentRoot /var/www/
>>
>>         <Directory /var/www/sc>
>>             SSLRequireSSL
>>             SSLOptions +StdEnvVars +FakeBasicAuth
>>             AuthType Basic
>>             SetHandler mod_python
>>             PythonHandler test
>>             PythonAccessHandler test
>>             PythonAuthenHandler test
>>             PythonAuthzHandler test
>>             PythonFixupHandler test
>>             PythonDebug On
>>         </Directory>
>></VirtualHost>
>>
>>#--- test.py ----------------------------------------------------
>>from mod_python import apache
>>
>>def genHandler(req, handlerName):
>>     req.add_common_vars()
>>     req.get_basic_auth_pw()
>>     user = req.user
>>     dn = req.subprocess_env.get('SSL_CLIENT_S_DN',
>>                                 req.subprocess_env.keys())
>>     userLabel = 'XXX-%s-user' % handlerName
>>     dnLabel = 'XXX-%s-dn' % handlerName
>>     req.subprocess_env[userLabel]=str(user)
>>     req.subprocess_env[dnLabel]=str(dn)
>>     return apache.OK
>>
>>
>>def accesshandler(req):
>>     return genHandler(req, 'access')
>>
>>def authenhandler(req):
>>     return genHandler(req, 'authen')
>>
>>def authzhandler(req):
>>     return genHandler(req, 'authz')
>>
>>def fixuphandler(req):
>>     return genHandler(req, 'fixup')
>>#------------------------------------------------------
>>
>>many thanks in advance
>>
>>-b
>>
>>
>>
>>-------------------------------------------------------------------------------------------------
>>Ing. Bud P. Bruegger, Ph.D.                 +39-0564-488577 (voice),  -21139 (fax)
>>Servizio Elaborazione Dati                  e-mail:  bud at comune.grosseto.it
>>Comune di Grosseto                          jabber:  bud at jabber.no
>>Via Ginori, 43                              http://www.comune.grosseto.it/cie/
>>58100 Grosseto (Tuscany, Italy)             http://www.comune.grosseto.it/interopEID/
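
Added example (not part of the original message, and not Apache, mod_ssl or mod_python code): a small Python model of the hook ordering described in the reply above, showing what each mod_python handler would see in req.user and SSL_CLIENT_S_DN. The name run_request, the dict-based request object and the sample DN are constructed for illustration; breaking ties between equal-order hooks by initialisation order is an assumption taken from the reply.

```python
# Added illustrative model; not Apache, mod_ssl or mod_python source code.
# Hook-order constants use the values from APR's apr_hooks.h.
REALLY_FIRST, FIRST, MIDDLE, LAST, REALLY_LAST = -10, 0, 10, 20, 30

# The request phases discussed in the thread, in execution order.
PHASES = ("access", "authen", "authz", "fixup")


def run_request(load_order, require_present, client_dn):
    """Return {phase: (req.user, SSL_CLIENT_S_DN)} as each Python handler sees it.
    load_order      -- module initialisation order, e.g. ["mod_ssl", "mod_python"]
    require_present -- True if a Require directive applies to the request
    client_dn       -- constructed sample subject DN of the client certificate
    """
    req = {"user": None, "env": {}}
    seen = {}

    def ssl_access(r):   # mod_ssl: MIDDLE hook of the access phase sets the user
        r["user"] = client_dn

    def ssl_fixup(r):    # mod_ssl: REALLY_LAST fixup hook exports SSL_* variables
        r["env"]["SSL_CLIENT_S_DN"] = client_dn

    def py_handler(phase):   # stands in for the test.py handler of that phase
        def handler(r):
            seen[phase] = (r["user"], r["env"].get("SSL_CLIENT_S_DN"))
        return handler

    hooks = {p: [] for p in PHASES}
    for idx, module in enumerate(load_order):
        if module == "mod_ssl":
            hooks["access"].append((MIDDLE, idx, ssl_access))
            hooks["fixup"].append((REALLY_LAST, idx, ssl_fixup))
        elif module == "mod_python":
            for p in PHASES:   # assumption: every mod_python hook is MIDDLE
                hooks[p].append((MIDDLE, idx, py_handler(p)))

    for phase in PHASES:
        if phase in ("authen", "authz") and not require_present:
            continue   # without Require these phases are skipped entirely
        # Assumption: equal-order hooks run in module initialisation order.
        for _order, _idx, fn in sorted(hooks[phase], key=lambda h: h[:2]):
            fn(req)
    return seen


if __name__ == "__main__":
    print(run_request(["mod_ssl", "mod_python"], False, "CN=Test User"))
    print(run_request(["mod_python", "mod_ssl"], True, "CN=Test User"))
```

In this model the access handler sees no user when mod_python is initialised before mod_ssl, and in either order the MIDDLE fixup handler runs before SSL_CLIENT_S_DN is exported.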


