[mod_python] req.user and SSL?

Graham Dumpleton grahamd at dscpl.com.au
Mon Feb 20 04:50:10 EST 2006 

On 20/02/2006, at 8:46 PM, Bud P. Bruegger wrote:

> At 13.54 19/02/2006 +1100, Graham Dumpleton wrote:
>
>> On 18/02/2006, at 1:05 AM, Bud P. Bruegger wrote:
>>
>>> Hello everyone,
>>>
>>> I have a problem reading req.user when using mod-SSL with the
>>> +FakeBasicAuth option and setting SSLUser:  req.user always seems
>>> to be undefined.  Also, neither Authen nor Authz handers run.   Any
>>> help would be highly appreciated
>>
>> First off, I presume the client certificate does have a user name
>> specified in it?
>
> I understood that the mod-ssl directive
>> SSLUserName SSL_CLIENT_S_DN_X509
> tells it to set the subject DN as req.user.  Did I understand this  
> incorrectly?  This DN is a string; would there be any requirements  
> for accepting a string as user name (e.g., illegal chars)?

That is gobblygook to me. I'll let someone else try and answer that who
knows about SSL stuff.

>> Second is that mod_ssl only populates req.user from a MIDDLE hook  
>> of the
>> access handler.
>
> Ok, so possibly I don't see it in the access hander, but then I  
> should see it in the Fixup stage, shouldn't I?

Presuming I read the code for mod_ssl correctly, then yes.

>> To get information about mod_ssl in earlier phases, you will need
>> mod_ssl
>> patches as described in:
>>
>>    https://issues.apache.org/jira/browse/MODPYTHON-94
>>
>> These changes have now been pushed into mod_python subversion main
>> trunk if you are prepared to give developmental code a go.
>
> This is actually the clean solution to my problem that I'm very  
> happy has been integrated!
>
> I was thinking of trying your external module with similar  
> functionality later today--thinking that maybe the trunk version of  
> mod-python may not be stable.  Would you recommend to take the  
> trunk instead?

See no harm in trying the trunk. The most significant changes are  
support for
Apache 2.2, simplified GIL API and mod_ssl. The only stability issues  
I know of
are that one test fails with Apache 2.2 on Mac OS X. This is probably  
more to
do with Apache 2.2 than mod_python though.

So, if you use Apache 2.0.55, you should be okay.

Graham

More information about the Mod_python mailing list