[mod_python] whole site handlers and authentication

Jim Gallacher jpg at jgassociates.ca
Tue Nov 14 10:31:34 EST 2006

Richard Lewis wrote:
> On Tuesday 14 November 2006 14:17, Jorey Bump wrote:
>> Richard Lewis wrote:
>>> I plan to implement a URI-controlled API where all "commands" will begin
>>> with "/edit/". And I want to provide authentication for these commands (I
>>> have a MySQL user database). Because I have this "whole site" handler,
>>> will it be possible to use standard authentication directives? And will
>>> it be possible to use the Directory directive for "/edit/" requests, as I
>>> don't have actual directories?
>> Use Location, not Directory.
> OK. But what I mean is, will it ever be able to use the Location directive? If 
> I have a Python handler processing /all/ requests under a VirtualHost I don't 
> think there are any circumstances under which Apache will even consider the 
> Location directive. Is that right?

I don't think so. Directives in the Location context should override the
directives higher up in the VirtualHost context. Try something like this:

<Location /edit>
   PythonDebug On
   AuthType Basic
   AuthName "Restricted"
   Require valid-user
   PythonAuthenHandler foo.bar

foo/bar.py looks something like this:

from mod_python import apache

def authenhandler(req):

     pw = req.get_basic_auth_pw()
     user = req.user
     if user == "spam" and pw == "eggs":
         return apache.OK
         return apache.HTTP_UNAUTHORIZED

As you are working in an earlier Apache processing phase, this will work 
to protect all resources under /edit, even if they are not handled by 
mod_python. It's a powerful thing.


More information about the Mod_python mailing list