Brad Anderson
brad at sankatygroup.com
Sun Jul 22 22:06:32 EDT 2007
Graham Dumpleton wrote:
> The reason it doesn't work is technically because the
> authentication/authorisation phases have been pushed into a single
> authentication handler when it should be split between a separate
> authentication and authorisation handlers.

Okay... and that's the way I had it before reading somewhere (maybe that April '06 thread) to stay away from PythonAuthzHandler or a separate authzhandler. In any case, going back to separate handlers with PythonHandlerModule is now working :-D

> To be more specific, the authentication handler should only do
> something if req.auth_type() returns the type of authentication type
> it is meant to handle, it should then only be checking that the
> login/password is correct and if it is setting req.user to be the
> username and setting req.ap_auth_type to the authentication type
> scheme. The latter can usually just be set to the value returned from
> calling req.auth_type(). Setting req.user and req.ap_auth_type is
> technically required to indicate to later phases that authentication
> was successful.

I didn't (re)set either of these, but things seem to be working fine.

> A separate authorisation handler should then process req.requires()
> but if it doesn't find any requires values pertinent to it, it should
> return apache.DECLINED. By returning apache.DECLINED it allows the
> built-in authorisation handler to still run and honour values such as
> 'valid-user'.

This does *not* work. I found the 'configuration error: couldn't check access. No groups file?' came back using DECLINED, so I went back to HTTP_UNAUTHORIZED.

> In short, it fails because you aren't supplying an authorisation
> handler and as a result it is still running the default authorisation
> handler which fails because there is no group file for it to run.
>
> That it is all wrong is not your fault as the Django example is wrong
> in the first place and technically it isn't possible to do it
> completely correctly unless using mod_python 3.3 or later.

And I had found comments or mods that said it was wrong, and helped make it work. I must have gotten fairly close. But I didn't get all the way there before combining into one handler and bothering this list.

> So, suggest you first split out authentication into its own handler
> and get it working. Post that here and I will tell you the bits that
> may be missing to make it completely correct. Then we can move onto
> separate authorisation handler.
>
> BTW, I assume you are using mod_python 3.3.1?

Yep. See: http://paste.dprogramming.com/dpc5aypn.php for code and config.

Thanks for your help,
BA
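The handler split described in the quoted text, as an added example that is not code from this thread or from the linked paste: an authentication handler that only verifies Basic credentials and records the result, and an authorisation handler that declines when no `Require` line is addressed to it. The `USERS` table, the `app-role` requirement keyword, `check_credentials` and the stand-in `apache` class (used only when mod_python is not importable) are assumptions made for illustration.

```python
import hashlib
import hmac

try:
    from mod_python import apache
except ImportError:
    class apache:  # stand-in with Apache's numeric values, for runs outside httpd
        OK, DECLINED, HTTP_UNAUTHORIZED = 0, -1, 401

SALT = b"constructed-salt"   # constructed sample value
ROLE_KEYWORD = "app-role"    # hypothetical keyword, e.g. "Require app-role editor"

def _digest(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, 100000)

# Constructed sample backend: user -> (password digest, roles)
USERS = {"alice": (_digest("correct horse"), {"editor"}),
         "bob": (_digest("hunter2"), set())}

def check_credentials(user, password):
    record = USERS.get(user)
    if record is None or password is None:
        return False
    return hmac.compare_digest(record[0], _digest(password))

def authenhandler(req):
    # Act only for the scheme this handler implements.
    scheme = req.auth_type()
    if not scheme or scheme.lower() != "basic":
        return apache.DECLINED
    password = req.get_basic_auth_pw()  # req.user is populated by this call
    user = req.user
    if not user or not check_credentials(user, password):
        return apache.HTTP_UNAUTHORIZED
    # Record the outcome for later phases.
    req.user = user
    req.ap_auth_type = scheme
    return apache.OK

def authzhandler(req):
    # Collect only the requirements addressed to this handler.
    wanted = set()
    for line in req.requires():
        words = line.split()
        if words and words[0] == ROLE_KEYWORD:
            wanted.update(words[1:])
    if not wanted:
        return apache.DECLINED  # e.g. only "valid-user": leave it to the built-in handler
    roles = USERS.get(req.user, (None, set()))[1]
    return apache.OK if roles & wanted else apache.HTTP_UNAUTHORIZED
```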