Graham Dumpleton
graham.dumpleton at gmail.com
Sun Jul 22 22:37:18 EDT 2007
On 23/07/07, Brad Anderson <brad at sankatygroup.com> wrote:
> Graham Dumpleton wrote:
> > The reason it doesn't work is technically because the
> > authentication/authorisation phases have been pushed into a single
> > authentication handler when it should be split between a separate
> > authentication and authorisation handlers.
>
> Okay... and that's the way I had it before reading somewhere (maybe that
> April '06 thread) to stay away from PythonAuthzHandler or a separate
> authzhandler.
>
> In any case, going back to separate handlers with PythonHandlerModule is
> now working :-D
>
> > To be more specific, the authentication handler should only do
> > something if req.auth_type() returns the type of authentication type
> > it is meant to handle, it should then only be checking that the
> > login/password is correct and if it is setting req.user to be the
> > username and setting req.ap_auth_type to the authentication type
> > scheme. The latter can usually just be set to the value returned from
> > calling req.auth_type(). Setting req.user and req.ap_auth_type is
> > technically required to indicate to later phases that authentication
> > was successful.
>
> I didn't (re)set either of these, but things seem to be working fine.

Checking req.auth_type() result and setting req.ap_auth_type() technically
only really matter when using authenhandler as intended for Apache
modules, although no one ever does it properly with mod_python. :-)

All it means is that at the start of the handler you have:

  if req.auth_type() != 'Session':
    return apache.DECLINED

This would be the case for an authentication handler which processes an
AuthType of "Session". It simply means that one could register a whole
bunch of different authentication handlers with all being called and
those which didn't apply for the configured AuthType declining to do
anything.

Technically you shouldn't really be using AuthType of 'Basic' as it
conflicts with the builtin authentication handler, but perhaps instead
use something like:

  AuthType Django::Basic

and then using:

  if req.auth_type() != 'Django::Basic':
    return apache.DECLINED

Finally, if the authentication handler is returning apache.OK to allow
the user through, it would set:

  req.ap_auth_type = 'Django::Basic'

This is just so that a content handler could make some judgment later
based on the authentication mechanism used. I.e., more for completeness
than anything else.

Doing it like this probably has less value in Apache 2.0 than in Apache
2.2 where the authentication handlers have been improved with the ability
to disable authoritativeness for each handler type individually. Actually
interesting that someone started to add the concept of authoritativeness
to mod_python at one point and never finished it. But then, mod_python
possibly incorrectly calls ap_note_basic_auth_failure(req) in the C code
when this should be accessible from Python and only appropriate
authentication handlers call it. So, a bit broken in some ways.

For more stuff on doing things the Apache way see:

  http://issues.apache.org/jira/browse/MODPYTHON-124

> > A separate authorisation handler should then process req.requires()
> > but if it doesn't find any requires values pertinent to it, it should
> > return apache.DECLINED. By returning apache.DECLINED it allows the
> > builtin authorisation handler to still run and honour values such as
> > 'valid-user'.
>
> This does *not* work. I found the 'configuration error: couldn't check
> access. No groups file?' came back using DECLINED, so I went back to
> HTTP_UNAUTHORIZED

You should only be returning HTTP_UNAUTHORIZED when you find your
specific Requires token but it fails the test. Other times you should
return DECLINED.

By always returning HTTP_UNAUTHORIZED it goes against the Apache way of
registering multiple handlers and only rejecting things if the
appropriate configuration was there to activate it. Again, in mod_python
users tend not to do things the Apache way. :-)

Anyway, by always returning HTTP_UNAUTHORIZED, you can't now say:

  Require valid-user

and have it work. For this to work, you would need to actually stop your
authorisation handler running altogether.

Graham
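The split authentication/authorisation handlers described in this thread, written out as an added example (not code from the thread or from mod_python itself). Each handler declines unless the configured AuthType or Require token is its own, so the builtin handlers still get their turn for things like "Require valid-user". The custom AuthType name comes from the post; the credential store, group map, FakeRequest stand-in and the choice to parse the Authorization header directly are assumptions for running it offline.

```python
import base64
try:
    from mod_python import apache          # real module when run under Apache
except ImportError:                        # constructed stand-in for offline runs
    class apache:
        OK, DECLINED, HTTP_UNAUTHORIZED = 0, -1, 401

AUTH_TYPE = 'Django::Basic'            # the custom AuthType name from the post
USERS = {'alice': 'wonderland'}        # constructed credential store (assumption)
GROUPS = {'staff': {'alice'}}          # constructed group map (assumption)

def basic_credentials(req):
    # Parse 'Authorization: Basic <b64>' directly; req.get_basic_auth_pw()
    # is tied to AuthType Basic, so it is avoided for a custom AuthType.
    scheme, _, blob = req.headers_in.get('Authorization', '').partition(' ')
    if scheme.lower() != 'basic':
        return None, None
    try:
        user, _, password = base64.b64decode(blob).decode().partition(':')
    except (ValueError, UnicodeDecodeError):
        return None, None
    return user, password

def authenhandler(req):
    if req.auth_type() != AUTH_TYPE:       # not our scheme: let other handlers run
        return apache.DECLINED
    user, password = basic_credentials(req)
    if user is None or USERS.get(user) != password:
        return apache.HTTP_UNAUTHORIZED
    req.user = user                        # marks authentication as successful
    req.ap_auth_type = AUTH_TYPE           # records the scheme for later phases
    return apache.OK

def authzhandler(req):
    # Act only on 'Require group ...'; decline otherwise so the builtin
    # authorisation handler can still honour e.g. 'Require valid-user'.
    ours = False
    for requirement in req.requires():
        words = requirement.split()
        if len(words) < 2 or words[0] != 'group':
            continue
        ours = True
        if any(req.user in GROUPS.get(g, ()) for g in words[1:]):
            return apache.OK
    return apache.HTTP_UNAUTHORIZED if ours else apache.DECLINED

class FakeRequest:                     # constructed stand-in for mod_python's request
    def __init__(self, auth_type, authorization, requires):
        self._auth_type, self._requires = auth_type, requires
        self.headers_in = {'Authorization': authorization} if authorization else {}
        self.user = self.ap_auth_type = None
    def auth_type(self): return self._auth_type
    def requires(self): return self._requires
```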