[mod_python] Access checking against another path

Roger Binns rogerb at rogerbinns.com
Tue May 1 01:31:10 EDT 2007



Graham Dumpleton wrote:
> What type of authentication is being used? Is it 'Basic' for AuthType
> or something entirely different?

Entirely up to the administrator, but most likely ldap.

> The problem is that the way you are doing it is more or less
> circumventing Apache's normal authentication mechanisms. Even if one
> had access to the full Apache C API I am not sure you could do it in a
> way that would be seen as being correct for the way Apache works.

That is what I was afraid of.  Note that I don't actually want to
circumvent the authentication at all - it is just that in the code for one
path I want to see if the supplied credentials are valid for a different
path.

> The only way I could conceive of you being able to do it then would be
> using a session/cookie based mechanism as the other person suggested, with
> a concept of user roles whereby a user who hasn't logged in through the web
> form doesn't have rights to do stuff. I.e., the sub handlers, when
> called as Python objects, would check what role the session has and reject
> the call if it doesn't have the required rights.

The reason cookies won't work is that the REST path (/api/....) is REST.
It doesn't give out cookies, or rather it wouldn't make sense to.  It
wouldn't be accessed directly from a browser but rather from various
other standalone programs.  The browser would access the web admin which
behind the scenes calls the APIs.

I really want to make this easy for the administrator and Apache has a
fine way of expressing access control.  If they say that only members of
a certain ldap group can delete objects (by accessing
/api/objectname/delete) then I want the separate web admin code to
automatically obey that.  I really don't want to have to build in a
second set of access controls, roles etc to the web admin.

I've looked over all the APIs twice and can't see any way that a
request on one path can do anything with other paths such as retrieve
their content.  I guess my last recourse is to use urllib2 with
request.construct_url() and copy headers across, hoping for the best.  It
will work fine with Basic style authentication but won't for NTLM and
similar challenge-response ones.

Roger
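The urllib-based fallback Roger describes, as an added example that is not part of the original thread: a hypothetical `credentials_valid_for_path()` re-sends only the caller's Authorization header to the protected path and treats anything but a 2xx as "denied", so the check fails closed. The in-process HTTP server standing in for the Apache-protected /api path, and the alice:s3cret credential it accepts, are constructed for the example.

```python
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

# Constructed stand-in for the Apache-protected REST path: only this Basic
# credential (hypothetical) is allowed to reach /api/objectname/delete.
ALLOWED = "Basic " + base64.b64encode(b"alice:s3cret").decode()

class FakeApiHandler(BaseHTTPRequestHandler):
    def do_HEAD(self):
        auth = self.headers.get("Authorization", "")
        if self.path == "/api/objectname/delete" and auth == ALLOWED:
            self.send_response(200)
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="api"')
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass

def credentials_valid_for_path(request_headers, target_url, timeout=5):
    """Ask the server whether the caller's credentials are accepted on
    target_url. Only Authorization is copied across: forwarding every header
    (Cookie, Host, ...) would leak more than the check needs. Works for Basic,
    whose header is self-contained; a connection-bound challenge/response
    scheme such as NTLM cannot be replayed like this and will simply deny."""
    auth = request_headers.get("Authorization")
    if not auth:
        return False
    probe = Request(target_url, method="HEAD", headers={"Authorization": auth})
    try:
        with urlopen(probe, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except OSError:
        # HTTPError (401/403) and URLError are OSError subclasses: fail closed.
        return False

def start_fake_api():
    """Run the constructed /api server on a free loopback port."""
    server = HTTPServer(("127.0.0.1", 0), FakeApiHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/api/objectname/delete" % server.server_port

if __name__ == "__main__":
    srv, url = start_fake_api()
    print(credentials_valid_for_path({"Authorization": ALLOWED}, url))
    srv.shutdown()
```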

