[mod_python] Access checking against another path

Graham Dumpleton graham.dumpleton at gmail.com
Tue May 1 02:05:59 EDT 2007


On 01/05/07, Roger Binns <rogerb at rogerbinns.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Graham Dumpleton wrote:
> > What type of authentication is being used? Is it 'Basic' for AuthType
> > or something entirely different?
>
> Entirely up to the administrator, but most likely ldap.

Saying ldap only refers to the auth provider, not to which HTTP
authentication mechanism is being used. Two that Apache understands
are Basic and Digest.

> > The problem is that the way you are doing it is more or less
> > circumventing Apache's normal authentication mechanisms. Even if one
> > had access to the full Apache C API am not sure you could do it in a
> > way that would be seen as being correct for the way Apache works.
>
> That is what I was afraid of.  Note that I don't actually want to
> circumvent the authentication at all - it is just that in code for one
> path I want to see if the supplied credentials are valid for a different
> path.
>
> > The only way I could conceive of you being able to do it then would be
> > using a session/cookie based mechanism as other person suggested, with
> > concept of user roles whereby user who hasn't logged in through web
> > form doesn't have rights to do stuff. I.e., the sub handlers when
> > called as Python objects would check what role session has and reject
> > call if not required rights.
>
> The reason cookies won't work is that the REST path (/api/....) is REST.
> It doesn't give out cookies, or rather wouldn't make sense to.  It
> wouldn't be accessed directly from a browser but rather from various
> other standalone programs.  The browser would access the web admin which
> behind the scenes calls the apis.
>
> I really want to make this easy for the administrator and Apache has a
> fine way of expressing access control.  If they say that only members of
> a certain ldap group can delete objects (by accessing
> /api/objectname/delete) then I want the separate web admin code to
> automatically obey that.  I really don't want to have to build in a
> second set of access controls, roles etc to the web admin.
>
> I've looked over all the APIs twice and can't see any way that a
> request on one path can do anything with other paths such as retrieve
> their content.  I guess my last recourse is to use urllib2 with
> request.construct_url() and copy headers across hoping for the best.  It
> will work fine with basic style authentication but won't for NTLM and
> similar challenge response ones.

Except that that will not work. The problem is that AuthType and
AuthName wouldn't be set for /admin if you only use them on /api, so
the web browser wouldn't normally even send the authentication
information through for /admin URL. Thus there isn't going to be any
auth information to pass through to a sub request.

BTW, looking at the Apache APIs, the call that may have allowed you to do
subrequests and incorporate output within a parent page is:

  ap_run_sub_req()

Even if exposed in mod_python it would still not help given that you
wouldn't have the auth information available for /admin URL to pass
through.

Graham
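The point both messages circle around is that the "copy the Authorization header across to a subrequest" idea only works for schemes whose credentials are not bound to the request being made. The following is an added illustration, not code from the thread or from mod_python: it parses an Authorization header the way a handler reading req.headers_in would, and decides whether the credentials could be verified unchanged against another path. Basic carries only user:password, so it is path-independent; Digest's response hash covers the uri field, so it only verifies for the exact URI it was computed for; NTLM and similar challenge/response schemes are rejected outright. The sample headers and the paths /admin/objects and /api/objectname/delete are constructed for this example.

```python
import base64
import binascii
import re

# Constructed sample headers, as a browser might send to /admin
# (not captured from any real deployment).
SAMPLE_BASIC = "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")
SAMPLE_DIGEST = (
    'Digest username="alice", realm="Example Admin", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/admin/objects", '
    'response="6629fae49393a05397450978507c4ef1", qop=auth, nc=00000001, '
    'cnonce="0a4f113b"'
)

# key=value or key="quoted value", comma separated (Digest parameter list)
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_authorization(header):
    """Split an Authorization header into (scheme, params).

    For Basic, params is {"username": ..., "password": ...}.
    For Digest, params is the dict of key=value fields as sent.
    Returns None when the header is absent or cannot be parsed.
    """
    if not header:
        return None
    scheme, _, rest = header.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        try:
            decoded = base64.b64decode(rest.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None
        user, sep, password = decoded.partition(":")
        if not sep:
            return None
        return "basic", {"username": user, "password": password}
    if scheme == "digest":
        params = {k: (q if q else v) for k, q, v in _PARAM_RE.findall(rest)}
        if "uri" not in params or "response" not in params:
            return None
        return "digest", params
    # NTLM, Negotiate and others: keep the scheme name, no params decoded
    return scheme, {}


def reusable_for(header, target_path):
    """Could these credentials be verified unchanged for target_path?

    This models the "copy headers across to a subrequest" approach:
    Basic has no path binding, Digest is bound to its uri field, and
    connection-oriented challenge/response schemes cannot be replayed.
    """
    parsed = parse_authorization(header)
    if parsed is None:
        return False
    scheme, params = parsed
    if scheme == "basic":
        return True
    if scheme == "digest":
        return params.get("uri") == target_path
    return False


if __name__ == "__main__":
    for label, hdr in (("Basic", SAMPLE_BASIC), ("Digest", SAMPLE_DIGEST)):
        ok = reusable_for(hdr, "/api/objectname/delete")
        print(f"{label}: credentials from /admin reusable for /api delete? {ok}")
```

Even for Basic, this only helps if the browser sent an Authorization header for /admin in the first place, which is exactly the AuthType/AuthName point above: with no realm configured on /admin there is nothing to forward, whatever the scheme.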