Graham Dumpleton
graham.dumpleton at gmail.com
Sat May 12 00:09:17 EDT 2007
On 12/05/07, Roger Binns <rogerb at rogerbinns.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I wrote a week ago about wanting to do subrequests but couldn't find
> anything in modpython beyond internal_redirect.
>
> Anyway it turns out that Apache really does have exactly what I need and
> they are called subrequests. The actual method I want to call is
> lookup_method_uri (assuming it copies authentication information from
> the parent request).

The problem is that in that discussion where I said:

"""Even if exposed in mod_python it would still not help given that you
wouldn't have the auth information available for /admin URL to pass
through."""

You basically didn't want to agree and said:

"""That is the easy bit :-) Just copying the authentication response
headers from /api will do the trick."""

I still believe that you don't quite understand what would happen. Let me
see if I can explain it again in a way you can understand.

First off, you said that /admin would have no AuthType/AuthName directives
covering that URL in the Apache configuration. Because of this fact, the
browser isn't going to be sending any authentication information for that
URL. I.e., there will be no Authorization header available to the request
handler for the /admin URL.

Second, you gave the pseudo code for your /admin handler as:

    def handler(req):
        print "Hello world"
        # I can't see how to do the next two lines which could have
        # different permissions
        ... check credentials in req against "/api/object/list"
        ... check credentials in req against "/api/object3/delete"
        # The next two could be done by calling the code that
        # implements /api directly (or playing with internal_redirect)
        items=request("/api/object/list")
        request("/api/%s/delete" % (items[3],))
        print "more output saying item3 was deleted"

Your problem as you see it is how to check those credentials. The real
problem at this point is where are you getting the credentials from if the
browser isn't going to send them.

If you are using either HTTP Basic or Digest authentication, which you said
was one of your options, given that the admin could choose whatever they
wanted, in order for the browser to send credentials the server has to
challenge the browser indicating that it is a password authenticated area
of the server. To do this it has to send back a special header to the
browser saying what the authentication domain is that credentials need to
be supplied for. You are skipping this important challenge step by assuming
the credentials will be there and simply moving to try and validate them.

It is also not enough that you have some special separate /login URL where
AuthType and AuthName may be set as the browser will only send through the
credentials for that URL and not arbitrary other URLs such as /admin which
it doesn't know to be in the same AuthName domain. Where web applications,
such as Trac, use a /login URL as a single login point, once they have
successfully logged in the user they then use cookies to track the fact
that the user is logged in.

If you still disagree, and maybe I am missing something, by what mechanism
do you think the credentials will be available in the first place? How is
the browser going to know to send them for the /admin URL?

The only way I can think of where credentials may be available
automatically is if you are using HTTPS with unique client side
certificates which identify the specific user.

> modpython seems not to have this family of methods. The Perl equivalent
> of modpython does:
>
> http://perl.apache.org/docs/2.0/api/Apache2/SubRequest.html
>
> Any advice on how to get access to these methods? I'm happy to do any
> of the following:
>
> * Modify modpython source code

Go right ahead if you want to modify your mod_python source.

> * Abuse ctypes in some way

Not something I'd recommend.

> * Write an additional library to be loaded accessible from python code

Which can also work, with SWIG serving as a useful complement.

> This topic seems to have come up before without apparent resolution:
>
> http://www.modpython.org/pipermail/mod_python/2006-September/021994.html
> http://www.mail-archive.com/[email protected]/msg02594.html

More importantly the following which was sent just a week before your
discussion started up.

http://www.modpython.org/pipermail/mod_python/2007-April/023494.html

and dictates various approaches to how one might go about extending
mod_python features without actually modifying mod_python.

Graham
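
Added example (not part of the original message, and not mod_python code): a small simulation of the HTTP Basic challenge step described above, showing that a client which has authenticated under /api still sends no Authorization header to an /admin URL that no realm covers. The realm name, user table, the X-Saw-Authorization header and the single-credential Browser class are all constructed for the illustration; the scope rule follows RFC 7617 section 2.2.

```python
import base64
import hmac

# Constructed sample configuration: only /api has an auth realm, /admin has none.
REALMS = {"/api/": "api-realm"}
USERS = {"alice": "s3cret"}  # constructed credentials

def server(path, headers):
    """Return (status, response_headers) as a Basic-auth server would."""
    realm = next((r for p, r in REALMS.items() if path.startswith(p)), None)
    if realm is None:
        # No AuthType/AuthName covers this URL, so no challenge is ever sent.
        return 200, {"X-Saw-Authorization": str("Authorization" in headers)}
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        except ValueError:  # malformed base64 or non-UTF-8 bytes
            user, pw = "", ""
        if user in USERS and hmac.compare_digest(USERS[user].encode(), pw.encode()):
            return 200, {}
    # The challenge: names the realm the client must supply credentials for.
    return 401, {"WWW-Authenticate": 'Basic realm="%s"' % realm}

class Browser:
    """Hypothetical client holding one credential, answering any challenge."""
    def __init__(self, user, password):
        raw = ("%s:%s" % (user, password)).encode()
        self.token = base64.b64encode(raw).decode()
        self.scopes = []  # path prefixes that were challenged and accepted

    def get(self, path):
        headers = {}
        # Preemptive send only for URLs under an already authenticated scope.
        if any(path.startswith(s) for s in self.scopes):
            headers["Authorization"] = "Basic " + self.token
        status, resp = server(path, headers)
        if status == 401 and "Authorization" not in headers:
            headers["Authorization"] = "Basic " + self.token
            status, resp = server(path, headers)
            if status == 200:
                self.scopes.append(path.rsplit("/", 1)[0] + "/")
        return status, resp, "Authorization" in headers

def demo():
    b = Browser("alice", "s3cret")
    first = b.get("/api/object/list")   # challenged, then authenticated
    second = b.get("/api/object/list")  # same scope: sent preemptively
    admin = b.get("/admin")             # no realm: nothing to validate
    return first, second, admin
```
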