[mod_python] Chaining handlers

David Champion dgc at uchicago.edu
Wed Mar 19 23:16:48 EDT 2008 

> The documentation does cover it, as long as you know what you are looking for.

Ugh.  I guess I don't -- I still don't see it, at least expressed in
this terminology.


> Before can suggest something, need to know what the criteria is that
> you are wanting to block on. Are you wanting to implement HTTP basic
> authorisation, ie., require user to login, or wanting to block based
> on something else, such as client IP?

It could be a variety of things, honestly.  Fundamentally I'm going
to ask for a username and password, but the usernames and passwords
are in flux at all times (i.e. there's no singular password file / sql
database / bdb file / whatever), and we might want to block even a
valid user/password pair based on IP or some other criterion.  I want
to be able to interact with the user in these edge cases.  I have a CGI
that does this well, so I'm trying to make a handler that uses cookies
established by the CGI to make a straightforward access decision at the
handler level so that I don't need to call out to a gateway CGI for
every request.

It's also desirable in this case to use a form for the authN instead of
a browser-dependent Basic login dialog.


> Also, is this the only reason you are wanting to use mod_python, or do
> you also have web applications that use mod_python specific APIs for
> content handler? If you do have a web application, is it WSGI
> compatible and thus could be hosted on any WSGI capable system?

I want this to act as a single signon service for a variety of
applications, but none of them is written in python at all.

The authentication information is available through a Python API,
so it's helpful to use Python to make the authN checks.  Other than
that I'm flexible, I guess -- there's no python-generated content
to serve.  I just have this odd user base that I need to provide my
own programmatic access to, and I don't want to do it separately for
several different applications.  I'd rather have the web server tell the
application that the user is pre-approved.  And I like Python most. :)

In the end this is not so different from any other SSO out there: detect
whether authN is required for the user, redirect to a login resource if
so, and then re-evaluate credentials upon return.  I just can't use any
existing SSOs that I know of because of where my user information is.

If there's some way I can bust it all through the *appearance* of HTTP
Basic just to get $REMOTE_USER on the application end, I can use that.
But I don't know any way to use Basic on the server without using it on
the client, unless it makes sense to make a two-pass handler that makes
an access decision first and filters incoming headers second.  But this
still leaves open how to engage CGI and PHP handlers later, so I'm not
sure it really solves the problem -- it's just another approach that
converges to the same point.


Thanks for your time.

-- 
 -D.    dgc at uchicago.edu    NSIT    University of Chicago

More information about the Mod_python mailing list