[mod_python] Chaining handlers

Graham Dumpleton graham.dumpleton at gmail.com
Wed Mar 19 23:36:38 EDT 2008


On 20/03/2008, David Champion <dgc at uchicago.edu> wrote:
> > The documentation does cover it, as long as you know what you are looking for.
>
> Ugh.  I guess I don't -- I still don't see it, at least expressed in
>  this terminology.
>
>  > Before can suggest something, need to know what the criteria is that
>  > you are wanting to block on. Are you wanting to implement HTTP basic
>  > authorisation, ie., require user to login, or wanting to block based
>  > on something else, such as client IP?
>
> It could be a variety of things, honestly.  Fundamentally I'm going
>  to ask for a username and password, but the usernames and passwords
>  are in flux at all times (i.e. there's no singular password file / sql
>  database / bdb file / whatever), and we might want to block even a
>  valid user/password pair based on IP or some other criterion.  I want
>  to be able to interact with the user in these edge cases.  I have a CGI
>  that does this well, so I'm trying to make a handler that uses cookies
>  established by the CGI to make a straightforward access decision at the
>  handler level so that I don't need to call out to a gateway CGI for
>  every request.
>

The access, authentication and authorisation handler phases are:

  http://www.modpython.org/live/current/doc-html/dir-handlers-ach.html
  http://www.modpython.org/live/current/doc-html/dir-handlers-auh.html
  http://www.modpython.org/live/current/doc-html/dir-handlers-auzh.html

To get some context also see:

  http://www.fmc-modeling.org/category/projects/apache/amp/4_4Request_Response_Loop.html

plus other parts of the same document.

>  It's also desirable in this case to use a form for the authN instead of
>  a browser-dependent Basic login dialog.

Although the authentication phase handler is mainly used for HTTP Basic
authentication, it can be adapted for use in a form based login
mechanism. It is a bit more tricky to do though.

>  > Also, is this the only reason you are wanting to use mod_python, or do
>  > you also have web applications that use mod_python specific APIs for
>  > content handler? If you do have a web application, is it WSGI
>  > compatible and thus could be hosted on any WSGI capable system?
>
> I want this to act as a single signon service for a variety of
>  applications, but none of them is written in python at all.

If you only wanted HTTP Basic authentication I would then have
suggested using mod_wsgi, not for its Python web hosting ability, but
for its Python hooks for the Apache auth provider mechanism. See:

  http://code.google.com/p/modwsgi/wiki/AccessControlMechanisms

It is simpler to use than writing full handlers in mod_python.

If you can find a separate Apache module that handles the concept of
form based login but can use an Apache 2.2 auth provider, then
mod_wsgi could still be used. I vaguely remember there being one that
may sort of do that, but I would need to go looking for it again. If I
can find that, then all you would need to do is provide the check
password and groups hooks in Python code.

I'll have a look to see if I can find an Apache module that does that.
I would rather pursue that than try to find and resurrect code I had
for doing form based login as an authentication handler, as right now
I'm not sure where I put it. :-)

Graham

>  The authentication information is available through a Python API,
>  so it's helpful to use Python to make the authN checks.  Other than
>  that I'm flexible, I guess -- there's no python-generated content
>  to serve.  I just have this odd user base that I need to provide my
>  own programmatic access to, and I don't want to do it separately for
>  several different applications.  I'd rather have the web server tell the
>  application that the user is pre-approved.  And I like Python most. :)
>
>  In the end this is not so different from any other SSO out there: detect
>  whether authN is required for the user, redirect to a login resource if
>  so, and then re-evaluate credentials upon return.  I just can't use any
>  existing SSOs that I know of because of where my user information is.
>
>  If there's some way I can bust it all through the *appearance* of HTTP
>  Basic just to get $REMOTE_USER on the application end, I can use that.
>  But I don't know any way to use Basic on the server without using it on
>  the client, unless it makes sense to make a two-pass handler that makes
>  an access decision first and filters incoming headers second.  But this
>  still leaves open how to engage CGI and PHP handlers later, so I'm not
>  sure it really solves the problem -- it's just another approach that
>  converges to the same point.
>
>
>  Thanks for your time.
>
>
>  --
>   -D.    dgc at uchicago.edu    NSIT    University of Chicago
>
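
The check password and groups hooks mentioned in the reply above, sketched as an added example that is not part of the original message or of mod_wsgi's own code. It assumes Python 3, that `REMOTE_ADDR` is present in the `environ` passed to the hook, and uses constructed stand-ins (`_USERS`, `_GROUPS`, `_BLOCKED_NETS`) for the poster's credential API and IP criterion:

```python
# Hook script for mod_wsgi's auth provider, loaded with (path is a placeholder):
#   AuthType Basic
#   AuthBasicProvider wsgi
#   WSGIAuthUserScript  /path/to/auth.wsgi
#   WSGIAuthGroupScript /path/to/auth.wsgi
#   Require group staff
import hashlib
import hmac
import ipaddress

_SALT = b"constructed-salt"  # constructed sample value


def _digest(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)


# Constructed stand-ins for the site's own credential API and block list.
_USERS = {"alice": _digest("correct horse")}
_GROUPS = {"alice": ["staff"]}
_BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def _ip_blocked(addr):
    """Fail closed: a missing or unparsable client address counts as blocked."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    return any(ip in net for net in _BLOCKED_NETS)


def check_password(environ, user, password):
    """mod_wsgi hook: True = accept, False = reject, None = user unknown."""
    if _ip_blocked(environ.get("REMOTE_ADDR", "")):
        return False  # refuse even a valid user/password pair from a blocked IP
    expected = _USERS.get(user)
    if expected is None:
        return None
    return hmac.compare_digest(expected, _digest(password))


def groups_for_user(environ, user):
    """mod_wsgi hook: groups consulted by 'Require group ...'."""
    return _GROUPS.get(user, [])
```

Because Apache sets `REMOTE_USER` after the provider accepts the login, CGI and PHP applications behind the same `<Location>` see the approved user without any Python of their own.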

