[mod_python] Chaining handlers

Graham Dumpleton graham.dumpleton at gmail.com
Wed Mar 19 23:51:43 EDT 2008

Also go to http://books.google.com and plug in search term of
'authn_cookie'. This should yield snippet of Nick Kew's book on
writing Apache modules. Read it as well as surrounding pages.

It has been a while since I read that section, so can't remember if
that is directly applicable. It may still be of interest were you to
try and write a C module or even Python auth handler to do this.

Also found mod_authn_form, but it is tied to MySQL database.


On 20/03/2008, Graham Dumpleton <graham.dumpleton at gmail.com> wrote:
> On 20/03/2008, David Champion <dgc at uchicago.edu> wrote:
> > > The documentation does cover it, as long as you know what you are looking for.
>  >
>  > Ugh.  I guess I don't -- I still don't see it, at least expressed in
>  >  this terminology.
>  >
>  >  > Before can suggest something, need to know what the criteria is that
>  >  > you are wanting to block on. Are you wanting to implement HTTP basic
>  >  > authorisation, ie., require user to login, or wanting to block based
>  >  > on something else, such as client IP?
>  >
>  > It could be a variety of things, honestly.  Fundamentally I'm going
>  >  to ask for a username and password, but the usernames and passwords
>  >  are in flux at all times (i.e. there's no singular password file / sql
>  >  database / bdb file / whatever), and we might want to block even a
>  >  valid user/password pair based on IP or some other criterion.  I want
>  >  to be able to interact with the user in these edge cases.  I have a CGI
>  >  that does this well, so I'm trying to make a handler that uses cookies
>  >  established by the CGI to make a straightforward access decision at the
>  >  handler level so that I don't need to call out to a gateway CGI for
>  >  every request.
>  >
> The access, authentication and authorisation handler phases are:
>   http://www.modpython.org/live/current/doc-html/dir-handlers-ach.html
>   http://www.modpython.org/live/current/doc-html/dir-handlers-auh.html
>   http://www.modpython.org/live/current/doc-html/dir-handlers-auzh.html
>  To get some context also see:
>   http://www.fmc-modeling.org/category/projects/apache/amp/4_4Request_Response_Loop.html
>  plus other parts of same document.
>  >  It's also desirable in this case to use a form for the authN instead of
>  >  a browser-dependent Basic login dialog.
> Although authentication phase handler is mainly used for HTTP Basic
>  authentication, it can be adapted for use in form based login
>  mechanism. It is a bit more tricky to do though.
>  >  > Also, is this the only reason you are wanting to use mod_python, or do
>  >  > you also have web applications that use mod_python specific APIs for
>  >  > content handler? If you do have a web application, is it WSGI
>  >  > compatible and thus could be hosted on any WSGI capable system?
>  >
>  > I want this to act as a single signon service for a variety of
>  >  applications, but none of them is written in python at all.
> If you only wanted HTTP Basic authentication I would then have
>  suggested using mod_wsgi, not for its Python web hosting ability, but
>  its Python hooks for Apache auth provider mechanism. See:
>   http://code.google.com/p/modwsgi/wiki/AccessControlMechanisms
>  Is simpler to use than writing full handlers in mod_python.
>  If you can find a separate Apache module that handles the concept of
>  form based login but can use an Apache 2.2 auth provider, then
>  mod_wsgi could still be used. I vaguely remember there being one that
>  may sort of do that, but would need to go looking for it again. If can
>  find that, then all you would need to do is provide the check password
>  and groups hooks in Python code.
>  I'll have a look to see if I can find Apache module that does that.
>  Would rather pursue that than try to find and resurrect code I had for
>  doing form based login as authentication handler as right now not sure
>  where I put it. :-)
>  Graham
>  >  The authentication information is available through a Python API,
>  >  so it's helpful to use Python to make the authN checks.  Other than
>  >  that I'm flexible, I guess -- there's no python-generated content
>  >  to serve.  I just have this odd user base that I need to provide my
>  >  own programmatic access to, and I don't want to do it separately for
>  >  several different applications.  I'd rather have the web server tell the
>  >  application that the user is pre-approved.  And I like Python most. :)
>  >
>  >  In the end this is not so different from any other SSO out there: detect
>  >  whether authN is required for the user, redirect to a login resource if
>  >  so, and then re-evaluate credentials upon return.  I just can't use any
>  >  existing SSOs that I know of because of where my user information is.
>  >
>  >  If there's some way I can bust it all through the *appearance* of HTTP
>  >  Basic just to get $REMOTE_USER on the application end, I can use that.
>  >  But I don't know any way to use Basic on the server without using it on
>  >  the client, unless it makes sense to make a two-pass handler that makes
>  >  an access decision first and filters incoming headers second.  But this
>  >  still leaves open how to engage CGI and PHP handlers later, so I'm not
>  >  sure it really solves the problem -- it's just another approach that
>  >  converges to the same point.
>  >
>  >
>  >  Thanks for your time.
>  >
>  >
>  >  --
>  >   -D.    dgc at uchicago.edu    NSIT    University of Chicago
>  >  _______________________________________________
>  >  Mod_python mailing list
>  >  Mod_python at modpython.org
>  >  http://mailman.modpython.org/mailman/listinfo/mod_python
>  >

More information about the Mod_python mailing list