Graham Dumpleton
graham.dumpleton at gmail.com
Wed Mar 19 23:51:43 EDT 2008
Also go to http://books.google.com and plug in search term of 'authn_cookie'. This should yield snippet of Nick Kew's book on writing Apache modules. Read it as well as surrounding pages. It has been a while since I read that section, so can't remember if that is directly applicable. It may still be of interest were you to try and write a C module or even Python auth handler to do this.

Also found mod_authn_form, but it is tied to MySQL database.

Graham

On 20/03/2008, Graham Dumpleton <graham.dumpleton at gmail.com> wrote:
> On 20/03/2008, David Champion <dgc at uchicago.edu> wrote:
> > > The documentation does cover it, as long as you know what you are looking for.
> >
> > Ugh. I guess I don't -- I still don't see it, at least expressed in
> > this terminology.
> >
> > > Before can suggest something, need to know what the criteria is that
> > > you are wanting to block on. Are you wanting to implement HTTP basic
> > > authorisation, ie., require user to login, or wanting to block based
> > > on something else, such as client IP?
> >
> > It could be a variety of things, honestly. Fundamentally I'm going
> > to ask for a username and password, but the usernames and passwords
> > are in flux at all times (i.e. there's no singular password file / sql
> > database / bdb file / whatever), and we might want to block even a
> > valid user/password pair based on IP or some other criterion. I want
> > to be able to interact with the user in these edge cases. I have a CGI
> > that does this well, so I'm trying to make a handler that uses cookies
> > established by the CGI to make a straightforward access decision at the
> > handler level so that I don't need to call out to a gateway CGI for
> > every request.
> >
>
> The access, authentication and authorisation handler phases are:
>
> http://www.modpython.org/live/current/doc-html/dir-handlers-ach.html
> http://www.modpython.org/live/current/doc-html/dir-handlers-auh.html
> http://www.modpython.org/live/current/doc-html/dir-handlers-auzh.html
>
> To get some context also see:
>
> http://www.fmc-modeling.org/category/projects/apache/amp/4_4Request_Response_Loop.html
>
> plus other parts of same document.
>
> > It's also desirable in this case to use a form for the authN instead of
> > a browser-dependent Basic login dialog.
>
> Although authentication phase handler is mainly used for HTTP Basic
> authentication, it can be adapted for use in form based login
> mechanism. It is a bit more tricky to do though.
>
> > > Also, is this the only reason you are wanting to use mod_python, or do
> > > you also have web applications that use mod_python specific APIs for
> > > content handler? If you do have a web application, is it WSGI
> > > compatible and thus could be hosted on any WSGI capable system?
> >
> > I want this to act as a single signon service for a variety of
> > applications, but none of them is written in python at all.
>
> If you only wanted HTTP Basic authentication I would then have
> suggested using mod_wsgi, not for its Python web hosting ability, but
> its Python hooks for Apache auth provider mechanism. See:
>
> http://code.google.com/p/modwsgi/wiki/AccessControlMechanisms
>
> Is simpler to use than writing full handlers in mod_python.
>
> If you can find a separate Apache module that handles the concept of
> form based login but can use an Apache 2.2 auth provider, then
> mod_wsgi could still be used. I vaguely remember there being one that
> may sort of do that, but would need to go looking for it again. If can
> find that, then all you would need to do is provide the check password
> and groups hooks in Python code.
>
> I'll have a look to see if I can find Apache module that does that.
> Would rather pursue that than try to find and resurrect code I had for
> doing form based login as authentication handler as right now not sure
> where I put it. :-)
>
> Graham
>
> > The authentication information is available through a Python API,
> > so it's helpful to use Python to make the authN checks. Other than
> > that I'm flexible, I guess -- there's no python-generated content
> > to serve. I just have this odd user base that I need to provide my
> > own programmatic access to, and I don't want to do it separately for
> > several different applications. I'd rather have the web server tell the
> > application that the user is pre-approved. And I like Python most. :)
> >
> > In the end this is not so different from any other SSO out there: detect
> > whether authN is required for the user, redirect to a login resource if
> > so, and then re-evaluate credentials upon return. I just can't use any
> > existing SSOs that I know of because of where my user information is.
> >
> > If there's some way I can bust it all through the *appearance* of HTTP
> > Basic just to get $REMOTE_USER on the application end, I can use that.
> > But I don't know any way to use Basic on the server without using it on
> > the client, unless it makes sense to make a two-pass handler that makes
> > an access decision first and filters incoming headers second. But this
> > still leaves open how to engage CGI and PHP handlers later, so I'm not
> > sure it really solves the problem -- it's just another approach that
> > converges to the same point.
> >
> >
> > Thanks for your time.
> >
> >
> > --
> > -D. dgc at uchicago.edu NSIT University of Chicago
> > _______________________________________________
> > Mod_python mailing list
> > Mod_python at modpython.org
> > http://mailman.modpython.org/mailman/listinfo/mod_python
> >
>
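
Added example (not part of the original post, and not mod_wsgi's own code): the check-password and groups hooks mentioned above, plus a host-based access hook for refusing an otherwise valid user by IP, written against the hook signatures documented on the AccessControlMechanisms page. The user store, group map, PBKDF2 parameters and blocked network are constructed stand-ins for the site's own Python API.

```python
# Added example: mod_wsgi access-control hooks. Hook names and signatures are
# mod_wsgi's; the stores, users and networks below are constructed sample data.
import hashlib
import hmac
import ipaddress
import os

ITERATIONS = 100_000  # assumed work factor for this sketch


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def _make_record(password):
    salt = os.urandom(16)
    return salt, _derive(password, salt)


# Hypothetical stand-in for the site's own user API. The thread says the
# credentials are always in flux, so look them up per call, never cache a verdict.
USERS = {"alice": _make_record("correct horse"), "bob": _make_record("hunter2")}
GROUPS = {"alice": ["staff", "sso-admin"], "bob": ["staff"]}
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed (TEST-NET-3)
_DUMMY = _make_record("dummy")  # used to equalise timing for unknown users


def allow_access(environ, host):
    """WSGIAccessScript hook: runs before authentication; False means 403."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal (e.g. a resolved name): fail closed
    return not any(addr in net for net in BLOCKED_NETS)


def check_password(environ, user, password):
    """WSGIAuthUserScript hook: None = unknown user, otherwise True/False."""
    record = USERS.get(user)
    salt, expected = record if record else _DUMMY
    # Always run the KDF so unknown users cost the same time as known ones.
    ok = hmac.compare_digest(_derive(password, salt), expected)
    return ok if record is not None else None


def groups_for_user(environ, user):
    """WSGIAuthGroupScript hook: group names matched by 'Require group'."""
    return list(GROUPS.get(user, []))
```

These are wired in with the WSGIAccessScript, WSGIAuthUserScript and WSGIAuthGroupScript directives. Returning None from check_password reports the user as unknown to this provider rather than as a failed password.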