[mod_python] mod_python session/form based user authentication

Graham Dumpleton graham.dumpleton at gmail.com
Sun Mar 29 18:23:15 EDT 2009


2009/3/29 bruce bushby <bruce.bushby at googlemail.com>:
> Hi
>
> I've been struggling to implement form based user authentication for some
> time now so I'm posting my progress in the hope that
> more experienced members will comment and any new starters will save
> themselves some time.
>
> A big thanks to John Calixto for getting back to me and suggesting "AuthType
> wgtiauth" and "Require wgti-user".
>
>
> The example works as follows:
> - Attempt to access the protected area gets intercepted by authenhandler, if
> not authorized redirect to login, if login successful, continue to original
> url.
>
> ...
>
> def authenhandler(req):
>         req.user = "nobody"
>         req.session = Session.DbmSession(req)
>
>         if req.session.is_new():
>                 req.session['referer'] = "http://mysite" + req.unparsed_uri
>                 req.session.save()
>                 util.redirect(req,"http://mysite/login")
>
>         if req.session.has_key('authstatus') and req.session['authstatus'] == "authenticated":
>                 return apache.OK
>
>         return apache.HTTP_UNAUTHORIZED

Technically this is incorrect/incomplete.

1. An authentication handler should be checking whether it is the
handler that should run for the AuthType used. Thus it should have the
following check as the first thing done:

  if req.auth_type() != 'wgtiauth':
    return apache.DECLINED

2. If the authentication handler successfully authenticated the user, only
then should it be setting req.user. It should not be doing it all the
time even if authentication failed. It is not technically a good idea
to be setting it to 'nobody' and it should really be the actual user
name. That way you can then use other Apache directives such as
'Require user'.

3. If the authentication handler was successful, it should be setting
req.ap_auth_type to be the authentication type.

  req.ap_auth_type = req.auth_type()

> def authzhandler(req):
>         if req.user:
>                 return apache.OK
>
>         return apache.HTTP_UNAUTHORIZED

Your whole authorisation handler is not needed, so get rid of:

                Require wgti-user
                PythonAuthzHandler authsession

and replace it with:

                Require valid-user

As I said before though, you should only be setting req.user if user
authenticated properly.

Graham
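A handler that applies the three corrections above, added here as an example and not code from either post. It assumes AuthType wgtiauth, a login page that stores 'authstatus' and 'user' in the session (assumption), and falls back to the numeric Apache return codes when mod_python is not importable so the logic can be exercised outside Apache.

```python
try:
    from mod_python import apache, util, Session
    OK, DECLINED = apache.OK, apache.DECLINED
    HTTP_UNAUTHORIZED, HTTP_MOVED_TEMPORARILY = apache.HTTP_UNAUTHORIZED, apache.HTTP_MOVED_TEMPORARILY
except ImportError:  # outside Apache: same numeric codes, so the logic can be exercised
    util = Session = None
    OK, DECLINED, HTTP_UNAUTHORIZED, HTTP_MOVED_TEMPORARILY = 0, -1, 401, 302

AUTH_TYPE = 'wgtiauth'    # must match 'AuthType wgtiauth' in the Apache config
SITE = 'http://mysite'    # host used in the original post


def redirect(req, location):
    """Send the browser to the login page (util.redirect raises SERVER_RETURN under Apache)."""
    if util is not None:
        util.redirect(req, location)
    req.headers_out['Location'] = location
    return HTTP_MOVED_TEMPORARILY


def authenhandler(req, session=None):
    """Assumes the login handler stores session['authstatus'] and session['user'] (assumption)."""
    # 1. Only act when Apache is asking for this handler's AuthType; otherwise let others run.
    if req.auth_type() != AUTH_TYPE:
        return DECLINED
    session = Session.DbmSession(req) if session is None else session
    req.session = session
    # No login recorded yet: remember where the user was going and send them to /login.
    if session.is_new() or 'authstatus' not in session:
        session['referer'] = SITE + req.unparsed_uri
        session.save()
        return redirect(req, SITE + '/login')
    # 2./3. Set req.user and req.ap_auth_type only on a successful login, never to 'nobody'.
    # With req.user holding the real name, 'Require valid-user' / 'Require user bruce' work.
    if session.get('authstatus') == 'authenticated' and session.get('user'):
        req.user = session['user']
        req.ap_auth_type = req.auth_type()
        return OK
    return HTTP_UNAUTHORIZED  # session exists but is not authenticated: fail closed
```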


