bruce bushby
bruce.bushby at googlemail.com
Sun Mar 29 21:43:40 EDT 2009
Hi Graham

Thanks for the feedback. The issue I've been stuck with (for 3 months now) is how to prevent the "browser pop-up" user/password dialog box. I've tried so many combinations, but every time I have "AuthType Basic/Require valid-user" set, the browser pops up the login dialog box, but I want "HTML form login/authentication".

req.user = "nobody" was set as a placeholder because without it I get:

[ req->user is NULL. Assign something to req.user if returning OK to avoid this error ]

I've just tried the following:

    AuthType session
    AuthName "members"
    Require valid-session

...and it works......but only if I "set req.user = nobody" as a temporary placeholder...or I get the req->user is NULL error.

I'll admit I don't have a clue....I got this far by trial and error, which is not very efficient.....I'm waiting for your book...hint hint :))

Is there a secret to prevent the "browser password pop-up box" and redirect to an HTML login page? I've spent 3 months googling and can't find a simple example.

Thanks again
Bruce

On Sun, Mar 29, 2009 at 11:23 PM, Graham Dumpleton <graham.dumpleton at gmail.com> wrote:

> 2009/3/29 bruce bushby <bruce.bushby at googlemail.com>:
> > Hi
> >
> > I've been struggling to implement form-based user authentication for some
> > time now, so I'm posting my progress in the hope that more experienced
> > members will comment and any new starters will save themselves some time.
> >
> > A big thanks to John Calixto for getting back to me and suggesting
> > "AuthType wgtiauth" and "Require wgti-user".
> >
> > The example works as follows:
> > - An attempt to access the protected area gets intercepted by authenhandler;
> >   if not authorized, redirect to login; if login is successful, continue to
> >   the original URL.
> >
> > ...
> >
> >     def authenhandler(req):
> >         req.user = "nobody"
> >         req.session = Session.DbmSession(req)
> >
> >         if req.session.is_new():
> >             req.session['referer'] = "http://mysite" + req.unparsed_uri
> >             req.session.save()
> >             util.redirect(req, "http://mysite/login")
> >
> >         if req.session.has_key('authstatus') and req.session['authstatus'] == "authenticated":
> >             return apache.OK
> >
> >         return apache.HTTP_UNAUTHORIZED
>
> Technically this is incorrect/incomplete.
>
> 1. An authentication handler should be checking whether it is the
> handler that should run for the AuthType used. Thus it should have the
> following check as the first thing done:
>
>     if req.auth_type() != 'wgtiauth':
>         return apache.DECLINED
>
> 2. If the authentication handler successfully authenticated the user, only
> then should it be setting req.user. It should not be doing it all the
> time even if authentication failed. It is not technically a good idea
> to be setting it to 'nobody', and it should really be the actual user
> name. That way you can then use other Apache directives such as
> 'Require user'.
>
> 3. If the authentication handler was successful, it should be setting
> req.ap_auth_type to be the authentication type.
>
>     req.ap_auth_type = req.auth_type()
>
> >     def authzhandler(req):
> >         if req.user:
> >             return apache.OK
> >
> >         return apache.HTTP_UNAUTHORIZED
>
> Your whole authorisation handler is not needed, so get rid of:
>
>     Require wgti-user
>     PythonAuthzHandler authsession
>
> and replace it with:
>
>     Require valid-user
>
> As I said before, though, you should only be setting req.user if the user
> authenticated properly.
>
> Graham
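An added example, not code from this thread or from mod_python itself: a PythonAuthenHandler that applies Graham's three points to Bruce's session-based form login, plus the login handler that sets the session state it relies on. The browser dialog Bruce is fighting comes from the WWW-Authenticate header that mod_auth_basic attaches when it answers 401 for "AuthType Basic"; with a private AuthType token mod_auth_basic declines, and an unauthenticated request is answered with a 302 to the HTML form instead of a 401, so no dialog appears. The AuthType token "wgtiauth", the site and login URLs, and the session keys "authstatus" and "user" are assumed from the thread; the credential store and the FakeRequest/FakeSession classes are constructed stand-ins so the handler logic can be exercised without Apache (under mod_python the real req object is passed in and the import succeeds).

```python
import hashlib
import hmac

AUTH_TYPE = "wgtiauth"            # must match "AuthType wgtiauth" in httpd.conf (assumed)
SITE_URL = "http://mysite"        # assumed, as in the thread
LOGIN_URL = SITE_URL + "/login"   # assumed location of the HTML login form

try:
    from mod_python import apache, util, Session
except ImportError:
    # Outside Apache the real modules are absent; these stand-ins carry only
    # the constants and the one helper the handlers below use.
    Session = None

    class apache(object):
        OK, DECLINED, DONE = 0, -1, -2
        HTTP_MOVED_TEMPORARILY, HTTP_UNAUTHORIZED = 302, 401

        class SERVER_RETURN(Exception):
            pass

    class util(object):
        @staticmethod
        def redirect(req, location):
            # Mirrors mod_python's util.redirect: Location + 302, then
            # SERVER_RETURN so nothing after the call in the handler runs.
            req.err_headers_out["Location"] = location
            req.status = apache.HTTP_MOVED_TEMPORARILY
            raise apache.SERVER_RETURN(apache.DONE)


def open_session(req):
    """Attach a DBM-backed session to the request, once per request."""
    if getattr(req, "session", None) is None:
        req.session = Session.DbmSession(req)
    return req.session


def authenhandler(req):
    """PythonAuthenHandler: turn a logged-in session into req.user."""
    # Point 1: act only for our own AuthType; for any other (e.g. Basic)
    # decline so the module that owns it runs instead.
    if req.auth_type() != AUTH_TYPE:
        return apache.DECLINED
    session = open_session(req)
    # Points 2 and 3: only an authenticated session sets req.user, and to the
    # real user name, so "Require valid-user" and "Require user alice" work.
    if session.get("authstatus") == "authenticated" and session.get("user"):
        req.user = session["user"]
        req.ap_auth_type = req.auth_type()
        return apache.OK
    # Not logged in: remember the requested page and send the browser to the
    # HTML form. A 302 carries no WWW-Authenticate header, hence no dialog.
    # util.redirect raises SERVER_RETURN, so the final return is never reached.
    session["referer"] = SITE_URL + req.unparsed_uri
    session.save()
    util.redirect(req, LOGIN_URL)
    return apache.HTTP_UNAUTHORIZED


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100000)

# Constructed demo credential store; a deployment would use a database or LDAP.
_SALT = b"demo-salt-not-secret"
USERS = {"alice": hash_password("correct horse", _SALT)}


def verify_password(username, password):
    """Hash even for unknown users (uniform timing), then constant-time compare."""
    candidate = hash_password(password, _SALT)
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(expected, candidate)


def login(req, username, password):
    """Handler behind LOGIN_URL, called with the posted form fields. On success
    it marks the session and returns the browser to the page it first asked for."""
    session = open_session(req)
    if not verify_password(username, password):
        session["authstatus"] = "failed"
        session.save()
        return apache.HTTP_UNAUTHORIZED   # a real page would re-render the form
    session["authstatus"] = "authenticated"
    session["user"] = username
    target = session.pop("referer", SITE_URL)
    session.save()
    util.redirect(req, target)


# Constructed stand-ins for offline runs; Apache supplies the real req object.
class FakeSession(dict):
    saved = False

    def save(self):
        self.saved = True


class FakeRequest(object):
    def __init__(self, auth_type, uri, session=None):
        self._auth_type = auth_type
        self.unparsed_uri = uri
        self.session = FakeSession(session or {})
        self.err_headers_out = {}
        self.status = None
        self.user = None
        self.ap_auth_type = None

    def auth_type(self):
        return self._auth_type


def run_handler(handler, req, *args):
    """Run a handler as Apache does: a SERVER_RETURN raised by util.redirect
    ends the request, reported here as ('redirect', location)."""
    try:
        return handler(req, *args)
    except apache.SERVER_RETURN:
        return ("redirect", req.err_headers_out.get("Location"))
```

In httpd.conf this pairs with the directives Graham lists for the protected area ("AuthType wgtiauth", "AuthName", "Require valid-user", and "PythonAuthenHandler" pointing at the module that defines authenhandler); the login form's action is a separate, unprotected location whose content handler calls login() with the posted fields. Because req.user is only set from an authenticated session, no "nobody" placeholder is needed, and the "req->user is NULL" error cannot occur on the OK path.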