[mod_python] mod_python session/form based user authentication

Clodoaldo Pinto Neto clodoaldo.pinto.neto at gmail.com
Mon Mar 30 09:23:25 EDT 2009


2009/3/30 Graham Dumpleton <graham.dumpleton at gmail.com>:
> 2009/3/30 bruce bushby <bruce.bushby at googlemail.com>:
>> Hi Graham
>>
>> Thanks for the feedback. The issue I've been stuck with (for 3 months now)
>> is how to prevent the "browser pop-up" user/password dialog box.
>> I've tried so many combinations, but every time I have "AuthType
>> Basic/Require valid-user" set, the browser pops up the login dialog box but
>> I want "html form login/authentication".
>
> Try setting:
>
>  AuthBasicAuthoritative Off
>
> in Apache configuration.
>
> But then, if you aren't setting AuthType to be Basic, this shouldn't
> be an issue.
>
>> req.user = "nobody" was set as a place holder because without it I get:
>>   [ req->user is NULL. Assign something to req.user if returning OK to avoid
>> this error ]
>
> Even as a placeholder, it didn't need to be set in all cases and could
> cause an issue if there were multiple authentication handlers being
> executed.
>
>> I've just tried the following:
>> AuthType session
>> AuthName "members"
>> Require valid-session
>
> The Require isn't much point if you haven't written an authorization
> handler that understands valid-session.
>
>> ...and it works......but only if I "set req.user = nobody" as a temp place
>> holder...or I get the req->user is NULL error
>>
>>
>> I'll admit I don't have a clue....I got this far by trial and error, which
>> is not very efficient.....I'm waiting for your book ...hint hint :))
>
> I will not be writing a book on mod_python. IMHO mod_python is dying
> and the quicker people stop using it and shift to WSGI based Python
> web applications the better.
>
> The only problem in saying that is the alternatives don't support

I think there is one more problem in saying that. The number of people
insisting on using mod_python shows that there is a place for
something simple like the publisher handler. Even so long after
the alternatives have been available, and so long after the
alternatives' advocates have been saying they are much better, still
many of the beginners don't embrace them. And toolkits like Werkzeug
are not the answer those beginners expected. The tendency of
framework authors to make them as complex as possible also does
not help.

Developers (the good ones) love simplicity. My mod_python/CGI tutorial
is still growing in visits and CGI is still the visits champion! Not
saying mod_python should be kept alive, just that there is a clearly
delimited space for something like the publisher and trying to steer
the simplicity seekers out of that is not really productive. I'm
afraid they will just feel like there is no point in going with
python.

Regards, Clodoaldo

> writing Apache input/output filters nor custom session based
> authentication/authorisation schemes that cover multiple applications.
> The latter though will be supported in Apache 2.4 through
> mod_session, so no need to be fiddling with using mod_python at that
> point. You could also right now just use:
>
>  http://www.openfusion.com.au/labs/mod_auth_tkt/
>
>> Is there a secret to prevent the "browser password pop-up box" and redirect
>> to a html login page? I've spent 3 months
>> googling and can't find a simple example.
>
> For a working form/session based authentication handler, that is, one that
> I presume still works, see:
>
>  http://www.modpython.org/pipermail/mod_python/2006-May/021172.html
>
> The correct attachment address is:
>
>  http://www.modpython.org/pipermail/mod_python/attachments/20060520/813620d0/sessionmanager.tar.gz
>
> See the .htaccess file as to how it all ties together. The _session.py
> file is also extensively documented.
>
> Graham
>
>>
>> Thanks again
>> Bruce
>>
>> On Sun, Mar 29, 2009 at 11:23 PM, Graham Dumpleton
>> <graham.dumpleton at gmail.com> wrote:
>>>
>>> 2009/3/29 bruce bushby <bruce.bushby at googlemail.com>:
>>> > Hi
>>> >
>>> > I've been struggling to implement form based user authentication for
>>> > some time now so I'm posting my progress in the hope that more
>>> > experienced members will comment and any new starters will save
>>> > themselves some time.
>>> >
>>> > A big thanks to John Calixto for getting back to me and suggesting
>>> > "AuthType wgtiauth" and "Require wgti-user"
>>> >
>>> >
>>> > The example works as follows:
>>> > - Attempt to access the protected area gets intercepted by
>>> > authenhandler; if not authorized, redirect to login; if login
>>> > successful, continue to original url.
>>> >
>>> > ...
>>> >
>>> > from mod_python import apache, util, Session
>>> >
>>> > def authenhandler(req):
>>> >         req.user = "nobody"
>>> >         req.session = Session.DbmSession(req)
>>> >
>>> >         if req.session.is_new():
>>> >                 req.session['referer'] = "http://mysite" + req.unparsed_uri
>>> >                 req.session.save()
>>> >                 util.redirect(req,"http://mysite/login")
>>> >
>>> >         if req.session.has_key('authstatus') and req.session['authstatus'] == "authenticated":
>>> >                 return apache.OK
>>> >
>>> >         return apache.HTTP_UNAUTHORIZED
>>>
>>> Technically this is incorrect/incomplete.
>>>
>>> 1. An authentication handler should be checking whether it is the
>>> handler that should run for the AuthType used. Thus should have the
>>> following check as first thing done:
>>>
>>>  if req.auth_type() != 'wgtiauth':
>>>    return apache.DECLINED
>>>
>>> 2. If the authentication handler successfully authenticated user, only
>>> then should it be setting req.user. It should not be doing it all the
>>> time even if authentication failed. It is not technically a good idea
>>> to be setting it to 'nobody' and it should really be the actual user
>>> name. That way you can then use other Apache directives such as
>>> 'Require user'.
>>>
>>> 3. If the authentication handler was successful, it should be setting
>>> req.ap_auth_type to be the authentication type.
>>>
>>>  req.ap_auth_type = req.auth_type()
>>>
>>> > def authzhandler(req):
>>> >         if req.user:
>>> >                 return apache.OK
>>> >
>>> >         return apache.HTTP_UNAUTHORIZED
>>>
>>> Your whole authorisation handler is not needed, so get rid of:
>>>
>>>                Require wgti-user
>>>                PythonAuthzHandler authsession
>>>
>>> and replace it with:
>>>
>>>                Require valid-user
>>>
>>> As I said before though, you should only be setting req.user if user
>>> authenticated properly.
>>>
>>> Graham
>>
>>
>
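One way to rewrite Bruce's handler along the lines Graham lays out (check the AuthType first, set req.user and req.ap_auth_type only after a successful authentication, and let "Require valid-user" do the authorisation), as an added example that is not code from the thread or from mod_python itself. It assumes a hypothetical login page that stores 'authstatus' and 'username' in the session, reuses the thread's "http://mysite" placeholder, and falls back to stand-in constants when mod_python is not installed so the logic can be exercised offline:

```python
# Added example, not code from the thread: an authenhandler that follows the
# three points above (check AuthType, set req.user only on success, set
# req.ap_auth_type). Assumes the session keys 'authstatus' and 'username'
# are written by a separate login page (hypothetical) and that .htaccess
# uses "AuthType wgtiauth" and "Require valid-user".
try:
    from mod_python import apache, util, Session
except ImportError:          # stand-in constants so the logic runs offline
    class apache:
        OK, DECLINED, HTTP_UNAUTHORIZED = 0, -1, 401
    util = Session = None

AUTH_TYPE = "wgtiauth"
SITE = "http://mysite"       # placeholder host from the thread
LOGIN_URL = SITE + "/login"

def authenhandler(req, session=None):
    # 1. Only handle requests for our AuthType; otherwise let other
    #    authentication handlers (or mod_auth) have their turn.
    if req.auth_type() != AUTH_TYPE:
        return apache.DECLINED
    sess = session if session is not None else Session.DbmSession(req)
    req.session = sess
    # 2./3. Set req.user to the real name and ap_auth_type only after
    #       a successful authentication, never a placeholder like "nobody".
    if sess.get("authstatus") == "authenticated" and sess.get("username"):
        req.user = sess["username"]
        req.ap_auth_type = AUTH_TYPE
        return apache.OK
    # Not authenticated: remember the requested URL, then send the user to
    # the HTML login form instead of a browser Basic-auth dialog
    # (util.redirect raises apache.SERVER_RETURN under mod_python).
    sess["referer"] = SITE + req.unparsed_uri
    sess.save()
    if util is not None:
        util.redirect(req, LOGIN_URL)
    return apache.HTTP_UNAUTHORIZED

# Constructed stand-ins for exercising the handler without Apache.
class FakeSession(dict):
    saved = False
    def save(self):
        self.saved = True

class FakeReq:
    def __init__(self, auth_type, uri):
        self._auth_type, self.unparsed_uri = auth_type, uri
        self.user = self.ap_auth_type = self.session = None
    def auth_type(self):
        return self._auth_type
```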