[mod_python] mod_python session/form based user authentication

bruce bushby bruce.bushby at googlemail.com
Mon Mar 30 11:06:32 EDT 2009


I'm a complete novice but from what I've seen I really enjoy mod_python,
mostly because I'm hacking about at home, hosting
on my broadband and don't need anything more than the most simple solution
possible.

However, if I were tasked with developing a large commercial web app in
python, I would adopt mod_wsgi, so to me I see both modules having a long
life. I'd go so far as to say that the python language and the wsgi spec
need mod_python. I'm surprised there was a need for "PEP 333"
when there appears to be very little interest in mod_python. I say very
little interest because when compared to php, mod_python uptake is
negligible,
which surprises me because php as a language can hardly compare to python.

On Mon, Mar 30, 2009 at 2:23 PM, Clodoaldo Pinto Neto <
clodoaldo.pinto.neto at gmail.com> wrote:

> 2009/3/30 Graham Dumpleton <graham.dumpleton at gmail.com>:
> > 2009/3/30 bruce bushby <bruce.bushby at googlemail.com>:
> >> Hi Graeme
> >>
> >> Thanks for the feedback. The issue I've been stuck with (for 3 months now)
> >> is how to prevent the "browser pop-up" user/password dialog box.
> >> I've tried so many combinations, but every time I have "AuthType
> >> Basic/Require valid-user" set, the browser pops up the login dialog box but
> >> I want "html form login/authentication"
> >
> > Try setting:
> >
> >  AuthBasicAuthoritative Off
> >
> > in Apache configuration.
> >
> > But then, if you aren't setting AuthType to be Basic, this shouldn't
> > be an issue.
> >
> >> req.user = "nobody" was set as a place holder because without it I get:
> >>   [ req->user is NULL. Assign something to req.user if returning OK to
> >>   avoid this error ]
> >
> > Even as a place holder, it didn't need to be set in all cases and could
> > cause an issue if there were multiple authentication handlers being
> > executed.
> >
> >> I've just tried the following:
> >> AuthType session
> >> AuthName "members"
> >> Require valid-session
> >
> > The Require isn't much point if you haven't written an authorization
> > handler that understands valid-session.
> >
> >> ...and it works......but only if I "set req.user = nobody" as a temp
> >> place holder...or I get the req->user is NULL error
> >>
> >>
> >> I'll admit I don't have a clue....I got this far by trial and error,
> >> which is not very efficient.....I'm waiting for your book ...hint hint :))
> >
> > I will not be writing a book on mod_python. IMHO mod_python is dying
> > and the quicker people stop using it and shift to WSGI based Python
> > web applications the better.
> >
> > The only problem in saying that is the alternatives don't support
>
> I think there is one more problem in saying that. The number of people
> insisting on using mod_python shows that there is a place for
> something simple like the publisher handler. Even so long after
> the alternatives have been available and so long after the
> alternatives' advocates have been saying they are much better, still
> many of the beginners don't embrace them. And tool kits like Werkzeug
> are not those beginners' expected answer. The tendency of the
> framework authors trying to get them as complex as possible also does
> not help.
>
> Developers (the good ones) love simplicity. My mod_python/CGI tutorial
> is still growing in visits and CGI is still the visits champion! Not
> saying mod_python should be kept alive, just that there is a clearly
> delimited space for something like the publisher and trying to steer
> the simplicity seekers out of that is not really productive. I'm
> afraid they will just feel like there is no point in going with
> python.
>
> Regards, Clodoaldo
>
> > writing Apache input/output filters nor custom session based
> > authentication/authorisation schemes that cover multiple applications.
> > The latter though will be supported in Apache 2.4 through
> > mod_session, so no need to be fiddling within using mod_python at that
> > point. You could also right now just use:
> >
> >  http://www.openfusion.com.au/labs/mod_auth_tkt/
> >
> >> Is there a secret to prevent the "browser password pop-up box" and
> >> redirect to a html login page? I've spent 3 months
> >> googling and can't find a simple example.
> >
> > For a working form/session based authentication handler, that is, I
> > presume it still works, see:
> >
> >  http://www.modpython.org/pipermail/mod_python/2006-May/021172.html
> >
> > The correct attachment address is:
> >
> > http://www.modpython.org/pipermail/mod_python/attachments/20060520/813620d0/sessionmanager.tar.gz
> >
> > See the .htaccess file as to how it all ties together. The _session.py
> > file is also extensively documented.
> >
> > Graham
> >
> >>
> >> Thanks again
> >> Bruce
> >>
> >> On Sun, Mar 29, 2009 at 11:23 PM, Graham Dumpleton
> >> <graham.dumpleton at gmail.com> wrote:
> >>>
> >>> 2009/3/29 bruce bushby <bruce.bushby at googlemail.com>:
> >>> > Hi
> >>> >
> >>> > I've been struggling to implement form based user authentication for
> >>> > some time now so I'm posting my progress in the hope that
> >>> > more experienced members will comment and any new starters will save
> >>> > themselves some time.
> >>> >
> >>> > A big thanks to John Calixto for getting back to me and suggesting
> >>> > "AuthType wgtiauth" and "Require wgti-user"
> >>> >
> >>> >
> >>> > The example works as follows:
> >>> > - Attempt to access the protected area gets intercepted by
> >>> > authenhandler, if not authorized redirect to login, if login successful,
> >>> > continue to original url.
> >>> >
> >>> > ...
> >>> >
> >>> > def authenhandler(req):
> >>> >         req.user = "nobody"
> >>> >         req.session = Session.DbmSession(req)
> >>> >
> >>> >         if req.session.is_new():
> >>> >                 req.session['referer'] = "http://mysite" + req.unparsed_uri
> >>> >                 req.session.save()
> >>> >                 util.redirect(req, "http://mysite/login")
> >>> >
> >>> >         if req.session.has_key('authstatus') and req.session['authstatus'] == "authenticated":
> >>> >                 return apache.OK
> >>> >
> >>> >         return apache.HTTP_UNAUTHORIZED
> >>>
> >>> Technically this is incorrect/incomplete.
> >>>
> >>> 1. An authentication handler should be checking whether it is the
> >>> handler that should run for the AuthType used. Thus should have the
> >>> following check as first thing done:
> >>>
> >>>  if req.auth_type() != 'wgtiauth':
> >>>    return apache.DECLINED
> >>>
> >>> 2. If the authentication handler successfully authenticated user, only
> >>> then should it be setting req.user. It should not be doing it all the
> >>> time even if authentication failed. It is not technically a good idea
> >>> to be setting it to 'nobody' and it should really be the actual user
> >>> name. That way you can then use other Apache directives such as
> >>> 'Require user'.
> >>>
> >>> 3. If the authentication handler was successful, it should be setting
> >>> req.ap_auth_type to be the authentication type.
> >>>
> >>>  req.ap_auth_type = req.auth_type()
> >>>
> >>> > def authzhandler(req):
> >>> >         if req.user:
> >>> >                 return apache.OK
> >>> >
> >>> >         return apache.HTTP_UNAUTHORIZED
> >>>
> >>> Your whole authorisation handler is not needed, so get rid of:
> >>>
> >>>                Require wgti-user
> >>>                PythonAuthzHandler authsession
> >>>
> >>> and replace it with:
> >>>
> >>>                Require valid-user
> >>>
> >>> As I said before though, you should only be setting req.user if user
> >>> authenticated properly.
> >>>
> >>> Graham
> >>
> >>
> >
>
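What Graham's three points look like when put together, as an added example that is not code from the thread or from mod_python itself: a session based authenhandler that declines for a foreign AuthType, sends a brand new session to the login form with the original URL stored in the session, and sets req.user and req.ap_auth_type only after the session shows a completed login, so that a plain "Require valid-user" does the authorisation and no separate authzhandler is needed. mod_python is not importable outside Apache, so the block drives the handler with constructed FakeRequest/FakeSession objects that mimic the few attributes it touches; AUTH_TYPE, SITE_URL, LOGIN_URL, get_session and the session keys authstatus/username/referer are assumptions of this example (the login page is assumed to store the first two after checking credentials).

```python
# Form/session based mod_python authentication handler written to follow the
# three points raised in the thread:
#   (1) decline unless the request's AuthType is ours,
#   (2) set req.user only once the session shows a completed login,
#   (3) set req.ap_auth_type on success so "Require valid-user" works
#       without a custom PythonAuthzHandler.
# Added example, not code from the list post. mod_python is not importable
# here, so the handler is driven with FakeRequest/FakeSession stand-ins;
# AUTH_TYPE, SITE_URL, LOGIN_URL and the session keys are assumptions.

AUTH_TYPE = "wgtiauth"             # must match "AuthType wgtiauth" in .htaccess
SITE_URL = "http://mysite"         # constructed placeholder, as in the thread
LOGIN_URL = SITE_URL + "/login"

# Return codes with the same values mod_python.apache exposes.
OK, DECLINED, HTTP_UNAUTHORIZED = 0, -1, 401


class Redirect(Exception):
    """Stand-in for util.redirect(), which under mod_python sets the Location
    header and raises apache.SERVER_RETURN so the handler never returns."""
    def __init__(self, location):
        super().__init__(location)
        self.location = location


def get_session(req):
    # Under Apache this would be Session.DbmSession(req); offline the fake
    # request already carries a dict-like session object.
    return req.session


def authenhandler(req):
    # (1) Only act for our own AuthType; other handlers may own the request.
    if req.auth_type() != AUTH_TYPE:
        return DECLINED

    session = get_session(req)

    # A new session means no login has happened yet: remember the original
    # URL for the login page to bounce back to, then redirect to the form.
    if session.is_new():
        session["referer"] = SITE_URL + req.unparsed_uri
        session.save()
        raise Redirect(LOGIN_URL)

    # (2) Only a session the login page marked as authenticated, and that
    # names a user, earns req.user; it is never set to a placeholder.
    if session.get("authstatus") == "authenticated" and session.get("username"):
        req.user = session["username"]
        req.ap_auth_type = req.auth_type()   # (3) record the satisfied AuthType
        return OK

    # Anything else is unauthenticated; req.user stays unset.
    return HTTP_UNAUTHORIZED


# --- offline stand-ins for the mod_python objects (constructed) -------------

class FakeSession(dict):
    """Dict-backed stand-in for mod_python's Session class."""
    def __init__(self, new=False, **data):
        super().__init__(data)
        self._new = new
        self.saved = False

    def is_new(self):
        return self._new

    def save(self):
        self.saved = True


class FakeRequest:
    """Only the request attributes the handler touches."""
    def __init__(self, auth_type=AUTH_TYPE, uri="/members/index.html", session=None):
        self._auth_type = auth_type
        self.unparsed_uri = uri
        self.session = session if session is not None else FakeSession()
        self.user = None
        self.ap_auth_type = None

    def auth_type(self):
        return self._auth_type


def run(req):
    """Run the handler; return (status, req.user, redirect location or None)."""
    try:
        status = authenhandler(req)
    except Redirect as r:
        return ("redirect", req.user, r.location)
    return (status, req.user, None)


if __name__ == "__main__":
    print(run(FakeRequest(auth_type="Basic")))               # (-1, None, None)
    print(run(FakeRequest(session=FakeSession(new=True))))   # ('redirect', None, 'http://mysite/login')
    print(run(FakeRequest(session=FakeSession(authstatus="authenticated", username="bruce"))))
    print(run(FakeRequest(session=FakeSession(authstatus="pending"))))
```

With a handler shaped like this the .htaccess needs only `AuthType wgtiauth`, a `PythonAuthenHandler` pointing at the module, and `Require valid-user`, which is the simplification Graham suggests; the `Require wgti-user` line and the separate `PythonAuthzHandler` go away, and a request whose session was never marked authenticated never acquires a `req.user` at all.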