bruce bushby
bruce.bushby at googlemail.com
Mon Mar 30 11:06:32 EDT 2009
I'm a complete novice but from what I've seen I really enjoy mod_python, mostly because I'm hacking about at home, hosting on my broadband and don't need anything more than the most simple solution possible. However, if I were tasked with developing a large commercial web app in python, I would adopt mod_wsgi, so to me I see both modules having a long life. I'd go so far as to say that the python language and the wsgi spec need mod_python. I'm surprised there was a need for "PEP 333" when there appears to be very little interest in mod_python. I say very little interest because when compared to php, mod_python uptake is negligible, which surprises me because php as a language can hardly compare to python.

On Mon, Mar 30, 2009 at 2:23 PM, Clodoaldo Pinto Neto <clodoaldo.pinto.neto at gmail.com> wrote:

> 2009/3/30 Graham Dumpleton <graham.dumpleton at gmail.com>:
> > 2009/3/30 bruce bushby <bruce.bushby at googlemail.com>:
> >> Hi Graeme
> >>
> >> Thanks for the feedback. The issue I've been stuck with ( for 3 months now)
> >> is how to prevent the "browser pop-up" user/password dialog box.
> >> I've tried so many combinations, but every time I have "AuthType
> >> Basic/Require valid-user" set, the browser pops up the login dialog box but
> >> I want
> >> "html form login/authentication"
> >
> > Try setting:
> >
> >   AuthBasicAuthoritative Off
> >
> > in Apache configuration.
> >
> > But then, if you aren't setting AuthType to be Basic, this shouldn't
> > be an issue.
> >
> >> req.user = "nobody" was set as a place holder because without it I get:
> >> [ req->user is NULL. Assign something to req.user if returning OK to avoid
> >> this error ]
> >
> > Even as a place holder, didn't need to be set in all cases and could
> > cause an issue if there were multiple authentication handlers being
> > executed.
> >
> >> I've just tried the following:
> >>   AuthType session
> >>   AuthName "members"
> >>   Require valid-session
> >
> > The Require isn't much point if you haven't written an authorization
> > handler that understands valid-session.
> >
> >> ...and it works......but only if I "set req.user = nobody" as a temp place
> >> holder...or I get the req->user is NULL error
> >>
> >> I'll admit I don't have a clue....I got this far by trial and error, which
> >> is not very efficient.....I'm waiting for your book ...hint hint :))
> >
> > I will not be writing a book on mod_python. IMHO mod_python is dying
> > and the quicker people stop using it and shift to WSGI based Python
> > web applications the better.
> >
> > The only problem in saying that is the alternatives don't support
>
> I think there is one more problem in saying that. The number of people
> insisting on using mod_python shows that there is a place for
> something simple like the publisher handler. Even so long after
> the alternatives have been available, and so long after the
> alternatives' advocates have been saying they are much better, still
> many of the beginners don't embrace them. And tool kits like Werkzeug
> are not those beginners' expected answer. The tendency of the
> framework authors to try to get them as complex as possible also does
> not help.
>
> Developers (the good ones) love simplicity. My mod_python/CGI tutorial
> is still growing in visits and CGI is still the visits champion! Not
> saying mod_python should be kept alive, just that there is a clearly
> delimited space for something like the publisher and trying to steer
> the simplicity seekers out of that is not really productive. I'm
> afraid they will just feel like there is no point in going with
> python.
>
> Regards, Clodoaldo
>
> > writing Apache input/output filters nor custom session based
> > authentication/authorisation schemes that cover multiple applications.
> > The latter though will be supported in Apache 2.4 though through
> > mod_session, so no need to be fiddling within using mod_python at that
> > point. You could also right now just use:
> >
> >   http://www.openfusion.com.au/labs/mod_auth_tkt/
> >
> >> Is there a secret to prevent the "browser password pop-up box" and redirect
> >> to a html login page? I've spent 3 months
> >> googling and can't find a simple example.
> >
> > For a working form/session based authentication handler, that is that
> > I presume it still works, see:
> >
> >   http://www.modpython.org/pipermail/mod_python/2006-May/021172.html
> >
> > The correct attachment address is:
> >
> >   http://www.modpython.org/pipermail/mod_python/attachments/20060520/813620d0/sessionmanager.tar.gz
> >
> > See the .htaccess file as to how it all ties together. The _session.py
> > file is also extensively documented.
> >
> > Graham
> >
> >>
> >> Thanks again
> >> Bruce
> >>
> >> On Sun, Mar 29, 2009 at 11:23 PM, Graham Dumpleton
> >> <graham.dumpleton at gmail.com> wrote:
> >>>
> >>> 2009/3/29 bruce bushby <bruce.bushby at googlemail.com>:
> >>> > Hi
> >>> >
> >>> > I've been struggling to implement form based user authentication for some
> >>> > time now so I'm posting my progress in the hope that
> >>> > more experienced members will comment and any new starters will save
> >>> > themselves some time.
> >>> >
> >>> > A big thanks to John Calixto for getting back to me and suggesting "AuthType
> >>> > wgtiauth" and "Require wgti-user"
> >>> >
> >>> > The example works as follows:
> >>> > - Attempt to access the protected area gets intercepted by authenhandler, if
> >>> > not authorized redirect to login, if login successful, continue to original
> >>> > url.
> >>> >
> >>> > ...
> >>> >
> >>> > def authenhandler(req):
> >>> >     req.user = "nobody"
> >>> >     req.session = Session.DbmSession(req)
> >>> >
> >>> >     if req.session.is_new():
> >>> >         req.session['referer'] = "http://mysite" + req.unparsed_uri
> >>> >         req.session.save()
> >>> >         util.redirect(req,"http://mysite/login")
> >>> >
> >>> >     if req.session.has_key('authstatus') and req.session['authstatus'] == "authenticated":
> >>> >         return apache.OK
> >>> >
> >>> >     return apache.HTTP_UNAUTHORIZED
> >>>
> >>> Technically this is incorrect/incomplete.
> >>>
> >>> 1. An authentication handler should be checking whether it is the
> >>> handler that should run for the AuthType used. Thus should have the
> >>> following check as first thing done:
> >>>
> >>>   if req.auth_type() != 'wgtiauth':
> >>>       return apache.DECLINED
> >>>
> >>> 2. If the authentication handler successfully authenticated user, only
> >>> then should it be setting req.user. It should not be doing it all the
> >>> time even if authentication failed. It is not technically a good idea
> >>> to be setting it to 'nobody' and it should really be the actual user
> >>> name. That way you can then use other Apache directives such as
> >>> 'Require user'.
> >>>
> >>> 3. If the authentication handler was successful, it should be setting
> >>> req.ap_auth_type to be the authentication type.
> >>>
> >>>   req.ap_auth_type = req.auth_type()
> >>>
> >>> > def authzhandler(req):
> >>> >     if req.user:
> >>> >         return apache.OK
> >>> >
> >>> >     return apache.HTTP_UNAUTHORIZED
> >>>
> >>> Your whole authorisation handler is not needed, so get rid of:
> >>>
> >>>   Require wgti-user
> >>>   PythonAuthzHandler authsession
> >>>
> >>> and replace it with:
> >>>
> >>>   Require valid-user
> >>>
> >>> As I said before though, you should only be setting req.user if user
> >>> authenticated properly.
> >>>
> >>> Graham
> >>
> >
> > _______________________________________________
> > Mod_python mailing list
> > Mod_python at modpython.org
> > http://mailman.modpython.org/mailman/listinfo/mod_python
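
The three corrections listed in the quoted reply, applied to the posted `authenhandler`, as an added example that is not part of the original thread or of mod_python itself. The `decide()` helper and the `username` session key (assumed to be stored by the login page) are hypothetical; the integer constants are the values of the corresponding `mod_python.apache` names so the decision logic also runs outside Apache.

```python
# Added example (not from the thread): the posted authenhandler with the
# three corrections from the quoted reply applied.
try:
    from mod_python import util, Session    # importable only under Apache
except ImportError:
    util = Session = None                   # offline: decide() still runs

OK, DECLINED, HTTP_UNAUTHORIZED = 0, -1, 401   # values of mod_python.apache constants
AUTH_TYPE = "wgtiauth"                  # AuthType name used in the thread
SITE = "http://mysite"                  # placeholder host from the post


def decide(auth_type, session, is_new, unparsed_uri):
    """Return (status, user, redirect_url); session is any dict-like object."""
    if auth_type != AUTH_TYPE:          # point 1: leave other AuthTypes alone
        return DECLINED, None, None
    if is_new:                          # no session yet: send to the login form
        session["referer"] = SITE + unparsed_uri
        return None, None, SITE + "/login"
    # 'username' is a hypothetical key the login page is assumed to store.
    user = session.get("username")
    if session.get("authstatus") == "authenticated" and user:
        return OK, user, None           # point 2: real name, only on success
    return HTTP_UNAUTHORIZED, None, None


def authenhandler(req):
    """mod_python entry point: apply decide() to the live request."""
    if req.auth_type() != AUTH_TYPE:    # checked before any session is created
        return DECLINED
    req.session = Session.DbmSession(req)
    status, user, target = decide(req.auth_type(), req.session,
                                  req.session.is_new(), req.unparsed_uri)
    if target:
        req.session.save()
        util.redirect(req, target)      # raises, which ends request processing
    if status == OK:
        req.user = user
        req.ap_auth_type = req.auth_type()   # point 3
    return status


if __name__ == "__main__":
    # Constructed session contents, for illustration only.
    print(decide("Basic", {}, True, "/members/"))
    print(decide(AUTH_TYPE, {"authstatus": "authenticated",
                             "username": "bruce"}, False, "/members/"))
```

Because `req.user` is left unset on every failure path, `Require valid-user` is only satisfied by a session that the login page marked as authenticated, never by a placeholder identity.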