Apache Authentication & Authorization

djmurf

Sep 1, 2011, 9:42:51 PM
to modwsgi
I believe I know the answer to this question, but I want to throw it
out there anyway.

I'm needing to implement an auth & auth module for apache, that is
pretty dynamic. Needs to talk to an existing backend token store, and
offer basic, form, certificate auth, etc.

I already have a working plugin using mod_python, but obviously that
is a dead project, and I don't know how long I can continue to run on
it.

I've already reviewed the documents on the auth features for apache in
mod_wsgi, and it appears my only choices with it are Basic and Digest
Auth, success or failure.

Are there any plans in the future to support more advanced auth & auth
functionality using mod_wsgi in apache? If no, would anyone have any
suggestions on an alternative? I would really prefer to stick with
python if possible!

Thanks for any assistance.

Dean

Graham Dumpleton

Sep 1, 2011, 10:58:46 PM
to mod...@googlegroups.com
Go have a look at mod_auth_tkt.

In general that is a better option for what you want.

http://www.openfusion.com.au/labs/mod_auth_tkt/

Graham


djmurf

Sep 2, 2011, 2:41:26 PM
to mod...@googlegroups.com
Thank you for the input. 

I have already looked at mod_auth_tkt, and unfortunately the one disadvantage that they advertise is no basic auth support, and that is one of the auth schemes that I do have to support. 

Plus I have to tie this into an existing SSO system that generates its own tokens, and I understand that mod_auth_tkt generates its own tokens internally.

I do appreciate the suggestion!

Dean 

Graham Dumpleton

Sep 2, 2011, 4:22:42 PM
to mod...@googlegroups.com
On 3 September 2011 04:41, djmurf <djm...@gmail.com> wrote:
> Thank you for the input.
> I have already looked at mod_auth_tkt, and unfortunately the one
> disadvantage that they advertise is no basic auth support, and that is one
> of the auth schemes that I do have to support.

It says:

Drop-in replacement for Basic Authentication: mod_auth_tkt sets the
Basic Authentication REMOTE_USER environment variable on authorised
requests, so that existing scripts that work with Basic Authentication
should work unchanged in a mod_auth_tkt environment.

which to me says they do support it, they might just implement it
themselves rather than hooking in to Apache 2.2 auth providers. Should
still do what is required though.

Did you try it?

Where did you see that it does not support it?

Graham


> Plus I have to tie this into an existing SSO system that generates its own
> tokens, and I understand that mod_auth_tkt generates its own tokens
> internally.
> I do appreciate the suggestion!
> Dean

djmurf

Sep 2, 2011, 5:53:28 PM
to mod...@googlegroups.com
I may have misspoken... what I read:

  Requires cookies: browsers without cookie support will never have a valid ticket and will therefore never be authorised by mod_auth_tkt. There are no current plans to support non-cookie-based authentication.

While true, it does support "basic" auth, I was more thinking along the terms of automation where basic authentication is used to access a resource, say a curl request, etc. 

If I understand this statement, my curl with basic auth would be "accepted", and the response would contain a set-cookie with the token, the access would be denied unless I went through multiple steps with curl or some automation system to store the cookie, then present it to access the protected resource. 

I really should have written in my reply, I need to be able to support non-cookie-based authentication using basic auth. 

Sorry for the confusion. 

Dean 
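
An added example, not part of the thread and not mod_wsgi's own code: a sketch of the mod_wsgi Basic auth hook mentioned in the first post (`check_password`, loaded with `WSGIAuthUserScript` and `AuthBasicProvider wsgi`), checking every request against a backend token store so that no cookie round trip is needed. `TOKEN_STORE`, `lookup_token`, the token values and the extra `now` parameter are assumptions made for illustration.

```python
# auth.wsgi: script named by WSGIAuthUserScript (used with AuthBasicProvider wsgi)
import hashlib
import hmac
import time

# Constructed stand-in for the existing backend token store:
# user -> (SHA-256 hex digest of the issued token, expiry in epoch seconds).
TOKEN_STORE = {
    "build-bot": (hashlib.sha256(b"constructed-token-1").hexdigest(), 4102444800),
    "old-bot": (hashlib.sha256(b"constructed-token-2").hexdigest(), 1),
}


def lookup_token(user):
    """Hypothetical backend lookup; replace with a call to the real store."""
    return TOKEN_STORE.get(user)


def check_password(environ, user, password, now=None):
    """mod_wsgi Basic auth hook, called once per request.

    Returns True to accept, False for a known user with a bad or expired
    credential, and None for an unknown user. mod_wsgi only ever passes
    (environ, user, password); `now` exists so the expiry check is testable.
    """
    record = lookup_token(user)
    if record is None:
        return None
    stored_digest, expires = record
    presented = hashlib.sha256(password.encode("utf-8")).hexdigest()
    # Constant-time comparison so response timing does not leak digest bytes.
    if not hmac.compare_digest(presented, stored_digest):
        return False
    current = time.time() if now is None else now
    # An expired token is rejected even though the secret matches.
    return current < expires
```
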
