Re: [modwsgi] Migrating from mod_python (PythonAccessHandler) to mod_wsgi
202 views
Skip to first unread message
Graham Dumpleton
Oct 14, 2012, 10:52:53 PM10/14/12
to mod...@googlegroups.com
The restriction on what mod_wsgi WSGIUserAuthScript does is because it
is implementing an Apache authentication provider and not a full
Apache handler. As such it isn't possible to override the status. That
is because of how Apache authentication providers work and not
mod_wsgi. The WSGIAccessScript is principally to do the equivalent of
'All from host' so all it can do is signal whether forbidden or not.
Anyway, post your existing mod_python access handler and may be able
to suggest something. If you were using an access handler to do
authentication you were technically abusing Apache in ways you
shouldn't. So not sure if will though have an answer.
Graham
On 15 October 2012 12:38, Noorul Islam Kamal Malmiyoda
<noo...@noorul.com> wrote:
> Hello all,
>
> In my current mod_python setup I have configured to serve some static files.
> See below snippet from httpd.conf
>
> Alias /files /path/to/static/files/folder
>
> <Location /files>
> DirectoryIndex .files_index.html
> AuthType Basic
> AuthName "Library"
> PythonPath "sys.path + ...."
> PythonAccessHandler modpython_fileauth
> PythonDebug Off
> FileETag None
> Header unset ETag
> Header set Cache-Control "max-age=0, private"
> Header set Expires "0"
> </Location>
>
> But these files can only be accessed by users based on some conditions. And
> these conditions are coded in modpython_fileauth. User can only see the
> Basic Auth pop-up based on some conditions because some of the paths based
> on several other conditions does not require authentication. This is
> achieved using req.get_basic_auth_pw() in mod_python. I am struggling to
> port this to mod_wsgi.
>
> As far as I know, it looks like mod_wsgi has two directives
> WSGIUserAuthScript and WSGIAccessScript. But these two have restrictions.
> From the corresponding python functions I am not able to request for Basic
> Auth from browser. Yes, I can send 401 from application because it has
> start_response, but that is not possible from these methods because it is
> expecting to return True or False. And in the case of WSGIUserAuthScript the
> corresponding method is not called if "Require valid-user" is not set. I
> think it is not ideal to do something like this using wsgi application as I
> want Apache to serve all my files and python to do some validation before
> that.
>
> It will be helpful if those who encountered something similar could share
> their thoughts on this.
>
> Thanks and Regards
> Noorul
>
> --
> You received this message because you are subscribed to the Google Groups
> "modwsgi" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/modwsgi/-/qLCR91QL1x0J.
> To post to this group, send email to mod...@googlegroups.com.
> To unsubscribe from this group, send email to
> modwsgi+u...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/modwsgi?hl=en.
is implementing an Apache authentication provider and not a full
Apache handler. As such it isn't possible to override the status. That
is because of how Apache authentication providers work and not
mod_wsgi. The WSGIAccessScript is principally to do the equivalent of
'All from host' so all it can do is signal whether forbidden or not.
Anyway, post your existing mod_python access handler and may be able
to suggest something. If you were using an access handler to do
authentication you were technically abusing Apache in ways you
shouldn't. So not sure if will though have an answer.
Graham
On 15 October 2012 12:38, Noorul Islam Kamal Malmiyoda
<noo...@noorul.com> wrote:
> Hello all,
>
> In my current mod_python setup I have configured to serve some static files.
> See below snippet from httpd.conf
>
> Alias /files /path/to/static/files/folder
>
> <Location /files>
> DirectoryIndex .files_index.html
> AuthType Basic
> AuthName "Library"
> PythonPath "sys.path + ...."
> PythonAccessHandler modpython_fileauth
> PythonDebug Off
> FileETag None
> Header unset ETag
> Header set Cache-Control "max-age=0, private"
> Header set Expires "0"
> </Location>
>
> But these files can only be accessed by users based on some conditions. And
> these conditions are coded in modpython_fileauth. User can only see the
> Basic Auth pop-up based on some conditions because some of the paths based
> on several other conditions does not require authentication. This is
> achieved using req.get_basic_auth_pw() in mod_python. I am struggling to
> port this to mod_wsgi.
>
> As far as I know, it looks like mod_wsgi has two directives
> WSGIUserAuthScript and WSGIAccessScript. But these two have restrictions.
> From the corresponding python functions I am not able to request for Basic
> Auth from browser. Yes, I can send 401 from application because it has
> start_response, but that is not possible from these methods because it is
> expecting to return True or False. And in the case of WSGIUserAuthScript the
> corresponding method is not called if "Require valid-user" is not set. I
> think it is not ideal to do something like this using wsgi application as I
> want Apache to serve all my files and python to do some validation before
> that.
>
> It will be helpful if those who encountered something similar could share
> their thoughts on this.
>
> Thanks and Regards
> Noorul
>
> --
> You received this message because you are subscribed to the Google Groups
> "modwsgi" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/modwsgi/-/qLCR91QL1x0J.
> To post to this group, send email to mod...@googlegroups.com.
> To unsubscribe from this group, send email to
> modwsgi+u...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/modwsgi?hl=en.
Noorul Islam Kamal Malmiyoda
Oct 16, 2012, 2:43:00 AM10/16/12
to mod...@googlegroups.com
On Monday, October 15, 2012 8:22:55 AM UTC+5:30, Graham Dumpleton wrote:
The restriction on what mod_wsgi WSGIUserAuthScript does is because it
is implementing an Apache authentication provider and not a full
Apache handler. As such it isn't possible to override the status. That
is because of how Apache authentication providers work and not
mod_wsgi. The WSGIAccessScript is principally to do the equivalent of
'All from host' so all it can do is signal whether forbidden or not.
Anyway, post your existing mod_python access handler and may be able
to suggest something. If you were using an access handler to do
authentication you were technically abusing Apache in ways you
shouldn't. So not sure if will though have an answer.
I am not sure whether I am supposed to share the code. But definitely I can tell what the code does.
def accesshandler(req):
return authenhandler(req)
def authenhandler(req):
do_house_keeping()
authenticated = do_cookie_auth(req) # This is done even without a user entering username and password.
if authenticated == False:
pw = req.get_basic_auth_pw() # Here is were we are asking the client for username and password.
I think from the above snippet it is very clear, what I am doing.
Thanks and Regards
Noorul
Noorul Islam Kamal Malmiyoda
Oct 17, 2012, 9:50:44 PM10/17/12
to mod...@googlegroups.com
On Monday, October 15, 2012 8:22:55 AM UTC+5:30, Graham Dumpleton wrote:
The restriction on what mod_wsgi WSGIUserAuthScript does is because it
is implementing an Apache authentication provider and not a full
Apache handler. As such it isn't possible to override the status. That
is because of how Apache authentication providers work and not
mod_wsgi. The WSGIAccessScript is principally to do the equivalent of
'All from host' so all it can do is signal whether forbidden or not.
Anyway, post your existing mod_python access handler and may be able
to suggest something. If you were using an access handler to do
authentication you were technically abusing Apache in ways you
shouldn't. So not sure if will though have an answer.
What I am looking for is to get hold of access_checker phase of apache. See http://ci.apache.org/projects/httpd/trunk/doxygen/group__hooks.html
It that possible using mod_wsgi?
Thanks and Regards
Noorul
Graham Dumpleton
Oct 19, 2012, 10:54:34 PM10/19/12
to mod...@googlegroups.com
It is not possible to do what you want in mod_wsgi as it doesn't aim
to provide a full on mechanism of writing arbitrary Apache handlers
for the different Apache phases.
For anything related to login and session management, suggest you look at:
http://www.openfusion.com.au/labs/mod_auth_tkt/
or if using Apache 2.4, the new mod_session module.
Also learn any necessary Apache configuration mechanism such as
mod_headers, mod_rewrite etc, so as to be able to do this sort of
thing in Apache itself in some way in conjunction with mod_session or
mod_auth_kit.
Graham
On 18 October 2012 12:50, Noorul Islam Kamal Malmiyoda
> https://groups.google.com/d/msg/modwsgi/-/zWQHSissBzIJ.
to provide a full on mechanism of writing arbitrary Apache handlers
for the different Apache phases.
For anything related to login and session management, suggest you look at:
http://www.openfusion.com.au/labs/mod_auth_tkt/
or if using Apache 2.4, the new mod_session module.
Also learn any necessary Apache configuration mechanism such as
mod_headers, mod_rewrite etc, so as to be able to do this sort of
thing in Apache itself in some way in conjunction with mod_session or
mod_auth_kit.
Graham
On 18 October 2012 12:50, Noorul Islam Kamal Malmiyoda
Reply all
Reply to author
Forward
0 new messages