Thursday, February 3, 2011

Authorisation in mod_wsgi

I have the following setup,

WSGIScriptAlias /i C:/Project/Scripts/hello.wsgi
WSGIScriptAlias /hello C:/Project/Scripts/hello.wsgi

<Directory "C:/Project/Scripts">
 Order deny,allow
 Allow from all
</Directory>

<Location /i>
 AuthType Basic
 AuthName "Top Secret"
 AuthBasicProvider wsgi
 WSGIAuthUserScript C:/Project/Scripts/authn.wsgi
 WSGIAccessScript C:/Project/Scripts/auths.wsgi
 Require valid-user
</Location>

<Location /hello>
 AuthType Basic
 AuthName "Top Secret"
 AuthBasicProvider wsgi
 WSGIAuthUserScript C:/Project/Scripts/authn.wsgi
 Require valid-user
</Location>

authn

def check_password(environ, user, password):
 if user == 'admin' or user == 'spy':
  if password == 'secret':
   return True
  return False
 return None

auths

def allow_access(environ, host):
 if environ.get('REMOTE_USER'): 
  if environ['REMOTE_USER'] == 'admin':
   return True
 return False

Requests for _http://localhost/hello pop the login request as expected ... it works fine!

Requests for _http://localhost/i don't pop login and return 403 Forbidden

Am i missing something?! isn't WSGIAccessScript supposed to do authorisation?!

thank you :\

EDIT

i get the error that the key 'REMOTE_USER'.

i supose the auth script isn't running :S

EDIT

i was testing this to do authorisation of multiple subversion repositories based on db information,

there is a way to do this returning 403 forbidden if authenticated and not authorised ?!

i know this is possible with mod_python but i didnt't want to mix mod_python with mod_wsgi.

From serverfault fampinheiro

  • No, WSGIAccessScript is not for user authorisation, it is purely for host based access control independent of whether a user has been authenticated or authorised. User authorisation is handled using WSGIAuthGroupScript directive. See:

    http://code.google.com/p/modwsgi/wiki/AccessControlMechanisms#Apache_Group_Authorisation

    fampinheiro : i started by using WSGIAuthGroupScript but the behaviour wasn't the expected. 401 return when i was expecting 403 Forbidden. i understand that this is an apache limitation, so i tried WSGIAccessScript cause i thought REMOTE_USER was available(silly me!). thank you for your response.
    Graham Dumpleton : It isn't really an Apache limitation as that is how HTTP auth mechanisms are meant to work. That is, you are meant to provide a user a further opportunity to supply new credentials. If you return 403 you deny a user that ability. Thus returning 403 is really an abuse of the HTTP auth mechanism.
    From Graham Dumpleton
Posted by Ku XI at 8:46 AM

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)