You don't need to use that apache.request_rec workaround, as from
mod_wsgi 3.X onwards the ability to access SSL information is
supported.

You can use code like:

    is_https = environ['mod_ssl.is_https']
    var_lookup = environ['mod_ssl.var_lookup']

    # Are we running under SSL.
    if is_https():
        ...

    # Lookup SSL variables.
    organisation = var_lookup("SSL_SERVER_I_DN_O")

The WSGIAccessScript is equivalent to an Apache access handler, which
comes before an authen handler which you used in mod_python. If the
information isn't available in the access handler phase in Apache,
then it must be due to where in request processing phases Apache actually
deals with the SSL certificate and populates the information.

The authen handler, i.e., WSGIAuthUserScript in mod_wsgi, is for the
specific purpose of authenticating a user and can't be used (abused)
in a generic manner like authenhandler often was in mod_python.

I can't remember right now whether there is a way of faking out Apache
to run it anyway. You might be able to cheat by using mod_headers to
insert a fake 'Authorization' header with dummy credentials. It will
then call the WSGIAuthUserScript to validate and you can validate
the certificate. Only problem is that you can only say yes or no and if no
it will result in authorisation required HTTP status returned which
isn't going to be what you want.

Graham

On 30 June 2011 02:03, James Slagle <[email protected]> wrote:
> One other thing to note is that I tried using basic auth instead of
> host access, and I was able to get access to the client cert. So, in
> my config I just changed:
>
> WSGIAccessScript /home/jslagle/devel/access.wsgi
>
> to:
>
> WSGIAuthUserScript /home/jslagle/devel/access.wsgi
>
> And I changed my access.wsgi to:
>
> #!/usr/bin/python
>
> import ssl_engine_vars
>
> def check_password(environ, user, password):
>     request_rec = environ['apache.request_rec']
>     cert = ssl_engine_vars.var_lookup(request_rec, "SSL_CLIENT_CERT")
>     # Do some cert validation
>     return True
>
> In this case, the cert variable above contained the client
> certificate, doing the exact same request as before. We don't want to
> use basic auth here, but I didn't know if this might shed some light
> on my issue at all. There seems to be some difference as to if the
> client cert is available between WSGIAccessScript and
> WSGIAuthUserScript.
>
> Thanks
>
> --
> You received this message because you are subscribed to the Google Groups
> "modwsgi" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/modwsgi?hl=en.
>
>
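
Added example (not part of the original messages and not mod_wsgi's own code): a WSGI application that makes the certificate decision itself through the environ['mod_ssl.is_https'] and environ['mod_ssl.var_lookup'] hooks mentioned above, failing closed and returning 403 rather than an authorisation-required status. It assumes Apache is configured to request client certificates; ALLOWED_ISSUER_ORGS, client_cert_decision and fake_environ are hypothetical names, and the sample values are constructed.

```python
# Added example, not code from the thread. ALLOWED_ISSUER_ORGS is a
# hypothetical allowlist; the SSL_* names are standard mod_ssl variables.
ALLOWED_ISSUER_ORGS = {"Example Internal CA"}


def client_cert_decision(environ, allowed_orgs=ALLOWED_ISSUER_ORGS):
    """Return (allowed, detail) for the client certificate on this request.

    Fails closed whenever the mod_ssl hooks or a needed variable is missing.
    """
    is_https = environ.get("mod_ssl.is_https")
    var_lookup = environ.get("mod_ssl.var_lookup")
    if not callable(is_https) or not callable(var_lookup):
        return False, "mod_ssl hooks not present in environ"
    if not is_https():
        return False, "request did not arrive over SSL"

    # mod_ssl reports NONE, SUCCESS, GENEROUS or FAILED:<reason>.
    verify = var_lookup("SSL_CLIENT_VERIFY") or "NONE"
    if verify != "SUCCESS":
        return False, "client certificate not verified (%s)" % verify

    issuer_org = var_lookup("SSL_CLIENT_I_DN_O")
    if issuer_org not in allowed_orgs:
        return False, "issuer organisation not allowed"
    subject_cn = var_lookup("SSL_CLIENT_S_DN_CN")
    if not subject_cn:
        return False, "certificate has no subject CN"
    return True, subject_cn


def application(environ, start_response):
    """WSGI entry point: 403 unless the client certificate is acceptable."""
    allowed, detail = client_cert_decision(environ)
    if allowed:
        status, text = "200 OK", "hello %s\n" % detail
    else:
        status, text = "403 Forbidden", "client certificate required\n"
    body = text.encode("utf-8")
    start_response(status, [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
    return [body]


def fake_environ(https, variables):
    """Constructed stand-in for the environ mod_wsgi supplies (offline runs)."""
    return {"mod_ssl.is_https": lambda: https,
            "mod_ssl.var_lookup": variables.get}
```

The rejection detail is kept out of the response body; log it server-side if it is needed for troubleshooting.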