On Jun 29, 6:34 pm, Graham Dumpleton <[email protected]>
wrote:
> You don't need to use that apache.request_rec workaround as from
> mod_wsgi 3.X onwards the ability to access SSL information is
> supported.

This isn't a wsgi application though, so I don't have access to
environ via WSGIAccessScript, that's why I tried to use that patch.
We are using Apache itself to serve all the files in this Directory,
we just want to protect access to it based on the client cert, and
need to use a python program to verify that. Is there a way to use
WSGIScriptAlias and then somehow turn control back over to Apache to
finish handling the request and actually serve the files?

> The WSGIAccessScript is equivalent to an Apache access handler, which
> comes before an authen handler which you used in mod_python. If the
> information isn't available in the access handler phase in Apache,
> then must be due to where in request processing phases Apache actually
> deals with the SSL certificate and populates the information.

Ok, that makes sense.

> The authen handler, ie., WSGIAuthUserScript in mod_wsgi is for the
> specific purpose of authenticating a user and can't be used (abused)
> in a generic manner like authenhandler often was in mod_python.
>
> I can't remember right now whether there is a way of faking out Apache
> to run it anyway. You might be able to cheat by using mod_headers to
> insert a fake 'Authorization' header with dummy credentials. It will
> then call the WSGIAuthUserScript to validate and you can validate
> certificate. Only problem is that you can only say yes or no and if no
> it will result in authorisation required HTTP status returned which
> isn't going to be what you want.

Maybe I can make use of WSGIAuthUserScript somehow. There is a
configuration for mod_ssl of SSLOptions +FakeBasicAuth, that makes
any request that uses a client cert appear as basic auth. At least
then I can get the script I specify with WSGIAuthUserScript to run.
But, you're right, I'd need to find a way to make it return a 403
Forbidden instead of the 401 Auth Required.

Thanks for your help!

-- 
You received this message because you are subscribed to the Google Groups 
"modwsgi" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/modwsgi?hl=en.
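
A sketch of the auth script discussed in the message above, added here as an example and not code from the thread or from mod_wsgi: with SSLOptions +FakeBasicAuth, mod_ssl passes the client certificate's subject DN as the Basic auth user name, so a WSGIAuthUserScript `check_password` function can apply a policy to it. The allowlist values, the helper names and the slash-separated one-line DN format are assumptions, and a denial here still produces the 401 response mentioned in the thread, not a 403.

```python
import re

# Constructed policy for illustration: required organisation and permitted CNs.
REQUIRED_ORG = "Example Corp"
ALLOWED_CNS = {"alice", "build-agent-01"}

# An attribute starts at "/" followed by a type name and "=" (assumed format).
_ATTR_START = re.compile(r"/(?=[A-Za-z][A-Za-z0-9.]*=)")


def parse_subject_dn(dn):
    """Parse a one-line subject DN such as "/C=US/O=Example Corp/CN=alice"
    into {type: [values]}. Returns None if the string is not in that form."""
    if not dn or not dn.startswith("/"):
        return None
    attrs = {}
    for part in _ATTR_START.split(dn)[1:]:
        key, _, value = part.partition("=")
        if not value:
            return None
        attrs.setdefault(key.upper(), []).append(value)
    return attrs


def dn_is_allowed(dn):
    """Hypothetical policy: exactly one O and one CN, both on the allowlist."""
    attrs = parse_subject_dn(dn)
    if attrs is None:
        return False
    # A repeated attribute must not smuggle an allowed value in beside
    # a disallowed one, so compare the whole list, not membership.
    if attrs.get("O") != [REQUIRED_ORG]:
        return False
    cns = attrs.get("CN", [])
    return len(cns) == 1 and cns[0] in ALLOWED_CNS


def check_password(environ, user, password):
    """Entry point called by mod_wsgi for WSGIAuthUserScript. `user` is the
    subject DN supplied by FakeBasicAuth. Returns True to grant and False to
    deny; False (rather than None) fails closed instead of deferring to
    another auth provider."""
    return dn_is_allowed(user)
```
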
