On 30 June 2011 21:46, James Slagle <[email protected]> wrote:
>
> On Jun 29, 6:34 pm, Graham Dumpleton <[email protected]>
> wrote:
>> You don't need to use that apache.request_rec workaround as from
>> mod_wsgi 3.X onwards the ability to access SSL information is
>> supported.
>
> This isn't a wsgi application though, so I don't have access to
> environ via WSGIAccessScript,

Yes you do. The first argument to allow_access is an environ
dictionary. It is similar to what a WSGI application later gets but
doesn't have as much information in it. It should have the SSL
functions hooks.

> that's why I tried to use that patch.
> We are using Apache itself to serve all the files in this Directory,
> we just want to protect access to it based on the client cert, and
> need to use a python program to verify that. Is there a way to use
> WSGIScriptAlias and then somehow turn control back over to Apache to
> finish handling the request and actually serve the files?
>
>> The WSGIAccessScript is equivalent to an Apache access handler, which
>> comes before an authen handler which you used in mod_python. If the
>> information isn't available in the access handler phase in Apache,
>> then must be due to where in request processing phases Apache actually
>> deals with the SSL certificate and populates the information.
>
> Ok, that makes sense.
>
>> The authen handler, ie., WSGIAuthUserScript in mod_wsgi is for the
>> specific purpose of authenticating a user and can't be used (abused)
>> in a generic manner like authenhandler often was in mod_python.
>>
>> I can't remember right now whether there is a way of faking out Apache
>> to run it anyway. You might be able to cheat by using mod_headers to
>> insert a fake 'Authorization' header with dummy credentials. It will
>> then call the WSGIAuthUserScript to validate and you can validate
>> certificate. Only problem is that you can only say yes or no and if no
>> it will result in authorisation required HTTP status returned which
>> isn't going to be what you want.
>
> Maybe I can make use of WSGIAuthUserScript somehow. There is a
> configuration for mod_ssl of SSLOptions +FakeBasicAuth, that makes
> any request that uses a client cert appear as basic auth. At least
> then I can get the script I specify with WSGIAuthUserScript to run.
> But, you're right, I'd need to find a way to make it return a 403
> Forbidden instead of the 401 Auth Required.

You aren't the first to ask for being able to return different status.
Problem was a clean way of doing it.

A similar thing people have wanted to do is update r.user for Apache
request object. Most recent idea has just been to allow assignment
back into environ of 'REMOTE_USER' to override it. Eg.

    environ['REMOTE_USER'] = 'xxx'

One could do a similar thing with HTTP status. Maybe:

    environ['STATUS'] = 403

So, using the environ dictionary as back channel.

Graham
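
A sketch of the access-script approach discussed in this message, added here as an example and not part of the original post or of mod_wsgi itself: an allow_access function that reads the client certificate through the 'mod_ssl.is_https' and 'mod_ssl.var_lookup' hooks mod_wsgi 3.X puts in environ, and denies whenever the certificate data is missing, which covers the case where Apache has not populated it by the access phase. ALLOWED_SUBJECTS, its DNs and the helper client_cert_subject are hypothetical.

```python
# Added example: client-certificate gate for a WSGIAccessScript.
# ALLOWED_SUBJECTS holds constructed sample DNs, not values from the thread.
# The DN string format depends on the Apache/mod_ssl version, so list the
# subjects exactly as your server reports them in SSL_CLIENT_S_DN.
ALLOWED_SUBJECTS = frozenset([
    "/C=US/O=Example Corp/CN=build-agent-01",
    "/C=US/O=Example Corp/CN=release-manager",
])


def _text(value):
    """Normalise a looked-up value to str (bytes are decoded as latin-1)."""
    if isinstance(value, bytes):
        return value.decode("latin-1")
    return value or ""


def client_cert_subject(environ):
    """Return the verified client certificate subject DN, or None.

    None is returned when the mod_ssl hooks are absent, the request is not
    HTTPS, mod_ssl did not verify a certificate, or a lookup fails.
    """
    is_https = environ.get("mod_ssl.is_https")
    var_lookup = environ.get("mod_ssl.var_lookup")
    if not callable(is_https) or not callable(var_lookup):
        return None
    try:
        if not is_https():
            return None
        # mod_ssl reports SUCCESS only when the client chain validated;
        # NONE, GENEROUS and FAILED:reason are all treated as no certificate.
        if _text(var_lookup("SSL_CLIENT_VERIFY")) != "SUCCESS":
            return None
        subject = _text(var_lookup("SSL_CLIENT_S_DN"))
    except Exception:
        return None  # fail closed on any hook error
    return subject or None


def allow_access(environ, host):
    """Entry point mod_wsgi calls for WSGIAccessScript; True allows the request."""
    subject = client_cert_subject(environ)
    return subject is not None and subject in ALLOWED_SUBJECTS
```

Because the script only answers allow or deny, Apache still serves the files itself once allow_access returns True.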
