[ http://issues.apache.org/jira/browse/MODPYTHON-47?page=all ]
Graham Dumpleton updated MODPYTHON-47:
--------------------------------------
Attachment: MP47_20060309_grahamd_2.diff
Attached alternate suggested fix as "MP47_20060309_grahamd_2.diff".
I should have just done it this way to begin with.
What this does is simply not try and do anything with the Authorization header
unless either __auth__ or __access__ are actually found. I.e., the fix I
originally described, rather than my latter obsession with req.ap_auth_type.
This means that if one has __auth__ or __access__ and Apache configuration
still uses digest authentication it will fail. But if one knows one is using
digest authentication support in mod_auth, you would not be using the publisher
auth support anyway as they would conflict.
I agree that authentication should not be part of publisher, but can't do
anything about that now. Apache has a really good concept of phases yet just
about everything merely uses mod_python as a hopping off point at content
handler phase and does everything in that one phase. :-(
> Digest Authorization header causes bad request error.
> -----------------------------------------------------
>
> Key: MODPYTHON-47
> URL: http://issues.apache.org/jira/browse/MODPYTHON-47
> Project: mod_python
> Type: Bug
> Components: publisher
> Versions: 3.1.4
> Reporter: Graham Dumpleton
> Assignee: Graham Dumpleton
> Priority: Minor
> Attachments: MP47_20060307_grahamd_1.diff, MP47_20060309_grahamd_2.diff
>
> If Apache is used to perform authentication, the Authorization header still gets
> passed through to mod_python.publisher. Unfortunately, mod_python.publisher
> authentication code in process_auth() will attempt to decode the contents of the
> Authorization header even if there are no __auth__ or __access__ hooks defined
> for authentication and access control within the published code itself.
> The consequence of this is that if Digest authentication is used for AuthType
> at level of Apache authentication, the process_auth() code will raise a bad request
> error as it assumes Authorization header is always in format for Basic authentication
> type and when it can't decode it, it raises an error.
> What should happen is that any decoding of Authorization should only be done
> if there is a __auth__ or __access__ hook that actually requires it. That way, if
> someone uses Digest authentication at Apache configuration file level, provided that no
> __auth__ or __access__ hooks are provided, there wouldn't be a problem.
> See:
> http://www.modpython.org/pipermail/mod_python/2005-April/017911.html
> http://www.modpython.org/pipermail/mod_python/2005-April/017912.html
> for additional information.
--
This message is automatically generated by JIRA.
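The behaviour discussed in this issue, as an added stand-alone Python sketch (not mod_python's code and not the attached patch): decoding the Authorization header before checking for hooks rejects a Digest request, while decoding only when `__auth__` or `__access__` exists lets it through. The names `BadRequest`, `decode_basic`, `has_hooks`, `run_hooks`, `process_auth_eager` and `process_auth_lazy` are hypothetical, hooks are assumed to be plain callables, and headers are a plain dict with constructed values.

```python
import base64
from types import SimpleNamespace

class BadRequest(Exception):
    """Stand-in for the bad request error (hypothetical name)."""

def decode_basic(value):
    """Decode an Authorization value, assuming it is always Basic."""
    try:
        scheme, _, payload = value.partition(" ")
        if scheme.lower() != "basic":
            raise ValueError("scheme is not Basic")
        raw = base64.b64decode(payload, validate=True).decode("utf-8")
        user, sep, password = raw.partition(":")
        if not sep:
            raise ValueError("no user:password separator")
    except ValueError as exc:  # also covers binascii.Error, UnicodeDecodeError
        raise BadRequest(str(exc)) from exc
    return user, password

def has_hooks(obj):
    return hasattr(obj, "__auth__") or hasattr(obj, "__access__")

def run_hooks(obj, creds):
    # Assumption: hooks are callables only (a simplification for this sketch).
    user, password = creds or (None, None)
    if hasattr(obj, "__auth__") and not obj.__auth__(user, password):
        return False
    return not hasattr(obj, "__access__") or bool(obj.__access__(user))

def process_auth_eager(obj, headers):
    """Reported behaviour: decode first, look for hooks afterwards."""
    creds = decode_basic(headers["Authorization"]) if "Authorization" in headers else None
    return run_hooks(obj, creds) if has_hooks(obj) else True

def process_auth_lazy(obj, headers):
    """Suggested fix: leave the header alone unless a hook exists."""
    if not has_hooks(obj):
        return True  # authentication, if any, was handled by Apache
    creds = decode_basic(headers["Authorization"]) if "Authorization" in headers else None
    return run_hooks(obj, creds)

# Constructed sample data, not taken from the issue.
DIGEST = {"Authorization": 'Digest username="alice", realm="r", nonce="n", uri="/", response="0"'}
BASIC = {"Authorization": "Basic " + base64.b64encode(b"alice:secret").decode()}
PLAIN = SimpleNamespace()  # published object without hooks
GUARDED = SimpleNamespace(__auth__=lambda u, p: (u, p) == ("alice", "secret"))
```

With `GUARDED` and the Digest header, `process_auth_lazy` still raises `BadRequest`, which is the remaining conflict the comment above describes.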