Authorisation in mod_wsgi

Question

I have the following setup,

WSGIScriptAlias /i C:/Project/Scripts/hello.wsgi
WSGIScriptAlias /hello C:/Project/Scripts/hello.wsgi

<Directory "C:/Project/Scripts">
 Order deny,allow
 Allow from all
</Directory>

<Location /i>
 AuthType Basic
 AuthName "Top Secret"
 AuthBasicProvider wsgi
 WSGIAuthUserScript C:/Project/Scripts/authn.wsgi
 WSGIAccessScript C:/Project/Scripts/auths.wsgi
 Require valid-user
</Location>

<Location /hello>
 AuthType Basic
 AuthName "Top Secret"
 AuthBasicProvider wsgi
 WSGIAuthUserScript C:/Project/Scripts/authn.wsgi
 Require valid-user
</Location>

authn

def check_password(environ, user, password):
 if user == 'admin' or user == 'spy':
  if password == 'secret':
   return True
  return False
 return None

auths

def allow_access(environ, host):
 if environ.get('REMOTE_USER'): 
  if environ['REMOTE_USER'] == 'admin':
   return True
 return False

Requests for _http://localhost/hello pop the login request as expected ... it works fine!

Requests for _http://localhost/i don't pop login and return 403 Forbidden

Am i missing something?! isn't WSGIAccessScript supposed to do authorisation?!

thank you :\

EDIT

i get the error that the key 'REMOTE_USER'.

i supose the auth script isn't running :S

EDIT

i was testing this to do authorisation of multiple subversion repositories based on db information,

there is a way to do this returning 403 forbidden if authenticated and not authorised ?!

i know this is possible with mod_python but i didnt't want to mix mod_python with mod_wsgi.

As a side note, you can replace the entire body of your `allow_access` function with `return environ.get('REMOTE_USER') == 'admin'`. — David Z, Jul 18 '10 at 21:41

score 0 · Accepted Answer · answered Jul 18 '10 at 22:59

0

No, WSGIAccessScript is not for user authorisation, it is purely for host based access control independent of whether a user has been authenticated or authorised. User authorisation is handled using WSGIAuthGroupScript directive. See:

http://code.google.com/p/modwsgi/wiki/AccessControlMechanisms#Apache_Group_Authorisation

answered Jul 18 '10 at 22:59

Graham Dumpleton

5,990
2
20
19

i started by using WSGIAuthGroupScript but the behaviour wasn't the expected. 401 return when i was expecting 403 Forbidden. i understand that this is an apache limitation, so i tried WSGIAccessScript cause i thought REMOTE_USER was available(silly me!). thank you for your response. – Filipe Pinheiro Jul 19 '10 at 09:18
It isn't really an Apache limitation as that is how HTTP auth mechanisms are meant to work. That is, you are meant to provide a user a further opportunity to supply new credentials. If you return 403 you deny a user that ability. Thus returning 403 is really an abuse of the HTTP auth mechanism. – Graham Dumpleton Jul 19 '10 at 11:41

Authorisation in mod_wsgi

1 Answers1