6

I need to use apache basic authentication for part of my application. I would like to get the authenticated username from apache, but I cannot seem to find where to access it. I can see the username in the apache log, so I know it's there somewhere. After the user is authenticated by apache, the request is sent via proxy to a cherrypy server.

Here is the section of my apache vhost config:

<Location /ical>
  AuthType Basic
  AuthBasicProvider ldap
  AuthName "Example Calendar Login"
  AuthLDAPUrl "ldaps://ldap.example.net/ou=People,dc=example,dc=net?uid"
  Require valid-user

  ProxyPass http://localhost:8082/
  ProxyPassReverse http://localhost:8082/
  SetEnv proxy-nokeepalive 1
</Location>

The user authentication and proxy bit is working just fine. Once the request is authenticated and sent to cherrypy, here are the headers I have in cherrypy:

(Pdb) pp cherrypy.request.headers
{'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
 'Accept-Charset': 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
 'Accept-Encoding': 'gzip,deflate',
 'Accept-Language': 'en-us,en;q=0.5',
 'Authorization': 'Basic xxxxxxxxxxx',
 'Connection': 'close',
 'Host': 'sub.example.net',
 'If-None-Match': 'e5b0879ce68fcce5b960ce4281c8d706',
 'Remote-Addr': '10.132.32.86',
 'User-Agent': 'Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.10) Gecko/20100915 Ubuntu/10.04 (lucid) Firefox/3.6.10',
 'X-Forwarded-For': 'xx.xx.xx.xx, xx.xx.xx.xx',
 'X-Forwarded-Host': 'sub.example.net, sub.example.net',
 'X-Forwarded-Server': 'sub.example.net, sub'}

Can anyone help me access the username from apache basic auth?

adam

2 Answers

7

I have added a header to pass the authenticated user based on apache.

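RewriteEngine On
# Copy the authenticated user name (REMOTE_USER) into the environment variable R_U
RewriteCond %{REMOTE_USER} ^(.*)$
RewriteRule ^(.*)$ - [E=R_U:%1]
# Forward it to the backend as a request header (needs mod_headers)
RequestHeader set X-Remote-User %{R_U}e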
Marco
  • thanks! This actually works. mod_headers needs to be enabled for anyone getting an error when trying this. – beginner_ Jul 10 '18 at 08:30
  • You can and should replace `RewriteRule ^(.*)$ - [E=R_U:%1]` with `RewriteRule ^ - [E=R_U:%1]`. This `^(.*)$` means that apache will have to _scan_ and _store_ the entire request URI (available in $1), but you don't use it. So by replacing with `^` you are saying "do this to every request which has a "start-of-line" - which is everything - and will be _way_ faster. ymmv – sastorsl Dec 12 '20 at 09:42
6

Your cherrypy application is receiving the Basic Auth information, since we see this in the headers:

'Authorization': 'Basic xxxxxxxxxxxxxxxxxxxxxx==',

You just need to:

  1. decode the Base64 string 'xxxxxxxxxxxxxxxxxxxxxx==', and
  2. extract the username from the decoded username:password string.

Since this isn't stackoverflow ;) , I won't bother giving an exact python implementation of the above, but it should get you started. The Wikipedia entry on Basic access authentication is quite informative and contains code snippets in various languages.

(Just a security note about this question: If you used a real username/password in generating the headers included in your question, be aware that you have revealed it to the world in the text of the 'Authorization' header above, since anyone who wants to can trivially decode it!)

Edit: I have 'x'-ed out the Authorization string.

Steven Monday