[patch] HttpAuthStore authentication enhancement
Reported by: Dennis McRitchie <dmcr@…>    Owned by: hasienda
I have been working on getting HttpAuthStore authentication working with Trac 0.12.1 and Apache under WSGI. The main difficulty was that the file identified by the authentication_url directive had to exist and be successfully fetched. And fetching static files under WSGI (but also under mod_python) can be difficult to configure.
So for example, it is possible to put a file called 'authFile' in a project's htdocs directory, but then one has to know that the trac.ini directive would need to be set to:
authentication_url = https://server.domain.com/trac/chrome/site/authFile
and the Apache <Location> directive would need to be configured as:
This is not intuitive. Also, the current requirement for being able to successfully fetch 'authFile' is not really necessary, since it does not guarantee true authentication. That is, if the <Location> directive is incorrectly configured, it will be possible to 'successfully' authenticate with an invalid password, as long as authentication_url points to an existing file.
And it is somewhat inconvenient that authentication_url values must be absolute URLs.
So in the attached patch to http.py, I test for a 404 error code, and allow this to signal a successful authentication attempt, which it will be as long as the <Location> directive is correctly set. This then allows one to more closely mimic Trac's native login support, where the server-relative URL is '/login'. So, in combination with allowing server-relative URLs (as well as true relative URLs, just to be consistent with the [header_logo]'s 'src' directive), one can now simply set authentication_url to '/authFile' and similarly set the <Location> directive to '/authFile'.
In the case of supporting multiple Trac projects, these could become:
authentication_url = /project1/authFile
One can of course use the Apache 'Alias' directive, or use the 'SetHandler' directive to reset the Apache content handler to 'None', but this seems needlessly complicated.
Ideally, one would have a handler for the resource identified by the authentication_url directive, but I don't know how to do that; and the only drawback to this approach, I believe, is that there will be HTTPNotFound warnings in the log files if the user points to a non-existent file.
Let me know what you think.
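The failure mode described above (a <Location> that is not actually protected lets any password "succeed") is easy to miss because a 404 looks the same in both cases. The following is an added example, not code from the ticket or from the AccountManagerPlugin; it models the status-code logic the patch describes (401 means rejected, 200 or 404 means the credentials were accepted) and adds the sanity check a practitioner would want: before trusting the endpoint, confirm that an unauthenticated request to authentication_url is challenged with 401. The two fake Apache configurations, the user name, the password and the `http_fetch` helper are constructed for illustration.

```python
"""Model of the HttpAuthStore status-code logic plus a protection sanity check."""
import base64
import urllib.error
import urllib.request
from typing import Callable, Optional

# A "fetch" returns the HTTP status Apache would answer for a GET on `path`
# carrying the given Authorization header (None = no credentials sent).
Fetch = Callable[[str, Optional[str]], int]

# Constructed credentials for the fake Apache setups below (not real users).
VALID_USER = "alice"
VALID_PASSWORD = "secret"


def basic_header(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def protected_location(path: str, auth: Optional[str]) -> int:
    """Stand-in for <Location /authFile> with Require valid-user.

    Apache runs authentication before the content handler, so a missing
    file still produces 401 unless valid credentials were presented.
    """
    if path != "/authFile":
        return 404
    if auth != basic_header(VALID_USER, VALID_PASSWORD):
        return 401
    return 404  # correct password, but authFile does not exist on disk


def unprotected_location(path: str, auth: Optional[str]) -> int:
    """Stand-in for a misconfigured setup with no <Location> protection:
    credentials are never examined, and the missing file is simply 404."""
    return 404


def check_password(fetch: Fetch, url: str, user: str, password: str) -> bool:
    """Mimic the patched HttpAuthStore: 200 or 404 count as accepted, 401 as rejected."""
    status = fetch(url, basic_header(user, password))
    return status in (200, 404)


def endpoint_demands_auth(fetch: Fetch, url: str) -> bool:
    """Sanity check that should pass before trusting authentication_url:
    a request with NO credentials must be challenged with 401."""
    return fetch(url, None) == 401


def http_fetch(url: str, auth: Optional[str]) -> int:
    """Real-network fetch for use against a live server (assumed helper, not
    exercised offline). Returns the HTTP status code, including error codes."""
    req = urllib.request.Request(url)
    if auth is not None:
        req.add_header("Authorization", auth)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    for name, fetch in (("protected", protected_location),
                        ("unprotected", unprotected_location)):
        print(name, "challenges anonymous:", endpoint_demands_auth(fetch, "/authFile"))
        print(name, "wrong password accepted:",
              check_password(fetch, "/authFile", VALID_USER, "wrong"))
```

Run stand-alone, the script shows that the unprotected configuration accepts a wrong password while the protected one does not, and that `endpoint_demands_auth` distinguishes the two before any login is attempted. Wiring `http_fetch` into `check_password` gives the same check against a live Apache instance.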
Change History (15)
Changed 2 years ago by Dennis McRitchie <dmcr@…>
comment:4 Changed 2 years ago by hasienda
- Status changed from new to assigned
- Summary changed from HttpAuthStore authentication enhancement (with patch) to [patch] HttpAuthStore authentication enhancement