id,summary,reporter,owner,description,type,status,priority,component,severity,resolution,keywords,cc,release
9618,[patch] HttpAuthStore authentication enhancement,Dennis McRitchie <dmcr@princeton.edu>,hasienda,I have been working on getting !HttpAuthStore authentication working with Trac 0.12.1 and Apache under WSGI. The main difficulty was that the file identified by the authentication_url directive had to exist and be successfully fetched. And fetching static files under WSGI (but also under mod_python) can be difficult to configure.\r\n\r\nSo for example_ it is possible to put a file called 'authFile' in a project's htdocs directory_ but then one has to know that the trac.ini directive would need to be set to:\r\n{{{\r\nauthentication_url = https://server.domain.com/trac/chrome/site/authFile\r\n}}}\r\nand the Apache <Location> directive would need to be configured as:\r\n{{{\r\n<Location /trac/chrome/site/authFile>\r\n}}}\r\nThis is not intuitive. Also_ the current requirement for being able to successfully fetch 'authFile' is not really necessary_ since it does not guarantee true authentication. That is_ if the <Location> directive is incorrectly configured_ it will be possible to 'successfully' authenticate with an invalid password_ as long as authentication_url points to an existing file.\r\n\r\nAnd it is somewhat inconvenient that authentication_url values must be absolute URLs.\r\n\r\nSo in the attached patch to http.py_ I test for a 404 error code_ and allow this to signal a successful authentication attempt_ which it will be as long as the <Location> directive is correctly set. This then allows one to more closely mimic Trac's native login support_ where the server-relative URL is '/login'. 
So_ in combination with allowing server-relative URLs (as well as true relative URLs_ just to be consistent with the [header_logo]'s 'src' directive)_ one can now simply set authentication_url to '/authFile' and similarly set the <Location> directive to '/authFile'.\r\n\r\nIn the case of supporting multiple Trac projects_ these could become:\r\n{{{\r\nauthentication_url = /project1/authFile\r\n}}}\r\nand\r\n{{{\r\n<LocationMatch "^/[^/]+/authFile$">\r\n}}}\r\nOne can of course use the Apache 'Alias' directive_ or use the '!SetHandler' directive to reset the Apache content handler to 'None'_ but this seems needlessly complicated.\r\n\r\nIdeally_ one would have a handler for the resource identified by the authentication_url directive_ but I don't know how to do that; and the only drawback to this approach_ I believe_ is that there will be HTTPNotFound warnings in the log files if the user points to a non-existent file.\r\n\r\nLet me know what you think.\r\n\r\nDennis,enhancement,closed,normal,AccountManagerPlugin,normal,fixed,auth HTTP,,0.12
