id	summary	reporter	owner	description	type	status	priority	component	severity	resolution	keywords	cc	release
9618	[patch] HttpAuthStore authentication enhancement	Dennis McRitchie <dmcr@princeton.edu>	hasienda	I have been working on getting !HttpAuthStore authentication working with Trac 0.12.1 and Apache under WSGI. The main difficulty was that the file identified by the authentication_url directive had to exist and be successfully fetched. And fetching static files under WSGI (but also under mod_python) can be difficult to configure.\r\n\r\nSo for example, it is possible to put a file called 'authFile' in a project's htdocs directory, but then one has to know that the trac.ini directive would need to be set to:\r\n{{{\r\nauthentication_url = https://server.domain.com/trac/chrome/site/authFile\r\n}}}\r\nand the Apache <Location> directive would need to be configured as:\r\n{{{\r\n<Location /trac/chrome/site/authFile>\r\n}}}\r\nThis is not intuitive. Also, the current requirement for being able to successfully fetch 'authFile' is not really necessary, since it does not guarantee true authentication. That is, if the <Location> directive is incorrectly configured, it will be possible to 'successfully' authenticate with an invalid password, as long as authentication_url points to an existing file.\r\n\r\nAnd it is somewhat inconvenient that authentication_url values must be absolute URLs.\r\n\r\nSo in the attached patch to http.py, I test for a 404 error code, and allow this to signal a successful authentication attempt, which it will be as long as the <Location> directive is correctly set. This then allows one to more closely mimic Trac's native login support, where the server-relative URL is '/login'. 
So, in combination with allowing server-relative URLs (as well as true relative URLs, just to be consistent with the [header_logo]'s 'src' directive), one can now simply set authentication_url to '/authFile' and similarly set the <Location> directive to '/authFile'.\r\n\r\nIn the case of supporting multiple Trac projects, these could become:\r\n{{{\r\nauthentication_url = /project1/authFile\r\n}}}\r\nand\r\n{{{\r\n<LocationMatch "^/[^/]+/authFile$">\r\n}}}\r\nOne can of course use the Apache 'Alias' directive, or use the '!SetHandler' directive to reset the Apache content handler to 'None', but this seems needlessly complicated.\r\n\r\nIdeally, one would have a handler for the resource identified by the authentication_url directive, but I don't know how to do that; and the only drawback to this approach, I believe, is that there will be HTTPNotFound warnings in the log files if the user points to a non-existent file.\r\n\r\nLet me know what you think.\r\n\r\nDennis	enhancement	closed	normal	AccountManagerPlugin	normal	fixed	auth HTTP		0.12
