httpauth login throws traceback

[tekknokrat]

Current trunk throws a traceback like attached if a wrong password is supplied.

[tekknokrat]

Btw. everythings fine with a correct password given. Configuration snippets of my setup...

apache2 config:

  <Location /trac>                                                              
     SetHandler mod_python                                                      
     PythonInterpreter main_interpreter                                         
     PythonHandler trac.web.modpython_frontend                                  
     # PythonOption TracEnvParentDir /var/trac                                  
     PythonOption TracUriRoot /trac                                             
     PythonOption TracEnv /var/trac/test                                 
     PythonOption TracLocale en_US.UTF8                                         
     PythonOption PYTHON_EGG_CACHE /var/trac/tmp                                
     Order allow,deny                                                           
     Allow from all                                                             
  </Location>    

trac.ini:

[account-manager]                                                               
authentication_url = /http_auth                                                 
password_store = HttpAuthStore   
...
[components]                                                                    
acct_mgr.admin.accountmanageradminpages = enabled                               
acct_mgr.api.accountmanager = enabled                                           
acct_mgr.http.HttpAuthStore = enabled                                           
acct_mgr.web_ui.loginmodule = enabled                                           
trac.web.auth.loginmodule = disabled                                            
tracfullblog.admin.fullblogadminpanel = enabled                                 
tracfullblog.core.fullblogcore = enabled                                        
tracfullblog.db.fullblogsetup = enabled                                         
tracfullblog.macros.bloglistmacro = enabled                                     
tracfullblog.web_ui.fullblogmodule = enabled                                    
tractab.tractab.tractab = enabled                                               
tractags.api.tagsystem = enabled                                                
tractags.macros.listtaggedmacro = enabled                                       
tractags.macros.tagcloudmacro = enabled                                         
tractags.model.tagmodelprovider = enabled                                       
tractags.ticket.tickettagprovider = enabled                                     
tractags.web_ui.tagrequesthandler = enabled                                     
tractags.web_ui.tagtemplateprovider = enabled                                   
tractags.wiki.tagwikisyntaxprovider = enabled                                   
tractags.wiki.wikitaginterface = enabled                                        
tractags.wiki.wikitagprovider = enabled                                         
tracwysiwyg.templateprovider = enabled                                          
tracwysiwyg.wysiwygwikifilter = enabled                

[Steffen Hoffmann]

What I see from your traceback is an recursion in urllib2.

Maybe there is something wrong in the way we call both, simple and digest auth handlers at once. The HTTP401 on digest authentication seems to recall the previous request to basic auth, so it could help to call them in separate try..catch parts. Although I'm not sure how such a grave bug should have survived more than 6 years since the initial implementation in r1534.

Any more insights how your (web server) configuration could be different from many others?

[Steffen Hoffmann]

split basic and digest authentication attempts to prevent recusion from second to previous method

[Steffen Hoffmann]

Try this patch​ please, even if it looks like a clumsy solution and probably could be coded more elegant.

[Steffen Hoffmann]

Ping.

Not often, that you get a patch within a day after the report, but no feedback afterwards, even not after half a year by now. That's really a disappointment to me.

Anyone remaining interested in fixing this issue? It's unreasonable to assume, that I'll push code I've provided for good, but can't verify on my own. Even if the issue meanwhile has been resolved by other means, it would be fair at minimum to tell it to me.

Drop a comment, please, or I'll certainly drop the issue.

[Jun Omae]

According to ​http://bugs.python.org/issue8797, it seems the Python issue. Also, ​Bitten has the same issue and has fixed in ​bitten:changeset:974. See ​bitten:ticket:658.

But I couldn't reproduce it....

[Steffen Hoffmann]

Wonderful, thanks Jun.

That finally casts some light up-on the scenery. So this is a Python bug. Strange encounter, but you gave me valuable pointers, that I'll use to verify my interim solution.

[Steffen Hoffmann]

(In [12408]) AccountManagerPlugin: Use own HTTPBasicAuthHandler under Python 2.6 to avoid recursion in urllib2 (​http://bugs.python.org/issue8797), refs #10134.

Special thanks to Jun Omae for pointing at hodgestar's changes to fix this issue for Bitten (​bitten:r974).

[Steffen Hoffmann]

Test feedback would be much appreciated.

[Steffen Hoffmann]

(In [12482]) AccountManagerPlugin: Publish maintenance release 0.4.1, closes #5964, #8545, #10134, #10625, #10700 and #10701.

This is an update for current stable acct_mgr-0.4 with a number of fixes for issues resolved within the last weeks, i.e.:

• a final fix for Single-Sign-On functionality (refs #9676),
• a long-standing HttpAuth login issue and
• one for acct_mgr.LoginModule, that is relevant if used with web-servers, that evaluate the REMOTE_USER environment variable.

Changeset [12468] is included, that may require a Trac db fix-up. Run python ./contrib/fix-session_attribute-failed_logins.py <env> once on any Trac environment, that had account locking enabled with time constraints before.