#1169 closed defect (wontfix)
HTTPAuth doesn't validate against AccountManager htpasswd file — at Version 12
Reported by: | Owned by: | Noah Kantrowitz | |
---|---|---|---|
Priority: | normal | Component: | HttpAuthPlugin |
Severity: | normal | Keywords: | |
Cc: | Trac Release: | 0.10 |
Description (last modified by )
HTTPAuth dialog comes up, but username & passwords are rejected. Doesn't look like the Accountmanager plugin's password file is being consulted, as per your page's declaration that AccountManagerplugin is used to check passwords.
Using in conjunction w/XMLRPC plugin so we can use Mylar w/Eclipse & Trac.
Standard form-based login still works. Pop-up dialog appears for /xmlrpc & /xmlrpc/login targets, but username & password doesn't work.
- Does crypt scheme in passwd file make two-bits of a difference? [using md5]
- What's with the "Control Panel" name in the login dialog?
- Is it a misconfiguration on my part?
I'm using trac 10.3, on Debian. I'm using Py-24
Thanks for taking a look.
Change History (12)
comment:1 Changed 17 years ago by
comment:2 Changed 17 years ago by
More details yet...
Snooping source, I see log entries... so I check my log: 2007-02-02 22:20:37,117 Trac[init] INFO: HTTPAuthFilter: No/bad authentication data given, returing 403
comment:3 Changed 17 years ago by
get_header('Authorization') always seems to return None... has api changed?
comment:4 Changed 17 years ago by
I see this too with a similar setup; 0.10.3, Python 2.4, FreeBSD.
/xmlrpc and /login/xmlrpc targets work but reject all users and passwords.
I also noticed that get_header('Authorization') is returning none.
I added a debug line to print out req._inheaders:
2007-03-29 17:54:36,852 Trac[filter] DEBUG: HTTPAuthFilter: req._inheaders = [('cookie', 'trac_form_token=f8938fa4194db5ac822c5260; trac_auth=27841af7dce3a81d8a685e62b3f467a0'), ('keep-alive', '300'), ('accept-charset', 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'), ('user-agent', 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3'), ('connection', 'keep-alive'), ('host', 'www.redacted.com'), ('cache-control', 'max-age=0, max-age=0'), ('accept', 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'), ('accept-language', 'en-us,en;q=0.5'), ('accept-encoding', 'gzip,deflate')]
I then double-checked that I was sending the authorization header using 'Live HTTP Headers' for Firefox.
It seems that something (The AccountManager plugin?) is stripping this header.
comment:5 Changed 17 years ago by
Thought maybe I was crazy so I tcpdumped this from the server; the Authorization header is definitely received by Apache. Somewhere along the line it must be stripped out but I'm having a devil of a time trying to find where.
comment:6 Changed 17 years ago by
I had the same problem. In my case the problem was that the header "Authorization" doesn't arrive to the cgi (or fcgi). I could get it in the .htaccess file, and I could set rules with this header in this file, but in the trac.cgi I could not see it.
I have my hosting with Dreamhost, maybe it's a server configuration problem.
My solution
First step
I set the next rules in the .htaccess file:
<IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteCond %{HTTP:Authorization} ^Basic.* RewriteRule ^(.*)$ index.cgi/$1?INTERNAL_AUTH=%{HTTP:Authorization} [L] </IfModule> <IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule ^(.*)$ index.cgi/$1 [L] </IfModule>
The second one is the normal rule for Trac. The first one is an special adaption of the second one: when the header "Athorization" is present in a request (and starts with "Basic") I rewrite the url to pass an argument to the cgi. I pass as argument the value of the header Athorization. So, the next step is to get this argument in the cgi.
Second step
In the file trac.cgi (or trac.fcgi) I added the next code in the beginning:
import os, sys from cgi import escape valor = os.environ["QUERY_STRING"] if valor: clave, valor = valor.split('=', 1) if clave == "INTERNAL_AUTH": os.environ["HTTP_AUTHORIZATION"] = valor
QUERY_STRING
is an environmen variable with all the variables passed in the URL. We split this value to get the value of INTERNAL_AUTH variable, and only if this variable exists we set and environment variable: HTTP_AUTHORIZATION. This variable will be used then by the HttpAuthPlugin.
comment:7 Changed 17 years ago by
That solution overwrite query strings.I changed following.
<IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteCond %{HTTP:Authorization} ^Basic.* RewriteRule ^(.*)$ index.cgi/$1?INTERNAL_AUTH=%{HTTP:Authorization}&%{QUERY_STRING} [L] </IfModule>
comment:8 Changed 17 years ago by
If you're using mod_wsgi, auth info is stripped before passing to the app. Turn WSGIPassAuthorization On for it to work. See http://code.google.com/p/modwsgi/wiki/ConfigurationDirectives
comment:9 follow-up: 10 Changed 17 years ago by
I had a lot of trouble with the solution as stated above, eventually I came up with a slightly modified version which suited my environment. Here are the relavent sections of the apache (2.2) config (one still needs to modify the trac.fcgi as above):
<IfModule alias_module> AliasMatch ^/trac/[^/]+/chrome/common/(.*) "/usr/local/share/trac/htdocs/$1" AliasMatch ^/trac/([^/]+)/chrome/site/(.*) "/usr/local/www/trac/$1/htdocs/$2" ScriptAlias /trac /usr/local/www/apache22/cgi-bin/trac.fcgi </IfModule> <Location /trac> SetEnv TRAC_ENV_PARENT_DIR "/usr/local/www/trac" RewriteEngine on RewriteCond %{HTTP:Authorization} ^Basic.* RewriteCond %{QUERY_STRING} !INTERNAL_AUTH=.* RewriteRule ^.*trac\.fcgi/(.*xmlrpc)$ $1?INTERNAL_AUTH=%{HTTP:Authorization}&%{QUERY_STRING} [L] </Location>
I also came across the following we should have worked but did not:
# http://www.fastcgi.com/mod_fastcgi/docs/mod_fastcgi.html <IfModule mod_fastcgi.c> AddHandler fastcgi-script .fcgi FastCgiConfig -pass-header Authorization </IfModule>
LoadModule fastcgi_module libexec/apache22/mod_fastcgi.so
comment:10 Changed 17 years ago by
Replying to caleb.lyness:
I had a lot of trouble with the solution as stated above, eventually I came up with a slightly modified version which suited my environment. Here are the relavent sections of the apache (2.2) config (one still needs to modify the trac.fcgi as above):
Holy formatting, Batman! Next time please hit preview.
comment:11 Changed 16 years ago by
Resolution: | → wontfix |
---|---|
Status: | new → closed |
This an Apache issue clearly. I can't do anything about it.
comment:12 Changed 16 years ago by
Description: | modified (diff) |
---|
Please note that Mylyn should support form-based authentication via the AccountManagerPlugin in the latest releases. Please file a bug against Mylyn if it does not work for you:
my mistake: /xmlrpc & /login/xmlrpc targets work. They both result in a login dialog. But, again, username & password aren't accepted.