On Tue, 21 Nov 2006, Jens Vagelpohl wrote:
On 21 Nov 2006, at 22:52, cristopher pierson ewing wrote:
Pubcookie sets up a situation using an apache module where requests to protected URLs get forwarded to an auth server where username and password are checked, and a cookie is set containing the username. There is an additional apache mod called mod_fba (fake basic authentication) which then takes the information returned by the pubcookie server and packages it as if it were a basic authentication, setting the login to the username returned by pubcookie.
I don't know how mod_fba works, but you seem to imply that for Zope, running behind Apache, the result looks just like standard Basic auth. Since this is already supported, why do you think you need your own plugin for extracting the credentials?

The only reason is that I need to skip checking for a password, but that appears to be handled by the authenticateCredentials method. I'll kill off my extraction method since it does nothing.
I've started messing with this all by using the PASPlugins plugin called apachepas as a base. It seemed a good place to start as the authentication piece is handled by apache.
Apachepas defines two plugins, an ExtractionPlugin and an AuthPlugin. The extraction plugin as I've rewritten it contains the following method:
    def extractCredentials(self, request):
        """ extract credentials """
        user_id = request.getHeader('REMOTE_USER', None)
        if not user_id:
            return None
        return {'user_id': user_id}
If mod_fba sets standard Basic auth headers you will not need this. As a matter of fact, this code will never yield any results since the REMOTE_USER header has nothing to do with Basic auth, and won't be there at all.
Yep, you are right here. Sorry about that. I'm working from some older code that used a product called 'RemoteUserAuth' to insert the 'REMOTE_USER' header into the environment using an overwritten get_environment() method from the HTTPRequest object (I think). All of that stuff can be found at http://www.washington.edu/webinfo/cases/zope where they outline a method for using pubcookie with zope. Their method seems to be out-of-date, though. It doesn't work with PAS at all.
The AuthPlugin as I've rewritten it contains the following method:
    def authenticateCredentials(self, credentials):
        """See IAuthenticationPlugin.
        """
        user_id = credentials.get('login', None)
        if user_id is None:
            return None
        return user_id, user_id
Now, here's my first question. Astute observers may notice that the name for the login name in the credentials used by authenticateCredentials is different than the name set for the login in extractCredentials. This is because when I peeked at the credentials passed in to authenticateCredentials, it appears to be using a different set of credentials than I set. I'm thinking I must be missing a step in there somewhere, but I don't know what it is. Is there some method being called somewhere that takes the {'user_id': user_id} tuple returned by extractCredentials and repackages it into a credentials tuple that looks like this:
{'extractor': 'credentials_basic_auth', 'login': 'myname', 'password': 'password', 'remote_host': '', 'remote_address': 'some.address.com'}?
As the mapping tells you, the plugin responsible for getting these credentials is "credentials_basic_auth", which is most likely a HTTPBasicAuthHelper plugin, and you will see it right in your PluggableAuthService object.
Again, you are right. The only question I have remaining is how the 'extractor' key in the credentials gets set. I've looked up the interface for this method, and looked up the method being used in the HTTPBasicAuthHelper.py file, and the tuple that method returns, called 'cred', doesn't contain such a key. I'm just curious here, trying to get a handle on the logical flow of the authentication process. My PAS plugin works well with only an authenticateCredentials method.
Third question: How do plugins get selected for PAS tasks like extraction? Is there a way to force the selection of my tool? Or would that break everything?
Your tool is being selected, it just does the wrong thing. Get rid of your extractor.

Absolutely right. Thanks for the help, jens! Sorry to trouble.
jens
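The flow discussed in this thread, as an added example that is not part of the original messages and is not PAS source code: a simplified model in which the service itself stamps the 'extractor' key onto whatever an extraction plugin returns before handing it to each authenticator, followed by the thread's passwordless authenticator beside a variant that accepts only credentials Apache could have produced. TRUSTED_FRONTENDS, the function names and the sample requests are assumptions, and the address check assumes Zope sees Apache's own address as remote_address.

```python
# Simplified model of the PAS extract -> authenticate flow (not PAS source code).
TRUSTED_FRONTENDS = {"127.0.0.1"}  # hypothetical: address Apache connects from

def basic_auth_extract(request):
    """Stand-in for HTTPBasicAuthHelper.extractCredentials."""
    if "login" not in request:
        return {}
    return {"login": request["login"],
            "password": request.get("password", ""),
            "remote_host": request.get("remote_host", ""),
            "remote_address": request.get("remote_address", "")}

def authenticate_thread_version(credentials):
    """The authenticateCredentials from the thread: any login is accepted."""
    user_id = credentials.get("login")
    if user_id is None:
        return None
    return user_id, user_id

def authenticate_checked(credentials):
    """Same result, but only for credentials the Apache front end relayed."""
    if credentials.get("extractor") != "credentials_basic_auth":
        return None
    if credentials.get("remote_address") not in TRUSTED_FRONTENDS:
        return None
    return authenticate_thread_version(credentials)

def pas_flow(request, extractors, authenticators):
    """Model of the service loop; the plugin never sets 'extractor' itself."""
    found = []
    for extractor_id, extract in extractors:
        credentials = extract(request)
        if not credentials:
            continue
        credentials["extractor"] = extractor_id  # the key asked about above
        for authenticate in authenticators:
            result = authenticate(credentials)
            if result is not None:
                found.append(result)
    return found

EXTRACTORS = [("credentials_basic_auth", basic_auth_extract)]
# Constructed requests: one relayed by Apache, one that reached Zope directly.
VIA_APACHE = {"login": "myname", "password": "x", "remote_address": "127.0.0.1"}
DIRECT = {"login": "admin", "password": "guess", "remote_address": "203.0.113.9"}
```

Because the thread's authenticator never looks at the password, it is only as strong as the guarantee that every request reaches Zope through the Apache front end.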