On 21 Nov 2006, at 22:52, cristopher pierson ewing wrote:
Pubcookie sets up a situation using an apache module where requests to protected URLs get forwarded to an auth server where username and password are checked, and a cookie is set containing the username. There is an additional apache mod called mod_fba (fake basic authentication) which then takes the information returned by the pubcookie server and packages it as if it were a basic authentication, setting the login to the username returned by pubcookie.
I don't know how mod_fba works, but you seem to imply that for Zope, running behind Apache, the result looks just like standard Basic auth. Since this is already supported, why do you think you need your own plugin for extracting the credentials?
I've started messing with this all by using the PASPlugins plugin called apachepas as a base. It seemed a good place to start as the authentication piece is handled by apache.
Apachepas defines two plugins, an ExtractionPlugin and an AuthPlugin. The extraction plugin as I've rewritten it contains the following method:
    def extractCredentials(self, request):
        """ extract credentials """
        user_id = request.getHeader('REMOTE_USER', None)
        if not user_id:
            return None
        return {'user_id': user_id}
If mod_fba sets standard Basic auth headers you will not need this. As a matter of fact, this code will never yield any results, since the REMOTE_USER header has nothing to do with Basic auth and won't be there at all.
The AuthPlugin as I've rewritten it contains the following method:
    def authenticateCredentials(self, credentials):
        """See IAuthenticationPlugin.
        """
        user_id = credentials.get('login', None)
        if user_id is None:
            return None
        return user_id, user_id
Now, here's my first question. Astute observers may notice that the name for the login name in the credentials used by authenticateCredentials is different than the name set for the login in extractCredentials. This is because when I peeked at the credentials passed in to authenticateCredentials, it appears to be using a different set of credentials than I set. I'm thinking I must be missing a step in there somewhere, but I don't know what it is. Is there some method being called somewhere that takes the {'user_id': user_id} tuple returned by extractCredentials and repackages it into a credentials tuple that looks like this:
    {'extractor': 'credentials_basic_auth', 'login': 'myname', 'password': 'password', 'remote_host': '', 'remote_address': 'some.address.com'}?
As the mapping tells you, the plugin responsible for getting these credentials is "credentials_basic_auth", which is most likely a HTTPBasicAuthHelper plugin, and you will see it right in your PluggableAuthService object.
Or, is it that my extractCredentials plugin is not being used, despite being the first listed on the 'active' list for extraction plugins?
If your Apache in front sets real basic auth headers, as it seems to be doing, your own plugin will never be successful; it looks for the wrong things. As stated above, you do not need it.
Second question: if it is possible that the credentials returned might look different depending on which extraction plugin is used, is there a good way for me to code the authenticateCredentials plugin so that it can get the right element as user_id and return it? Where do the stock plugins for PAS live on disk? I'd love to look them over.
Look at the PluggableAuthService products and find the interfaces folder in there. Those files describe the interfaces used.
Third question: How do plugins get selected for PAS tasks like extraction? Is there a way to force the selection of my tool? or would that break everything?
Your tool is being selected, it just does the wrong thing. Get rid of your extractor.

jens
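Added example (not part of the original message and not PAS's own code): a simplified Python model of the flow discussed in this thread, in which each active extraction plugin's result is tagged with an 'extractor' id and then handed to the authentication plugin. The Request class, the Basic auth decoder and the plugin id remote_user_extractor are assumptions made for illustration; credentials_basic_auth is the id quoted in the thread.

```python
import base64

class Request:
    """Constructed stand-in for a Zope request: only a header mapping."""
    def __init__(self, headers):
        self.headers = headers
    def getHeader(self, name, default=None):
        return self.headers.get(name, default)

class RemoteUserExtractor:
    """The extractor from the post: looks for a REMOTE_USER header."""
    def extractCredentials(self, request):
        user_id = request.getHeader('REMOTE_USER', None)
        return {'user_id': user_id} if user_id else None

class BasicAuthExtractor:
    """Simplified model of a Basic auth extractor (assumption, not PAS code)."""
    def extractCredentials(self, request):
        scheme, _, blob = request.getHeader('Authorization', '').partition(' ')
        if scheme.lower() != 'basic' or not blob:
            return None
        login, _, password = base64.b64decode(blob).decode('utf-8').partition(':')
        return {'login': login, 'password': password}

class TrustingAuthenticator:
    """The authenticator from the post: accepts any 'login', checks no password."""
    def authenticateCredentials(self, credentials):
        user_id = credentials.get('login', None)
        return None if user_id is None else (user_id, user_id)

def run(headers):
    """Tag each extractor's dict with its plugin id, then offer it to the authenticator."""
    extractors = [('remote_user_extractor', RemoteUserExtractor()),   # hypothetical id
                  ('credentials_basic_auth', BasicAuthExtractor())]
    seen, users = [], []
    for plugin_id, extractor in extractors:  # order of the 'active' list
        credentials = extractor.extractCredentials(Request(headers))
        if not credentials:
            continue  # nothing extracted: fall through to the next plugin
        credentials['extractor'] = plugin_id
        seen.append(credentials)
        result = TrustingAuthenticator().authenticateCredentials(credentials)
        if result is not None:
            users.append(result)
    return seen, users

# Constructed requests: one as Basic auth arrives, one carrying only REMOTE_USER.
BASIC = {'Authorization': 'Basic ' + base64.b64encode(b'myname:password').decode()}
print(run(BASIC))
print(run({'REMOTE_USER': 'myname'}))
```

With the Basic auth request the first extractor returns None, so the authenticator only ever sees the credentials_basic_auth mapping with its 'login' key. With a REMOTE_USER header the first extractor does fire, but its {'user_id': ...} mapping yields no user because the authenticator reads 'login'.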