[Zope-PAS] Domainauth

[Zachery Bir]

On Jun 22, 2006, at 7:43 AM, Zachery Bir wrote:

> On Jun 22, 2006, at 3:25 AM, Janko Hauser wrote:
>
>> Hello, I'm trying to setup a domain based authentication. The  
>> situation is, that there is already a cookie-based authentication.  
>> Additionally we want to enable a direct login for some specific  
>> domains. Is this at all possible? I added a Domain Auth Plugin and  
>> activated it as the authentication plugin. Then I changed the  
>> order for this interface, so that "Domain Auth" is on top. But a  
>> request from such a domain get's an unauthorized and is redirected  
>> to the normal login page.
>>
>> Is there something more needed? I tried with the exact IP and with  
>> an endswith match for the domain name.
>>
>> What do I miss?
>
> (It's been a long time since the DomainAuthHelper was created,  
> forgive me if I'm slow)
>
> Are you using mod_rewrite by any chance? You may need to turn on X- 
> Forwarded-For (I forget the exact header), since in the default  
> case, REMOTE_HOST is usually the Apache instance in such a setup.

Woops. Like I said, too long since I played in it. It runs  
request.getClientAddr(), which does take HTTP_X_FORWARDED_FOR, but  
only if the default REMOTE_ADDR is in an attribute called  
`trusted_proxies`. From lib/python/ZPublisher/HTTPRequest.py (in some  
2.7 branch):

   # The trusted_proxies configuration setting contains a sequence
   # of front-end proxies that are trusted to supply an accurate
   # X_FORWARDED_FOR header. If REMOTE_ADDR is one of the values in  
this list
   # and it has set an X_FORWARDED_FOR header, ZPublisher copies  
REMOTE_ADDR
   # into X_FORWARDED_BY, and the last element of the X_FORWARDED_FOR  
list
   # into REMOTE_ADDR. X_FORWARDED_FOR is left unchanged.
   # The ZConfig machinery may sets this attribute on initialization
   # if any trusted-proxies are defined in the configuration file.

   trusted_proxies = []

(again, this is all if you're using mod_rewrite and VirtualHostMonster)

Zac