[Zope] Re: Z2.log logs user as Anonymous

Paul Winkler pw_lists at slinkp.com
Thu Oct 16 16:37:05 EDT 2003


You know, I think I've been wrong all along.
Reading the below reminded me that I was thinking of the current user 
object in zope, not the username that's logged.  Oops.

On Thu, Oct 16, 2003 at 01:21:20PM -0700, Dennis Allison wrote:
> 
> I had the same problem which was solved by pault. i have patched 
> the version of ZServer I use to handle the logs properly.  Here's 
> Paul's "shameful fix".  It works for Zope 2.5.1 through 2.6.2b3.
> 
> Subject: Re: Z2.log user name problem
> From: Paul Tiemann <pault at center7.com>
> To: Dennis Allison <allison at sumeru.stanford.EDU>
> Cc: zope at zope.org
> 
> > I'm using out-of-the-box user authentication with 
> > CookieCrumbler.  Everything seems fine except that 
> > the identified user in the Z2.log file is wrong.
> 
> I've got a "fix" for your problem.  It wouldn't have
> been my first choice to do it the way I did, but it
> works, and it's quicker than my other options were...
> 
> (Some history)
> I had the same problem with cookie-based authentication.
> The root of the problem lies in the log() method of the 
> file ZServer/medusa/http_server.py.  That method uses the
> 'Authorization' header of the request to determine the
> name of the user.  Due to the architecture of the internal
> objects used to represent the request at this level (not
> the "REQUEST" we're usually used to using, but another
> lower-level request object) the 'Authorization' header
> is a read-only field.  I believe it's the __get_item__
> and __set_item__ methods that are custom for that request
> object, so that all attempts to "set" the Authorization
> HTTP header will just be dumped into the list of response 
> headers.  Since I could see no other way to get around the
> problem by making a change in the 'CookieCrumbler', or in my 
> case 'LDAPUserFolder' products, I decided to just fix the
> problem by monkey-patching the log() method in the 
> http_server.py file itself.  
> 
> To do that, you can do something like this:
> 
> 1) Add two lines like these to the top of http_server.py
>    for the import you'll need below to make parsing
>    the cookies easier.
> 
> # PAUL DID THIS SHAMEFUL THING
> from ZPublisher.HTTPRequest import parse_cookie
> 
> 2) Down near line 290, you have the part that determines
>    the name that will go to the Z2.log file.  Here, you 
>    see 'name' being set to 'Anonymous', then there is 
>    an 'if auth is not None:' block which determines 
>    the name from the "Authorization" header.  In my case,
>    I added an 'else:' block below the if which has this
>    dirty patch of code:
> 
> try:
>   auth_cookie_name = "my_auth" # probably '__ac'?
>   cookie = None
>   try:
>     cookies = {}
>     header_value = self.get_header("Cookie")
>     if header_value:
>       parse_cookie(header_value, cookies)
>       cookie = cookies.get(auth_cookie_name, None)
>   except:
>     name = "Anonymous"
> 
>   if cookie is not None: 
>     cookie = unquote( cookie )
>     try:
>       cookie = base64.decodestring( cookie )
>       name, password = tuple( cookie.split( ':', 1 ) )
>     except: name = "Unknown (bad auth cookie)"
> except:
>   name = "Failure!"
> 
> Note that the way I solved the problem is "brittle" because
> should you ever change your auth_cookie_name, and forget 
> to change it in http_server.py as well, you'll stop
> seeing correct values in your logs.  
> 
> One more important note:  Since you have more than one
> acl_users, you might want to put the 'Cookie' based 
> name-fetch code before the 'Authorization' header based
> stuff.  It would be possible for you to log in as admin,
> then use the cookie-based login page to authenticate as
> a normal user, in which case your browser will be sending
> the 'Authorization' header, as well as the cookie, and 
> that would cause the standard acl_users username to be 
> logged...
> 
> > I assume there is some method which needs to be called 
> > to update the username for logging purposes when the 
> > login is upgraded, but I've been unable to find it.  Or 
> > is this a problem caused by the lack of a CookieCrumbler 
> > in the root folder....
> 
> I tried to find a method like the one you're describing, and
> one alternative to my solution would have been to add that
> kind of facility to the low-level request object, and make 
> different changes to http_server.py so it would get the 
> user's name from that new variable instead of from the 
> Authorization header, but I couldn't find it, and it 
> didn't appear that CookieCrumbler was doing that either...
> 
> If there is an alternative solution that is more desirable
> than my own, I would love to hear about it...  Maybe someone
> on the list knows another way...
> 
> Good luck, I hope I've helped,
> ;) Paul
> 
> 
> 
> On Thu, 16 Oct 2003, Paul Winkler wrote:
> 
> > On Thu, Oct 16, 2003 at 07:23:24PM +0200, Jochen Knuth wrote:
> > > the problem here is the use of cookie based authentication. so the user 
> > > info is not in the http authentication header, which is where the user 
> > > in the logs come from.
> > > So you have the choice:
> > > 
> > > 1. user names in the logs -> dont use cookie base authentication
> > > 2. cookie based authentication (login with forms) - >no user names in logs
> > 
> > That may be, I don't use cookie auth much.
> > Even so, I believe that anonymously accessible objects will 
> > *always* be logged as Anonymous.
> > 
> > -- 
> > 
> > Paul Winkler
> > http://www.slinkp.com
> > Look! Up in the sky! It's PYRO BOAT LIUTENANT!
> > (random hero from isometric.spaceninja.com)
> > 
> > _______________________________________________
> > Zope maillist  -  Zope at zope.org
> > http://mail.zope.org/mailman/listinfo/zope
> > **   No cross posts or HTML encoding!  **
> > (Related lists - 
> >  http://mail.zope.org/mailman/listinfo/zope-announce
> >  http://mail.zope.org/mailman/listinfo/zope-dev )
> > 

-- 

Paul Winkler
http://www.slinkp.com
Look! Up in the sky! It's LECTRO HYDROXY BITCH!
(random hero from isometric.spaceninja.com)



More information about the Zope mailing list