It’s an interesting possibility. I’ll mess with the code (with that in mind) and see if I make any progress. If I do find that the has has to match on that Apache is putting together then I’ll have to switch to mod-Perl where I already have a working solution.
I was hoping to move to mod-wsgi so all layers would be Python based (all the cgi’s are Python based). Sent from my iPhone > On Jun 14, 2021, at 6:52 PM, Graham Dumpleton <[email protected]> > wrote: > > I don't remember exactly how digest auth works, but it worries me you > generating a hash as return value which doesn't have a password as input. I > suspect that Apache or something is going to compare that hash with one > generated from what the browser submitted and they need to match. Can't see > how they would match with what you are doing. > > Graham > >> On 15 Jun 2021, at 11:38 am, Neil Verkland <[email protected]> wrote: >> >> >> I'm attempting to use mod_wsgi for Authen (Digest) only. Once Authen is >> complete, all other scripts in the Apache directories will be served as >> CGI's or static files (or mod_proxy will pass the request on). >> >> At present (with the configs below) the WSGI (Digest) authentication script >> is being executed and is returning a hex-digest of an md5 sum of >> 'user:pass:realm' (we can see this in the logs and code is provided below); >> however, apache is presenting the user with the login form each and every >> time authentication is successfully completed. >> >> Some things to note: The password (in this case) isn't a password at all. It >> is an encrypted cookie that is found in the HTTP_COOKIE variable. The >> process of validating that cookie is to send it over TCP to a propratary >> java-validation process. >> >> Can anyone see (in the configs and code below) where I have missed telling >> Apache that the Authentication was successful? >> >> CONFIG httpd.conf: >> <LocationMatch "^/private/"> >> Options Indexes FollowSymLinks ExecCGI >> AuthType Digest >> #REALM PrivateArea >> AuthName PrivateArea >> AuthDigestProvider wsgi >> WSGIAuthUserScript /sites/www-python/lib/auth/plugin.py >> Require valid-user >> RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER},NS] >> RequestHeader set X-WEBAUTH-USER "%{PROXY_USER}e" >> </LocationMatch> >> >> CODE plugin.py: >> def get_realm_hash(environ, user, realm): >> C = http.cookies.SimpleCookie() >> C.load(environ.get('HTTP_COOKIE','')) >> cval = '' >> if not 'rocacheauth' in C: >> writelog("cookie not present") >> return None >> if 'rocacheauth' in C: >> cval = C['rocacheauth'].value >> port = 2500 >> writelog(f"cookie value: {cval}") >> userdata = findSession(cval) # look on disk for saved session >> if userdata: return(digest(userdata,realm)) >> writelog(f"session not found") >> userdata = verifyCookie(cval,port=port) >> if userdata: >> writeSession(cval,userdata) #save to disk >> return(digest(userdata,realm)) >> writelog(f"session not validated") >> return None >> >> def digest(userdata,realm): >> hasher = hashlib.md5() >> uname = userdata[5] >> ustr = f'{uname}:barkbark:{realm}' >> writelog(f"validated user:{uname}") >> hasher.update(ustr.encode('UTF-8')) >> dgest = hasher.hexdigest() >> writelog(f"digest :{dgest}") >> return(dgest) >> >> LOG1 OUTPUT: >> # (user does not have a saved session on disk) >> # login form is presented >> 2021-06-14 17:28:19,326 - authn_plugin - INFO - validated user:nv596r >> 2021-06-14 17:28:19,327 - authn_plugin - INFO - digest >> :7159b4ae7e3c2bd736dcf7c9c03d8e64 >> # login form is presented AGAIN >> >> LOG2 OUTPUT: >> # (user does have a saved session on disk): >> # login form is presented >> 2021-06-14 17:47:54,318 - authn_plugin - INFO - Session Located nv596r >> 2021-06-14 17:47:54,318 - authn_plugin - INFO - validated user:nv596r >> 2021-06-14 17:47:54,319 - authn_plugin - INFO - digest >> :9633784b6851713b93506f3201fd53b9 >> # login form is presented AGAIN >> >> -- >> You received this message because you are subscribed to the Google Groups >> "modwsgi" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/modwsgi/ba89bbc5-99cb-4ca2-80d4-eb13d37f8fffn%40googlegroups.com. > > -- > You received this message because you are subscribed to a topic in the Google > Groups "modwsgi" group. > To unsubscribe from this topic, visit > https://groups.google.com/d/topic/modwsgi/36iEHNSG-XM/unsubscribe. > To unsubscribe from this group and all its topics, send an email to > [email protected]. > To view this discussion on the web visit > https://groups.google.com/d/msgid/modwsgi/4AB4D13B-E14B-4028-AB97-40645BABF624%40gmail.com. -- You received this message because you are subscribed to the Google Groups "modwsgi" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/modwsgi/CAF91A5A-2531-42AF-A993-200D279EBAA4%40gmail.com.
