Today’s tests the client did not send ‘bark bark’. That will be the definitive test (tomorrow) that I spoke of.
Sent from my iPhone > On Jun 14, 2021, at 8:48 PM, Graham Dumpleton <[email protected]> > wrote: > > If mod_perl has a working solution it is possibly because they are rolling > their own authentication handler from scratch, where as mod_wsgi hooks into > the authentication provider hooks of Apache, which has more rigid rules > around how the interfacing works. > > Anyway, I was wrong that you weren't providing a password, but you are > providing a fixed passed: > > ustr = f'{uname}:barkbark:{realm}' > > Is the client definitely sending a password of "barkbark"? > > If it is, then it possibly should work. > > Graham > >> On 15 Jun 2021, at 12:21 pm, Neil Verkland <[email protected]> wrote: >> >> It’s an interesting possibility. I’ll mess with the code (with that in mind) >> and see if I make any progress. If I do find that the has has to match on >> that Apache is putting together then I’ll have to switch to mod-Perl where I >> already have a working solution. >> >> I was hoping to move to mod-wsgi so all layers would be Python based (all >> the cgi’s are Python based). >> >> Sent from my iPhone >> >>>> On Jun 14, 2021, at 6:52 PM, Graham Dumpleton <[email protected]> >>>> wrote: >>>> >>> I don't remember exactly how digest auth works, but it worries me you >>> generating a hash as return value which doesn't have a password as input. I >>> suspect that Apache or something is going to compare that hash with one >>> generated from what the browser submitted and they need to match. Can't see >>> how they would match with what you are doing. >>> >>> Graham >>> >>>> On 15 Jun 2021, at 11:38 am, Neil Verkland <[email protected]> wrote: >>>> >>>> >>>> I'm attempting to use mod_wsgi for Authen (Digest) only. Once Authen is >>>> complete, all other scripts in the Apache directories will be served as >>>> CGI's or static files (or mod_proxy will pass the request on). >>>> >>>> At present (with the configs below) the WSGI (Digest) authentication >>>> script is being executed and is returning a hex-digest of an md5 sum of >>>> 'user:pass:realm' (we can see this in the logs and code is provided >>>> below); however, apache is presenting the user with the login form each >>>> and every time authentication is successfully completed. >>>> >>>> Some things to note: The password (in this case) isn't a password at all. >>>> It is an encrypted cookie that is found in the HTTP_COOKIE variable. The >>>> process of validating that cookie is to send it over TCP to a propratary >>>> java-validation process. >>>> >>>> Can anyone see (in the configs and code below) where I have missed telling >>>> Apache that the Authentication was successful? >>>> >>>> CONFIG httpd.conf: >>>> <LocationMatch "^/private/"> >>>> Options Indexes FollowSymLinks ExecCGI >>>> AuthType Digest >>>> #REALM PrivateArea >>>> AuthName PrivateArea >>>> AuthDigestProvider wsgi >>>> WSGIAuthUserScript /sites/www-python/lib/auth/plugin.py >>>> Require valid-user >>>> RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER},NS] >>>> RequestHeader set X-WEBAUTH-USER "%{PROXY_USER}e" >>>> </LocationMatch> >>>> >>>> CODE plugin.py: >>>> def get_realm_hash(environ, user, realm): >>>> C = http.cookies.SimpleCookie() >>>> C.load(environ.get('HTTP_COOKIE','')) >>>> cval = '' >>>> if not 'rocacheauth' in C: >>>> writelog("cookie not present") >>>> return None >>>> if 'rocacheauth' in C: >>>> cval = C['rocacheauth'].value >>>> port = 2500 >>>> writelog(f"cookie value: {cval}") >>>> userdata = findSession(cval) # look on disk for saved session >>>> if userdata: return(digest(userdata,realm)) >>>> writelog(f"session not found") >>>> userdata = verifyCookie(cval,port=port) >>>> if userdata: >>>> writeSession(cval,userdata) #save to disk >>>> return(digest(userdata,realm)) >>>> writelog(f"session not validated") >>>> return None >>>> >>>> def digest(userdata,realm): >>>> hasher = hashlib.md5() >>>> uname = userdata[5] >>>> ustr = f'{uname}:barkbark:{realm}' >>>> writelog(f"validated user:{uname}") >>>> hasher.update(ustr.encode('UTF-8')) >>>> dgest = hasher.hexdigest() >>>> writelog(f"digest :{dgest}") >>>> return(dgest) >>>> >>>> LOG1 OUTPUT: >>>> # (user does not have a saved session on disk) >>>> # login form is presented >>>> 2021-06-14 17:28:19,326 - authn_plugin - INFO - validated user:nv596r >>>> 2021-06-14 17:28:19,327 - authn_plugin - INFO - digest >>>> :7159b4ae7e3c2bd736dcf7c9c03d8e64 >>>> # login form is presented AGAIN >>>> >>>> LOG2 OUTPUT: >>>> # (user does have a saved session on disk): >>>> # login form is presented >>>> 2021-06-14 17:47:54,318 - authn_plugin - INFO - Session Located nv596r >>>> 2021-06-14 17:47:54,318 - authn_plugin - INFO - validated user:nv596r >>>> 2021-06-14 17:47:54,319 - authn_plugin - INFO - digest >>>> :9633784b6851713b93506f3201fd53b9 >>>> # login form is presented AGAIN >>>> >>>> -- >>>> You received this message because you are subscribed to the Google Groups >>>> "modwsgi" group. >>>> To unsubscribe from this group and stop receiving emails from it, send an >>>> email to [email protected]. >>>> To view this discussion on the web visit >>>> https://groups.google.com/d/msgid/modwsgi/ba89bbc5-99cb-4ca2-80d4-eb13d37f8fffn%40googlegroups.com. >>> >>> >>> -- >>> You received this message because you are subscribed to a topic in the >>> Google Groups "modwsgi" group. >>> To unsubscribe from this topic, visit >>> https://groups.google.com/d/topic/modwsgi/36iEHNSG-XM/unsubscribe. >>> To unsubscribe from this group and all its topics, send an email to >>> [email protected]. >>> To view this discussion on the web visit >>> https://groups.google.com/d/msgid/modwsgi/4AB4D13B-E14B-4028-AB97-40645BABF624%40gmail.com. >> >> >> -- >> You received this message because you are subscribed to the Google Groups >> "modwsgi" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/modwsgi/CAF91A5A-2531-42AF-A993-200D279EBAA4%40gmail.com. > > -- > You received this message because you are subscribed to a topic in the Google > Groups "modwsgi" group. > To unsubscribe from this topic, visit > https://groups.google.com/d/topic/modwsgi/36iEHNSG-XM/unsubscribe. > To unsubscribe from this group and all its topics, send an email to > [email protected]. > To view this discussion on the web visit > https://groups.google.com/d/msgid/modwsgi/EC84EECC-9A7C-46E7-8C21-FB8E5509CCDF%40gmail.com. -- You received this message because you are subscribed to the Google Groups "modwsgi" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/modwsgi/F7B661CA-337B-4378-BEC3-666CC3B87C49%40gmail.com.
