Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WsgiDAVApp does not allow upstream authentication #11

Closed
BrianSipos opened this issue May 14, 2014 · 5 comments
Closed

WsgiDAVApp does not allow upstream authentication #11

BrianSipos opened this issue May 14, 2014 · 5 comments
Labels
enhancement

Comments

@BrianSipos
Copy link

This is not too big of a deal for me, but I am using WsgiDAVAPP behind Apache HTTP authentication / authorization layer. Currently, there is no way to interrupt the WsgiDAVApp stack to avoid or replace use of HTTPAuthenticator object. This makes it impossible to substitute value for environ['http_authenticator.username'] as HTTPAuthenticator sets it to the empty string if not used.

It would be convenient to have a way to control use of HTTPAuthenticator similar to how the config option "dir_browser" controls use of WsgiDavDirBrowser.
@BrianSipos
Copy link
Author

Alternatively, the HTTPAuthenticator could do something similar to

environ['http_authenticator.username'] = environ.get('REMOTE_USER', None)

and then change behavior based on whether the REMOTE_USER was provided or not.

@mar10
Copy link
Owner

mar10 commented May 14, 2014

It would be convenient to have a way to control use of HTTPAuthenticator similar to how the config option "dir_browser" controls use of WsgiDavDirBrowser.

Indeed, and maybe one option could be 'enabled = False'? If you like to propose an implemetation or even a Pull request that would be great. Otherwise I will keep it on the Backlog...
Thanks!

@BrianSipos
Copy link
Author

Without changing the interface, a workaround is to copy the upstream username if the HTTPAuthenticator is set to not send any auth response and username is already present. This would require that someone knows the behavior (from config docs) to use it.

Here is a minimal diff:

--- ./wsgidav/http_authenticator.py.orig    2014-01-01 09:14:06.000000000 -0500
+++ ./wsgidav/http_authenticator.py 2014-05-14 16:09:36.953074154 -0400
@@ -155,6 +155,11 @@
         _logger.debug("realm '%s'" % realmname)
         # _logger.debug("%s" % environ)

+        if "REMOTE_USER" in environ and (not self._acceptdigest and not self._acceptbasic):
+            environ["http_authenticator.realm"] = realmname
+            environ["http_authenticator.username"] = environ["REMOTE_USER"]
+            return self._application(environ, start_response)
+
         force_allow = False
         if HOTFIX_WIN_AcceptAnonymousOptions and environ["REQUEST_METHOD"] == "OPTIONS":
             _logger.warning("No authorization required for OPTIONS method")

@mar10
Copy link
Owner

mar10 commented Sep 14, 2014

I would think this is solved with #3 (configurable WSGI stack)

@mar10 mar10 closed this as completed Sep 14, 2014
@Mageti Mageti mentioned this issue Apr 4, 2016
Closed
@mar10
Copy link
Owner

mar10 commented Apr 8, 2016

I started a branch for this, see #28

@mar10 mar10 mentioned this issue Jun 11, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mar10 @BrianSipos