使用 mod-python 使 HTTP 身份验证成为可选
我有一个 Web 应用程序,它根据传递的参数访问多个控制器类。对于某些控制器,我希望用户能够对自己进行身份验证(通过简单的 HTTP 身份验证),对于某些控制器,我希望能够进行公共访问。
有办法实现这一点吗?在我的 .htaccess 文件中,我现在
AddHandler mod_python .py
PythonHandler handler
PythonAuthenHandler handler
PythonDebug On
AuthType Basic
AuthName "My Realm"
AuthBasicAuthoritative Off
require valid-user
正确调用了 authenhandler,但即使我只是这样做,也会
def authenhandler(req):
return apache.OK
要求用户输入密码(尽管输入的任何密码都会被接受),
我尝试删除 Auth* 内容(以及 require 指令) )完全来自 .htaccess,对于那些我确实想要身份验证(并且没有找到)的情况,只需在正常处理程序中执行以下操作:
request.err_headers_out.add('WWW-Authenticate', 'Basic realm="My Realm")
return apache.HTTP_UNAUTHORIZED
这就是我所理解的服务器在以下情况下应该执行的操作:未收到正确的身份验证。然而,这也不起作用。
我有 PHP 背景,我知道后者是在 PHP 中完成的 - 但 PHP 有时会执行一些额外的未记录的魔法来使这些东西真正起作用。这是其中之一吗?
是否有任何方法可以根据传递的 URL 从同一处理程序选择性地请求身份验证?
I've a web application that accesses multiple controller classes based on the parameters it is passed. For some of the controllers, I want users to authenticate themselves (by simple HTTP authentication), and for some I want public access.
Is there a way to make this happen? In my .htaccess file, I now have
AddHandler mod_python .py
PythonHandler handler
PythonAuthenHandler handler
PythonDebug On
AuthType Basic
AuthName "My Realm"
AuthBasicAuthoritative Off
require valid-user
The authenhandler is called correctly, but even when I just do
def authenhandler(req):
return apache.OK
the user is asked for a password (though any password that is entered is accepted)
I tried removing the Auth* stuff (and the require directive) from the .htaccess entirely, and just did the following in the normal handler for those cases where I do want authentication (and it was not found):
request.err_headers_out.add('WWW-Authenticate', 'Basic realm="My Realm")
return apache.HTTP_UNAUTHORIZED
which is what I understand what the server should do when not receiving correct authentication. That did not work either, however.
I come from a PHP background and I know that the latter is how it's done in PHP - but PHP sometimes does extra little pieces of undocumented magic to make this stuff actually work. Is this one of those cases?
Is there any way to optionally request authentication, depending on the URL passed, from the same handler?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
有几种方法可以指定 Apache 的身份验证范围,大多数人习惯的一种方法是 gt;Directorylt;基于 - 即目录中或目录下的任何内容都会根据 htpasswd 进行身份验证。
还有 gt;Locationlt;,它将指令应用于文件系统外部的内容,例如 mod_python 注册代码。
如果您启用了 mod_status,这就是您在“虚拟”路径(如 /status)上设置身份验证的方法。
您可以使用我应该添加的 mod_python 路径执行相同的操作
- 如果您的意思是“某些用户应该使用用户名和密码进行身份验证,而其他用户应该只需要输入用户名”,则不一定清楚
或
“某些应用程序应该 100% 的时间都需要身份验证,而其他应用程序应该 100% 的时间免费可用”
我的第一个答案整理了最后一个查询。
There are a couple ways to specify authentication scope with Apache, the one most people are used to is gt;Directorylt; based - i.e. anything in or below a directory gets authenticated against htpasswd.
There's also gt;Locationlt;, which applies directives to content that live outside the filesystem such as mod_python registered code.
This is how you can set authentication on a 'virtual' path like /status, if you have mod_status enabled.
You can do the same thing with mod_python paths
I should add - it's not necessarily clear if you mean 'some users should authenticate with a username and password and other users should only have to put in a username'
or
'some applications should require authentication 100% of the time, and other applications should be freely available 100% of the time'
My first answer sorts out the last query.