quetz-mod_python-dev mailing list archives

From "Graham Dumpleton (JIRA)" <j...@apache.org>
Subject [jira] Created: (MODPYTHON-47) Digest Authorization header causes bad request error.
Date Thu, 21 Apr 2005 04:58:24 GMT
Digest Authorization header causes bad request error.
-----------------------------------------------------

         Key: MODPYTHON-47
         URL: http://issues.apache.org/jira/browse/MODPYTHON-47
     Project: mod_python
        Type: Bug
  Components: publisher  
    Versions: 3.1.4    
    Reporter: Graham Dumpleton
    Priority: Minor


If Apache is used to perform authentication, the Authorization header still gets
passed through to mod_python.publisher. Unfortunately, the mod_python.publisher
authentication code in process_auth() will attempt to decode the contents of the
Authorization header even if there are no __auth__ or __access__ hooks defined
for authentication and access control within the published code itself.

The consequence of this is that if Digest authentication is used for AuthType
at the level of Apache authentication, the process_auth() code will raise a bad
request error, as it assumes the Authorization header is always in the format for
the Basic authentication type, and when it can't decode it, it raises an error.

What should happen is that any decoding of Authorization should only be done
if there is an __auth__ or __access__ hook that actually requires it. That way, if
someone uses Digest authentication at the Apache configuration file level, provided
that no __auth__ or __access__ hooks are provided, there wouldn't be a problem.

See:

  http://www.modpython.org/pipermail/mod_python/2005-April/017911.html
  http://www.modpython.org/pipermail/mod_python/2005-April/017912.html

for additional information.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
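
The decoding order described in this report, shown as an added example that is not part of the original message and is not mod_python's code. The function names, the BadRequest class, the dict of hooks with simplified signatures, and the sample headers are all assumptions made for illustration.

```python
import base64
import binascii

class BadRequest(Exception):
    """Stands in for an HTTP 400 response (hypothetical, not a mod_python class)."""

def decode_basic(header):
    """Return (user, password) from a Basic Authorization header value."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic":
        raise BadRequest("unsupported Authorization scheme: %s" % scheme)
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        raise BadRequest("malformed Basic credentials")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise BadRequest("malformed Basic credentials")
    return user, password

def run_hooks(hooks, creds):
    """Call whichever hooks exist; signatures are simplified for this sketch."""
    user, password = creds if creds else (None, None)
    if "__auth__" in hooks and not hooks["__auth__"](user, password):
        return False
    if "__access__" in hooks and not hooks["__access__"](user):
        return False
    return True

def process_auth_eager(headers, hooks):
    """Order described in the report: decode first, look for hooks afterwards."""
    creds = None
    if "Authorization" in headers:
        creds = decode_basic(headers["Authorization"])  # a Digest header fails here
    return run_hooks(hooks, creds)

def process_auth_lazy(headers, hooks):
    """Order the report asks for: decode only when a hook needs the credentials."""
    if "__auth__" not in hooks and "__access__" not in hooks:
        return True  # Apache has already authenticated; leave the header alone
    creds = None
    if "Authorization" in headers:
        creds = decode_basic(headers["Authorization"])
    return run_hooks(hooks, creds)

# Constructed sample headers, not captured traffic.
DIGEST = {"Authorization": 'Digest username="alice", realm="example", '
                           'nonce="abc", uri="/", response="0123"'}
BASIC = {"Authorization": "Basic " + base64.b64encode(b"alice:secret").decode()}
```

With hooks defined, a Digest header still ends in BadRequest in the lazy version, because a publisher-level __auth__ hook needs a user name and password that only Basic credentials supply.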

