[Zope] Zope PAS for pubcookie authentication

Jens Vagelpohl jens at dataflake.org
Tue Nov 21 17:43:33 EST 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On 21 Nov 2006, at 22:52, cristopher pierson ewing wrote:
> Pubcookie sets up a situation using an apache module where requests  
> to protected URLs get forwarded to an auth server where username  
> and password are checked, and a cookie is set containing the  
> username.  There is an additional apache mod called mod_fba (fake  
> basic authentication) which then takes the information returned by  
> the pubcookie server and packages it as if it were a basic  
> authentication, setting the login to the username returned by  
> pubcookie.

I don't know how mod_fba works, but you seem to imply that for Zope,  
running behind Apache, the result looks just like standard Basic  
auth. Since this is already supported, why do you think you need your  
own plugin for extracting the credentials?


> I've started messing with this all by using the PASPlugins plugin  
> called apachepas as a base.  It seemed a good place to start as the  
> authentication piece is handled by apache.
>
> Apachepas defines two plugins, an ExtractionPlugin and an  
> AuthPlugin.  The extraction plugin as I've rewritten it contains  
> the following method:
>
>   def extractCredentials(self,request):
>     """
>     extract credentials
>     """
>     user_id = request.getHeader('REMOTE_USER', None)
>     if not user_id:
>       return None
>     return {'user_id': user_id}

If mod_fba sets standard Basic auth headers you will not need this;  
as a matter of fact, this code will never yield any results, since the  
REMOTE_USER header has nothing to do with Basic auth and won't be  
there at all.


> The AuthPlugin as I've rewritten it contains the following method:
>
>   def authenticateCredentials(self, credentials):
>     """See IAuthenticationPlugin.
>     """
>     user_id = credentials.get('login', None)
>     if user_id is None:
>       return None
>     return user_id, user_id
>
> Now, here's my first question.  Astute observers may notice that  
> the name for the login name in the credentials used by  
> authenticateCredentials is different than the name set for the  
> login in extractCredentials.  This is because when I peeked at the  
> credentials passed in to authenticateCredentials, it appears to be  
> using a different set of credentials than I set.  I'm thinking I  
> must be missing a step in there somewhere, but I don't know what it  
> is.  Is there some method being called somewhere that takes the  
> {'user_id': user_id} tuple returned by extractCredentials and  
> repackages it into a credentials tuple that looks like this:
>
> {'extractor': 'credentials_basic_auth', 'login': 'myname',  
> 'password': 'password', 'remote_host': '', 'remote_address':  
> 'some.address.com'}?

As the mapping tells you, the plugin responsible for getting these  
credentials is "credentials_basic_auth", which is most likely an  
HTTPBasicAuthHelper plugin, and you will see it right in your  
PluggableAuthService object.


> Or, is it that my extractCredentials plugin is not being used,  
> despite being the first listed on the 'active' list for extraction  
> plugins?

If your Apache in front sets real basic auth headers, as it seems to  
be doing, your own plugin will never be successful; it looks for the  
wrong things. As stated above, you do not need it.


> Second question:
> if it is possible that the credentials returned might look  
> different depending on which extraction plugin is used, is there a  
> good way for me to code the authenticateCredentials plugin so that  
> it can get the right element as user_id and return it?  Where do  
> the stock plugins for PAS live on disk?  I'd love to look them over.

Look at the PluggableAuthService products and find the interfaces  
folder in there. Those files describe the interfaces used.


> Third question:
> How do plugins get selected for PAS tasks like extraction?  Is  
> there a way to force the selection of my tool?  or would that break  
> everything?

Your tool is being selected; it just does the wrong thing. Get rid of  
your extractor.

jens


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFFY4EWRAx5nvEhZLIRAmF9AJ9ONXjbrLun/aK0RkDUK71qC+iZLwCfXFCr
puHJeSTgQLppO9s+qDKqlG8=
=eO20
-----END PGP SIGNATURE-----
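The following is an added, stand-alone illustration of the two points made in this exchange; it is not code from the thread or from PluggableAuthService itself. `FakeRequest` is an assumed stand-in for Zope's HTTPRequest that reproduces how `getHeader()` prefixes a name with `HTTP_`, the simplified `extract_all()` loop mimics how PAS tags each credential set with an `'extractor'` key, and the plugin id `credentials_remote_user` and the `TRUSTED_EXTRACTORS` allow-list are assumptions (only `credentials_basic_auth` and the credential shape appear in the thread). It shows why `request.getHeader('REMOTE_USER')` is empty behind Apache, and one way to write an authenticator that copes with either credential shape (the poster's second question) without trusting credentials from just any extractor.

```python
import base64


class FakeRequest:
    """Assumed stand-in for Zope's HTTPRequest: CGI variables such as
    REMOTE_USER and HTTP_AUTHORIZATION live in 'environ'."""

    def __init__(self, environ=None):
        self.environ = dict(environ or {})

    def get(self, name, default=None):
        # request.get() sees the raw CGI variables, e.g. REMOTE_USER
        return self.environ.get(name, default)

    def getHeader(self, name, default=None):
        # getHeader() looks up an HTTP *header*, which CGI exposes as HTTP_<NAME>;
        # so getHeader('REMOTE_USER') reads HTTP_REMOTE_USER, a variable Apache
        # never sets, which is why the poster's extractor yields nothing.
        key = name.upper().replace('-', '_')
        if key not in ('CONTENT_TYPE', 'CONTENT_LENGTH'):
            key = 'HTTP_' + key
        return self.environ.get(key, default)


def basic_auth_extractor(request):
    """Produces the credential shape shown in the thread for Basic auth."""
    auth = request.get('HTTP_AUTHORIZATION')
    if not auth or not auth.lower().startswith('basic '):
        return None
    try:
        decoded = base64.b64decode(auth[6:].strip()).decode('utf-8')
    except (ValueError, UnicodeDecodeError):
        return None  # malformed header: extract nothing rather than guess
    login, _, password = decoded.partition(':')
    if not login:
        return None
    return {'login': login, 'password': password,
            'remote_host': request.get('REMOTE_HOST', ''),
            'remote_address': request.get('REMOTE_ADDR', '')}


def remote_user_extractor(request):
    """The poster's extractor, reading the CGI variable the way Apache sets it."""
    user_id = request.get('REMOTE_USER')
    if not user_id:
        return None
    return {'user_id': user_id}


# Assumed plugin ids; PAS uses the id of each registered plugin here.
EXTRACTORS = [('credentials_remote_user', remote_user_extractor),
              ('credentials_basic_auth', basic_auth_extractor)]


def extract_all(request, extractors=EXTRACTORS):
    """Simplified PAS behaviour: run every active extractor and tag each
    non-empty result with the plugin id under 'extractor'."""
    results = []
    for plugin_id, extractor in extractors:
        creds = extractor(request)
        if creds:
            creds = dict(creds)
            creds['extractor'] = plugin_id
            results.append(creds)
    return results


# Assumed allow-list: the authenticator cannot verify the password that
# mod_fba fabricates, so it must only believe credentials that came through
# the extractors fed by the Apache front end.
TRUSTED_EXTRACTORS = frozenset({'credentials_basic_auth', 'credentials_remote_user'})


def authenticate_proxy_credentials(credentials, trusted=TRUSTED_EXTRACTORS):
    """Accepts either the 'login' or the 'user_id' key, but only from a trusted
    extractor. Returns (user_id, login) like IAuthenticationPlugin, or None."""
    if credentials.get('extractor') not in trusted:
        return None
    login = credentials.get('login') or credentials.get('user_id')
    if not login:
        return None
    return login, login


def authenticate_request(request):
    """First extractor/authenticator pair that yields a user wins."""
    for creds in extract_all(request):
        result = authenticate_proxy_credentials(creds)
        if result is not None:
            return result
    return None


# Constructed sample: what Zope sees behind Apache with mod_fba-style Basic auth.
SAMPLE_REQUEST = FakeRequest({
    'HTTP_AUTHORIZATION': 'Basic ' + base64.b64encode(b'myname:password').decode('ascii'),
    'REMOTE_USER': 'myname',
    'REMOTE_HOST': '',
    'REMOTE_ADDR': 'some.address.com',
})

if __name__ == '__main__':
    print('getHeader(REMOTE_USER):', SAMPLE_REQUEST.getHeader('REMOTE_USER'))
    print('get(REMOTE_USER):', SAMPLE_REQUEST.get('REMOTE_USER'))
    print('credential sets:', extract_all(SAMPLE_REQUEST))
    print('authenticated as:', authenticate_request(SAMPLE_REQUEST))
```

The allow-list is the part worth keeping even if the custom extractor is dropped as Jens advises: an authenticator that returns `(login, login)` without checking a password is only as safe as the guarantee that every request reached Zope through the authenticating Apache, so it should not accept the same key from an extractor that anyone could feed directly.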

