Issue 1002921
Created on 2004-08-03 21:27 by wcooley, last changed 2016-04-11 00:14 by rouilj.
File name | Uploaded | Description |
roundup_server.py.patch | wcooley, 2004-08-03 21:27 | Implements REMOTE_USER for proxied server |
msg3342 |
Author: [hidden] (wcooley) |
Date: 2004-08-03 21:27 |
|
Using 0.7.6, running as a stand-alone web-server with
Apache operating as proxy on front-end. Read about
REMOTE_USER and discovered it only works when run as a
cgi-bin. Roundup makes no use of the Authorization
header passed to it when used stand-alone with an
authenticating Apache proxy. The attached patch
extracts the username from the Authorization header and
passes it as REMOTE_USER.
|
msg3343 |
Author: [hidden] (richard) |
Date: 2004-10-07 23:20 |
|
This patch doesn't actually verify the password used and
therefore makes possible a circumvention of authentication by
a client connecting directly to the roundup-server supplying an
Authentication header with "admin:gibberish" as the Basic auth
information.
|
msg3344 |
Author: [hidden] (wcooley) |
Date: 2004-11-20 05:14 |
|
Yes, you're correct. If a front-end proxy is being trusted
to authenticate, then this is the correct behaviour, but
otherwise it would be a nasty security hole. I'll add a
config variable to enable trusting a front-end proxy to have
performed the authentication, in addition to integrating
with the patch from #1067690. If you don't mind, I'll
re-open this and submit my patch here. [I never noticed
your response because the e-mail address I had registered
with SF no longer worked; I've updated it and expect I will
now see any responses.]
|
msg3345 |
Author: [hidden] (richard) |
Date: 2005-01-04 01:49 |
|
Sorry, forgot to respond. Go for it, generate the patch. Unlikely to make it
into 0.7 at this late stage though.
|
msg5518 |
Author: [hidden] (rouilj) |
Date: 2016-04-11 00:14 |
|
Looking at the current roundup/cgi/client.py I see:
    elif self.env.get('HTTP_AUTHORIZATION', ''):
        # try handling Basic Auth ourselves
        auth = self.env['HTTP_AUTHORIZATION']
        scheme, challenge = auth.split(' ', 1)
        if scheme.lower() == 'basic':
which to me looks like it has implemented what was requested.
Probably as part of issue1067690 which is closed.
|
|
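The trust decision discussed in this thread, as an added example that is not part of the original issue, the attached patch, or Roundup's code: a username taken from the Authorization header is accepted unverified only when proxy trust is switched on and the connection comes from the proxy itself; otherwise the password is checked. The names `TRUSTED_PROXIES`, `USERS`, `trust_proxy_auth`, `basic_header`, `parse_basic` and `remote_user` are hypothetical, and the sample credentials are constructed.

```python
import base64
import binascii
import hmac

# Hypothetical settings and constructed user store (plaintext only to keep the sample short).
TRUSTED_PROXIES = {"127.0.0.1"}
USERS = {"admin": "s3cret-constructed"}


def basic_header(user, password):
    """Build a Basic Authorization header value for the sample requests."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(header):
    """Return (user, password) from a Basic Authorization header, or None."""
    try:
        scheme, challenge = header.split(" ", 1)
        if scheme.lower() != "basic":
            return None
        decoded = base64.b64decode(challenge.strip(), validate=True).decode("utf-8")
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep and user else None


def remote_user(env, peer_addr, trust_proxy_auth=False):
    """Decide which username, if any, the request is authenticated as."""
    creds = parse_basic(env.get("HTTP_AUTHORIZATION", ""))
    if creds is None:
        return None
    user, password = creds
    # Proxy already authenticated the user: accept the name only from the proxy.
    if trust_proxy_auth and peer_addr in TRUSTED_PROXIES:
        return user
    # Direct client, or trust disabled: the password must be verified here.
    stored = USERS.get(user)
    if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
        return user
    return None
```

The peer-address check only holds if nothing but the proxy can connect from an address in `TRUSTED_PROXIES`; binding the stand-alone server to loopback is one way to ensure that.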
Date | User | Action | Args |
2016-04-11 00:14:06 | rouilj | set | status: open -> closed; resolution: fixed; messages: + msg5518; nosy: + rouilj |
2004-08-03 21:27:35 | wcooley | create | |