Mailing List Archive

HTML Authentication with Python
I am currently running Python on a Windows NT Server. We only want certain
pages to be accessed by people with accounts on the server in order to
update a database through python. Using this code:

import os

def main():
    # REMOTE_USER is absent when the web server has not authenticated the request
    if "REMOTE_USER" not in os.environ:
        print("HTTP/1.0 401 Access Denied")
        print("Status: 401 Authenication Required")
        print("WWW-authenticate: Basic;")
        print("Content-type: text/html\n\n\n")
    else:
        print("Worked")

I was able to get an authentication box to pop up in both Netscape and IE,
but when a user who is not an administrator tries to authenticate it
doesn't accept the username / password.

Is this a good way to go about authentication in python or is there another
library to interface with the browsers and the NT user database?
Furthermore, I'm relatively sure that the problem lies in user permissions,
but I have no idea where to begin troubleshooting. Where is the os.environ
'kept'?

Any help would be appreciated.

Matthew Lineen

HTML Authentication with Python [ In reply to ]
I don't think you want to do the authentication in Python at all.
Instead, you need to configure the Web server to do authentication.
If you configure the server properly, users won't be able to run your
CGI scripts until the server has checked their username and password.

Jeremy

HTML Authentication with Python [ In reply to ]
Jeremy Hylton (jeremy@cnri.reston.va.us) wrote:
> If you configure the server properly, users won't be able to run your
> CGI scripts until the server has checked their username and password.

Actually, I want the script to run because it pulls the "REMOTE_USER" key
and populates a field in a form. If I knew that authentication through the
server would allow me to pull this key, I wouldn't be authenticating through
the script. Maybe the question / issue is that I don't understand the use
of the REMOTE_USER key.

HTML Authentication with Python [ In reply to ]
Matthew T Lineen wrote:

> Jeremy Hylton (jeremy@cnri.reston.va.us) wrote:
> > If you configure the server properly, users won't be able to run your
> > CGI scripts until the server has checked their username and password.
>
> Actually, I want the script to run because it pulls the "REMOTE_USER" key
> and populates a field in a form. If I knew that authentication through the
> server would allow me to pull this key, I wouldn't be authenticating through
> the script. Maybe the question / issue is that I don't understand the use
> of the REMOTE_USER key.


I think that is the issue here. The previous poster is correct, but it needs a
little explaining. If you set up a web-server with no authentication then
environ['REMOTE_USER'] is not set. The 'REMOTE_USER' environment variable is
set after client-server authentication has been performed. Basically it works
as follows:

The user asks for a URL

..../name.cgi

The server sees that authentication is required and sends back a 401 error.

The client receives this and pops up an authentication window.

The user enters their details and the request is passed back to the server with
the Authorization information in plain text (well, base64) in the header.

If this information is accurate (userid and password match) then the server
sets the environ['REMOTE_USER'] to the userid.

This is all that is passed to the cgi script, so all you have to do is set up
the web server correctly and then use the value of REMOTE_USER in your script.

Any further requests to a URL which is part of the same path (i.e.
.../name.cgi/0/30/1?dothis) result in the client sending back the
Authorization header each time, stopping the authentication window from
repeatedly popping up.

Hope this helps.

Steve.
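
The exchange described in the message above, as an added example that is not part of the original thread: a stand-in for the web server checks the Authorization header and only then sets REMOTE_USER, and the CGI side uses that value to fill in a form field. The names USERS, server_authenticate, cgi_script and basic_header, the realm text, the updated_by field and the sample account are all assumptions made for illustration.

```python
import base64
import binascii
import hmac
import html

# Constructed sample account; a real server checks its own user database.
USERS = {"mlineen": "s3cret-example"}

def server_authenticate(headers, realm="Database update"):
    """Server side of the exchange: return (status, response_headers, cgi_env)."""
    challenge = {"WWW-Authenticate": 'Basic realm="%s"' % realm}
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return 401, challenge, None      # first request carries no credentials
    try:
        # base64 is an encoding, not encryption: anyone on the path can decode it
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return 401, challenge, None
    userid, sep, password = decoded.partition(":")
    expected = USERS.get(userid)
    if not sep or expected is None:
        return 401, challenge, None
    if not hmac.compare_digest(password.encode(), expected.encode()):
        return 401, challenge, None
    # Only after a successful check does the server expose the identity to CGI.
    return 200, {}, {"AUTH_TYPE": "Basic", "REMOTE_USER": userid}

def cgi_script(environ):
    """CGI side: use REMOTE_USER as set by the server; never parse credentials."""
    user = environ.get("REMOTE_USER")
    if user is None:
        # The server is not protecting this URL: refuse instead of running anonymously.
        return ("Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
                "Server authentication is not configured.\n")
    field = '<input type="text" name="updated_by" value="%s" readonly>' % (
        html.escape(user, quote=True))
    return 'Content-Type: text/html\r\n\r\n<form method="post">%s</form>\n' % field

def basic_header(userid, password):
    """What the browser sends after the user fills in the pop-up window."""
    pair = ("%s:%s" % (userid, password)).encode("utf-8")
    return "Basic " + base64.b64encode(pair).decode("ascii")

if __name__ == "__main__":
    print(server_authenticate({}))       # the 401 challenge
    auth = {"Authorization": basic_header("mlineen", "s3cret-example")}
    status, _, env = server_authenticate(auth)
    print(status, env)
    print(cgi_script(env))
```

Because the header is only base64, the same exchange over plain HTTP exposes the password to anyone who can read the traffic, so the protected path belongs behind TLS.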

HTML Authentication with Python [ In reply to ]
Stephen Crompton <scrompton@quantisci.co.uk> writes:

[Excellent explanation of HTTP-Authentication snipped]

If you still need to do the authentication yourself, e.g. because the
username/password combinations are held in a database that is not
supported by your Webserver: It can be done and how you do it depends
on the type of server you use. I have a working solution for Apache
(which works by (ab)using the rewrite-module) and a solution for Roxen
Challenger that I'll test in Real Life(tm) soon.



Jo.


--
xx_nospam@delorges.in-berlin.de
is a valid address - ist eine gueltige Adresse.