Posted to mod_python-dev@quetz.apache.org by "Graham Dumpleton (JIRA)" <ji...@apache.org> on 2007/04/02 13:21:32 UTC

[jira] Closed: (MODPYTHON-47) Digest Authorization header causes bad request error.

     [ https://issues.apache.org/jira/browse/MODPYTHON-47?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Graham Dumpleton closed MODPYTHON-47.
-------------------------------------


> Digest Authorization header causes bad request error.
> -----------------------------------------------------
>
>                 Key: MODPYTHON-47
>                 URL: https://issues.apache.org/jira/browse/MODPYTHON-47
>             Project: mod_python
>          Issue Type: Bug
>          Components: publisher
>    Affects Versions: 3.1.4
>            Reporter: Graham Dumpleton
>         Assigned To: Graham Dumpleton
>            Priority: Minor
>             Fix For: 3.3
>
>         Attachments: MP47_20060307_grahamd_1.diff, MP47_20060309_grahamd_2.diff
>
>
> If Apache is used to perform authentication, the Authorization header still gets
> passed through to mod_python.publisher. Unfortunately, mod_python.publisher
> authentication code in process_auth() will attempt to decode the contents of the
> Authorization header even if there are no __auth__ or __access__ hooks defined
> for authentication and access control within the published code itself.
> The consequence of this is that if Digest authentication is used for AuthType
> at the level of Apache authentication, the process_auth() code will raise a bad request
> error, as it assumes the Authorization header is always in the format for the Basic
> authentication type, and when it can't decode it, it raises an error.
> What should happen is that any decoding of Authorization should only be done
> if there is an __auth__ or __access__ hook that actually requires it. That way, if
> someone uses Digest authentication at Apache configuration file level, provided that no
> __auth__ or __access__ hooks are provided, there wouldn't be a problem.
> See:
>   http://www.modpython.org/pipermail/mod_python/2005-April/017911.html
>   http://www.modpython.org/pipermail/mod_python/2005-April/017912.html
> for additional information.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
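
The ordering problem described in the issue, as an added example: this is not mod_python's code and not either of the attached patches. BadRequest, decode_basic, run_hooks and the simplified hook signatures (__auth__ as a callable taking user and password, __access__ as a list of users) are assumptions made for illustration, and the headers are constructed sample data.

```python
import base64
from types import SimpleNamespace

class BadRequest(Exception):
    """Stands in for the HTTP 400 response (hypothetical name)."""

def decode_basic(header):
    """Decode 'Basic <base64(user:password)>' without checking the scheme."""
    try:
        _, payload = header.split(None, 1)
        raw = base64.b64decode(payload, validate=True)
        user, password = raw.decode("utf-8").split(":", 1)
    except ValueError:  # also covers binascii.Error and UnicodeDecodeError
        raise BadRequest("cannot decode Authorization header") from None
    return user, password

def run_hooks(published, creds):
    """Simplified hooks: __auth__(user, password) -> bool, __access__ = user list."""
    auth = getattr(published, "__auth__", None)
    access = getattr(published, "__access__", None)
    if creds is None and (auth or access):
        return "unauthorized"
    if auth and not auth(*creds):
        return "unauthorized"
    if access and creds[0] not in access:
        return "forbidden"
    return "allowed"

def eager_process_auth(headers, published):
    """Reported behaviour: decode the header first, look for hooks afterwards."""
    header = headers.get("Authorization")
    creds = decode_basic(header) if header else None
    return run_hooks(published, creds)

def lazy_process_auth(headers, published):
    """Requested behaviour: decode only when a hook needs the credentials."""
    if not (hasattr(published, "__auth__") or hasattr(published, "__access__")):
        return "allowed"  # Apache already authenticated; header is never parsed
    header = headers.get("Authorization")
    creds = decode_basic(header) if header else None
    return run_hooks(published, creds)

# Constructed sample data.
DIGEST = {"Authorization": 'Digest username="alice", realm="example", nonce="n", uri="/", response="r"'}
BASIC = {"Authorization": "Basic " + base64.b64encode(b"alice:s3cret").decode()}
NO_HOOKS = SimpleNamespace()
WITH_HOOK = SimpleNamespace(__auth__=lambda user, password: (user, password) == ("alice", "s3cret"))
```

With DIGEST and NO_HOOKS, eager_process_auth raises BadRequest while lazy_process_auth returns "allowed"; a Digest header combined with a hook still fails in both, which matches the issue's "provided that no __auth__ or __access__ hooks are provided".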