[ckan-discuss] CKAN Basic Authentication bug

Jan Vansteenlandt jan at okfn.be
Thu Aug 8 09:09:16 BST 2013


Hej,


The solution works as suggested altering the apache.wsgi, adding line 13 14
15 17 from this file
<https://github.com/okfn/ckanext-geodatagov/blob/master/deployment/etc/ckan/apache.wsgi#L13>
to it.
I'm still trying to fully understand it as I've never programmed in python
before, let alone alter a wsgi. This overwrites the application hook that
normally accepts the authentication, and instead just calls the
_application which loads the configuration so that ckan can continue
working or something? I just want to make a decent answer on my own
stackoverflow thread so that people with the same problem have a thorough
answer.

Thanks a bunch already guys!


Best regards,

Jan


On Wed, Aug 7, 2013 at 4:17 PM, Jan Vansteenlandt <jan at okfn.be> wrote:

> Hej guys,
>
> Thx to both the David's for their response, I'll try the last solution
> that alters the apache.wsgi and get back to you whether or not this was a
> solution to my problem. If this works I'll update my stackoverflow question
> as well, and if I can credit David for providing an answer.
>
> Thanks!
>
>
> On Wed, Aug 7, 2013 at 4:11 PM, Jan Vansteenlandt <
> vansteenlandt.jan at gmail.com> wrote:
>
>> Hej guys,
>>
>> Thx to both the David's for their response, I'll try the last solution
>> that alters the apache.wsgi and get back to you whether or not this was a
>> solution to my problem. If this works I'll update my stackoverflow question
>> as well, and if I can credit David for providing an answer.
>>
>> Thanks!
>>
>>
>> On Wed, Aug 7, 2013 at 4:06 PM, David Raznick <david.raznick at okfn.org> wrote:
>>
>>> Hello
>>>
>>> I think there is a simple way of fixing this.  The issue is that
>>> mod_wsgi adds REMOTE_USER to the environ and our auth will take that and
>>> try and match it to a user.
>>>
>>>
>>> https://github.com/okfn/ckanext-geodatagov/blob/master/deployment/etc/ckan/apache.wsgi#L13
>>>
>>> Taking lines 13,14,15,17 from the above and putting at the end of your
>>> apache.wsgi file should stop this from happening.  When posting the CKAN
>>> api you will need to use the  X-CKAN-API-Key header or specify another
>>> header in the config file.
>>>
>>> Thanks
>>>
>>> David
>>>
>>>
>>> On 7 August 2013 13:39, David Read <david.read at hackneyworkshop.com> wrote:
>>>
>>>> I guess this is because sets the Authorization header, which the web
>>>> interface seems to be picking up. I don't think CKAN using this header
>>>> is an abuse of HTTP (although correct me if I'm wrong), so having the
>>>> Basic Auth on top of CKAN is just a use case that hasn't been
>>>> considered before. I expect this could be solved relatively easily in
>>>> the CKAN code, so do dive in or commission someone to submit a
>>>> suitable pull request.
>>>>
>>>> David
>>>>
>>>> On 5 August 2013 14:02, Jan Vansteenlandt <jan at okfn.be> wrote:
>>>> > Hi all,
>>>> >
>>>> > I've got the following problem for which I couldn't find any solutions
>>>> > online. I have installed a CKAN on a webserver and it's necessary that
>>>> > before anyone can even enter the CKAN instance they should enter their
>>>> > Basic Authentication credentials first.
>>>> >
>>>> > This is easily done by providing a location tag with auth modules in the
>>>> > .htaccess of the virtualhost. Now, as this works nicely once for after
>>>> > authentication I get to see my CKAN instance, it doesn't allow me to log
>>>> > into CKAN itself. If I hit the login button, it returns a too many
>>>> > redirects and if I hit register it tells me I'm already logged in....even
>>>> > though I get no panel or anything. So it thinks I'm already logged in
>>>> > because of the server Basic Authentication in front of the CKAN instance.
>>>> >
>>>> > So my question is, is this normal behaviour, I think a Basic
>>>> > Authentication shouldn't be influencing with the internal authentication
>>>> > of CKAN? If this however is indeed not possible, what would you suggest
>>>> > to allow for similar behaviour, so that people first have to log in
>>>> > before being able to see the CKAN itself.
>>>> >
>>>> > I'm working on a 2.0.1 version of CKAN.
>>>> >
>>>> > Best regards,
>>>> >
>>>> > Jan
>>>> >
>>>> > _______________________________________________
>>>> > ckan-discuss mailing list
>>>> > ckan-discuss at lists.okfn.org
>>>> > http://lists.okfn.org/mailman/listinfo/ckan-discuss
>>>> > Unsubscribe: http://lists.okfn.org/mailman/options/ckan-discuss
>>>> >
>>>>
>>>
>>>
>>
>
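
The mechanism discussed in this thread, as an added example that is not part of the original messages and is not the code from the linked apache.wsgi: a WSGI wrapper that drops the REMOTE_USER key set by the front-end Basic Authentication before the request reaches the wrapped application. The names inner_app, strip_remote_user and call, the user name "gatekeeper" and the API key value are constructed for illustration; inner_app is only a stand-in for an application whose auth trusts REMOTE_USER.

```python
from wsgiref.util import setup_testing_defaults


def inner_app(environ, start_response):
    """Constructed stand-in for the wrapped application. Like the auth
    behaviour described in the thread, it trusts REMOTE_USER when present."""
    user = environ.get("REMOTE_USER")
    api_key = environ.get("HTTP_X_CKAN_API_KEY")  # X-CKAN-API-Key header
    if user:
        identity = "remote_user:" + user
    elif api_key:
        identity = "api_key:" + api_key
    else:
        identity = "anonymous"
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [identity.encode("utf-8")]


def strip_remote_user(app):
    """Wrap a WSGI app so the identity established by the web server's
    Basic Authentication never reaches the application's own auth layer."""
    def application(environ, start_response):
        # The web server has already enforced Basic Auth at this point;
        # removing the key only stops the app from reusing that identity.
        environ.pop("REMOTE_USER", None)
        return app(environ, start_response)
    return application


# mod_wsgi looks for a module-level callable named "application".
application = strip_remote_user(inner_app)


def call(app, **extra):
    """Run one constructed request through a WSGI app and return the body."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update(extra)
    body = app(environ, lambda status, headers: None)
    return b"".join(body).decode("utf-8")


if __name__ == "__main__":
    print(call(inner_app, REMOTE_USER="gatekeeper"))    # front-end user leaks in
    print(call(application, REMOTE_USER="gatekeeper"))  # app sees no user
```

With the wrapper in place the application only sees identities it established itself, so the Basic Authentication layer acts purely as a gate in front of it, and API requests authenticate through the X-CKAN-API-Key header as described above.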