[ckan-discuss] CKAN Basic Authentication bug

David Read david.read at hackneyworkshop.com
Thu Aug 8 09:29:26 BST 2013


When someone makes a web request, it gets to your server (e.g. Apache)
which is configured to give it to mod_wsgi which sends it on to the
'application' function from this python file. Normally in this file
you set `application = loadapp(...)` which is the CKAN application,
but here David has inserted a little bit of 'middleware' code that
modifies the request before it gets given to CKAN. The modification is
to remove the 'basic authentication' information.

David


On 8 August 2013 09:09, Jan Vansteenlandt <jan at okfn.be> wrote:
> Hej,
>
>
> The solution works as suggested altering the apache.wsgi, adding line 13 14
> 15 17 from this file to it.
> I'm still trying to fully understand it as I've never programmed in python
> before, let alone alter a wsgi. This overwrites the application hook that
> normally accepts the authentication, and instead just calls the _application
> which loads the configuration so that ckan can continue working or
> something? I just want to make a decent answer on my own stackoverflow
> thread so that people with the same problem have a thorough answer.
>
> Thanks a bunch already guys!
>
>
> Best regards,
>
> Jan
>
>
> On Wed, Aug 7, 2013 at 4:17 PM, Jan Vansteenlandt <jan at okfn.be> wrote:
>>
>> Hej guys,
>>
>> Thx to both the Davids for their response, I'll try the last solution
>> that alters the apache.wsgi and get back to you whether or not this was a
>> solution to my problem. If this works I'll update my stackoverflow question
>> as well, and if I can credit David for providing an answer.
>>
>> Thanks!
>>
>>
>> On Wed, Aug 7, 2013 at 4:11 PM, Jan Vansteenlandt
>> <vansteenlandt.jan at gmail.com> wrote:
>>>
>>> Hej guys,
>>>
>>> Thx to both the Davids for their response, I'll try the last solution
>>> that alters the apache.wsgi and get back to you whether or not this was a
>>> solution to my problem. If this works I'll update my stackoverflow question
>>> as well, and if I can credit David for providing an answer.
>>>
>>> Thanks!
>>>
>>>
>>> On Wed, Aug 7, 2013 at 4:06 PM, David Raznick <david.raznick at okfn.org>
>>> wrote:
>>>>
>>>> Hello
>>>>
>>>> I think there is a simple way of fixing this.  The issue is that
>>>> mod_wsgi adds REMOTE_USER to the environ and our auth will take that and try
>>>> and match it to a user.
>>>>
>>>>
>>>> https://github.com/okfn/ckanext-geodatagov/blob/master/deployment/etc/ckan/apache.wsgi#L13
>>>>
>>>> Taking lines 13,14,15,17 from the above and putting at the end of your
>>>> apache.wsgi file should stop this from happening.  When posting the CKAN api
>>>> you will need to use the  X-CKAN-API-Key header or specify another header in
>>>> the config file.
>>>>
>>>> Thanks
>>>>
>>>> David
>>>>
>>>>
>>>> On 7 August 2013 13:39, David Read <david.read at hackneyworkshop.com>
>>>> wrote:
>>>>>
>>>>> I guess this is because sets the Authorization header, which the web
>>>>> interface seems to be picking up. I don't think CKAN using this header
>>>>> is an abuse of HTTP (although correct me if I'm wrong), so having the
>>>>> Basic Auth on top of CKAN is just a use case that hasn't been
>>>>> considered before. I expect this could be solved relatively easily in
>>>>> the CKAN code, so do dive in or commission someone to submit a
>>>>> suitable pull request.
>>>>>
>>>>> David
>>>>>
>>>>> On 5 August 2013 14:02, Jan Vansteenlandt <jan at okfn.be> wrote:
>>>>> > Hi all,
>>>>> >
>>>>> > I've got the following problem for which I couldn't find any
>>>>> > solutions
>>>>> > online. I have installed a CKAN on a webserver and it's necessary
>>>>> > that
>>>>> > before anyone can even enter the CKAN instance they should enter
>>>>> > their Basic
>>>>> > Authentication credentials first.
>>>>> >
>>>>> > This is easily done by providing a location tag with auth modules in
>>>>> > the
>>>>> > .htaccess of the virtualhost. Now, as this works nicely once for
>>>>> > after
>>>>> > authentication I get to see my CKAN instance, it doesn't allow me to
>>>>> > log
>>>>> > into CKAN itself. If I hit the login button, it returns a too many
>>>>> > redirects
>>>>> > and if I hit register it tells me I'm already logged in....even
>>>>> > though I get
>>>>> > no panel or anything. So it thinks I'm already logged in because of
>>>>> > the
>>>>> > server Basic Authentication in front of the CKAN instance.
>>>>> >
>>>>> > So my question is, is this normal behaviour, I think a Basic
>>>>> > Authentication
>>>>> > shouldn't be influencing with the internal authentication of CKAN? If
>>>>> > this
>>>>> > however is indeed not possible, what would you suggest to allow for
>>>>> > similar
>>>>> > behaviour, so that people first have to log in before being able to
>>>>> > see the
>>>>> > CKAN itself.
>>>>> >
>>>>> > I'm working on a 2.0.1 version of CKAN.
>>>>> >
>>>>> > Best regards,
>>>>> >
>>>>> > Jan
>>>>> >
>>>>> > _______________________________________________
>>>>> > ckan-discuss mailing list
>>>>> > ckan-discuss at lists.okfn.org
>>>>> > http://lists.okfn.org/mailman/listinfo/ckan-discuss
>>>>> > Unsubscribe: http://lists.okfn.org/mailman/options/ckan-discuss
>>>>> >
>>>>>
>>>>
>>>>
>>>
>>
>
>
>
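The kind of wrapper discussed in this thread, as an added example that is not part of the original messages and is not the code from the linked apache.wsgi: a WSGI middleware that drops the web server's Basic Auth identity before the application sees it. The names `strip_server_auth`, `whoami_app` and `call` are hypothetical, the stand-in app replaces the CKAN application so the script runs without CKAN, and the set of stripped keys (REMOTE_USER plus the Authorization header) is an assumption based on the two items named in the thread.

```python
from wsgiref.util import setup_testing_defaults

# environ keys carrying the front-end Basic Auth result (assumed set: the
# two items named in the thread, REMOTE_USER and the Authorization header).
STRIPPED_KEYS = ("REMOTE_USER", "HTTP_AUTHORIZATION")


def strip_server_auth(app, keys=STRIPPED_KEYS):
    """Wrap a WSGI app so it never sees the web server's Basic Auth identity."""
    def middleware(environ, start_response):
        for key in keys:
            environ.pop(key, None)  # absent keys are fine
        return app(environ, start_response)
    return middleware


def whoami_app(environ, start_response):
    """Stand-in for the CKAN app: reports the identity it would pick up."""
    user = environ.get("REMOTE_USER", "anonymous")
    api_key = environ.get("HTTP_X_CKAN_API_KEY", "none")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("user=%s api_key=%s" % (user, api_key)).encode("utf-8")]


def call(app, extra_environ):
    """Drive a WSGI app once with a constructed environ and return the body."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update(extra_environ)
    chunks = app(environ, lambda status, headers: None)
    return b"".join(chunks).decode("utf-8")


# Constructed request: what the app receives after Apache has already
# authenticated the visitor "gatekeeper" with Basic Auth.
SAMPLE = {
    "REMOTE_USER": "gatekeeper",
    "HTTP_AUTHORIZATION": "Basic Z2F0ZWtlZXBlcjpleGFtcGxl",
    "HTTP_X_CKAN_API_KEY": "constructed-key",
}

# In a real apache.wsgi this would wrap the object returned by loadapp(...).
application = strip_server_auth(whoami_app)

if __name__ == "__main__":
    print(call(whoami_app, SAMPLE))   # unwrapped: app adopts the Apache user
    print(call(application, SAMPLE))  # wrapped: app sees no server identity
```

The X-CKAN-API-Key header passes through untouched, which matches the advice in the thread to use that header for API calls once the wrapper is in place.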


