[ckan-discuss] CKAN Basic Authentication bug

Jan Vansteenlandt jan at okfn.be
Thu Aug 8 09:55:53 BST 2013


I suspected something like it with the "pop" function and the REMOTE_USER
header and such. Anyway thank you so much for providing the extra 30% of
the answer!!

>
> On Thu, Aug 8, 2013 at 10:29 AM, David Read <
> david.read at hackneyworkshop.com> wrote:
>
>> When someone makes a web request, it gets to your server (e.g. Apache)
>> which is configured to give it to mod_wsgi which sends it on to the
>> 'application' function from this python file. Normally in this file
>> you set `application = loadapp(...)` which is the CKAN application,
>> but here David has inserted a little bit of 'middleware' code that
>> modifies the request before it gets given to CKAN. The modification is
>> to remove the 'basic authentication' information.
>>
>> David
>>
>>
>> On 8 August 2013 09:09, Jan Vansteenlandt <jan at okfn.be> wrote:
>> > Hej,
>> >
>> >
>> > The solution works as suggested altering the apache.wsgi, adding line
>> > 13 14 15 17 from this file to it.
>> > I'm still trying to fully understand it as I've never programmed in
>> > python before, let alone alter a wsgi. This overwrites the application
>> > hook that normally accepts the authentication, and instead just calls
>> > the _application which loads the configuration so that ckan can
>> > continue working or something? I just want to make a decent answer on
>> > my own stackoverflow thread so that people with the same problem have
>> > a thorough answer.
>> >
>> > Thanks a bunch already guys!
>> >
>> >
>> > Best regards,
>> >
>> > Jan
>> >
>> >
>> > On Wed, Aug 7, 2013 at 4:17 PM, Jan Vansteenlandt <jan at okfn.be> wrote:
>> >>
>> >> Hej guys,
>> >>
>> >> Thx to both the David's for their response, I'll try the last solution
>> >> that alters the apache.wsgi and get back to you whether or not this
>> >> was a solution to my problem. If this works I'll update my
>> >> stackoverflow question as well, and if I can credit David for
>> >> providing an answer.
>> >>
>> >> Thanks!
>> >>
>> >>
>> >> On Wed, Aug 7, 2013 at 4:11 PM, Jan Vansteenlandt
>> >> <vansteenlandt.jan at gmail.com> wrote:
>> >>>
>> >>> Hej guys,
>> >>>
>> >>> Thx to both the David's for their response, I'll try the last solution
>> >>> that alters the apache.wsgi and get back to you whether or not this
>> >>> was a solution to my problem. If this works I'll update my
>> >>> stackoverflow question as well, and if I can credit David for
>> >>> providing an answer.
>> >>>
>> >>> Thanks!
>> >>>
>> >>>
>> >>> On Wed, Aug 7, 2013 at 4:06 PM, David Raznick
>> >>> <david.raznick at okfn.org> wrote:
>> >>>>
>> >>>> Hello
>> >>>>
>> >>>> I think there is a simple way of fixing this.  The issue is that
>> >>>> mod_wsgi adds REMOTE_USER to the environ and our auth will take that
>> >>>> and try and match it to a user.
>> >>>>
>> >>>> https://github.com/okfn/ckanext-geodatagov/blob/master/deployment/etc/ckan/apache.wsgi#L13
>> >>>>
>> >>>> Taking lines 13,14,15,17 from the above and putting at the end of
>> >>>> your apache.wsgi file should stop this from happening.  When posting
>> >>>> the CKAN api you will need to use the X-CKAN-API-Key header or
>> >>>> specify another header in the config file.
>> >>>>
>> >>>> Thanks
>> >>>>
>> >>>> David
>> >>>>
>> >>>>
>> >>>> On 7 August 2013 13:39, David Read <david.read at hackneyworkshop.com>
>> >>>> wrote:
>> >>>>>
>> >>>>> I guess this is because sets the Authorization header, which the web
>> >>>>> interface seems to be picking up. I don't think CKAN using this
>> >>>>> header is an abuse of HTTP (although correct me if I'm wrong), so
>> >>>>> having the Basic Auth on top of CKAN is just a use case that hasn't
>> >>>>> been considered before. I expect this could be solved relatively
>> >>>>> easily in the CKAN code, so do dive in or commission someone to
>> >>>>> submit a suitable pull request.
>> >>>>>
>> >>>>> David
>> >>>>>
>> >>>>> On 5 August 2013 14:02, Jan Vansteenlandt <jan at okfn.be> wrote:
>> >>>>> > Hi all,
>> >>>>> >
>> >>>>> > I've got the following problem for which I couldn't find any
>> >>>>> > solutions online. I have installed a CKAN on a webserver and it's
>> >>>>> > necessary that before anyone can even enter the CKAN instance they
>> >>>>> > should enter their Basic Authentication credentials first.
>> >>>>> >
>> >>>>> > This is easily done by providing a location tag with auth modules
>> >>>>> > in the .htaccess of the virtualhost. Now, as this works nicely once
>> >>>>> > for after authentication I get to see my CKAN instance, it doesn't
>> >>>>> > allow me to log into CKAN itself. If I hit the login button, it
>> >>>>> > returns a too many redirects and if I hit register it tells me I'm
>> >>>>> > already logged in....even though I get no panel or anything. So it
>> >>>>> > thinks I'm already logged in because of the server Basic
>> >>>>> > Authentication in front of the CKAN instance.
>> >>>>> >
>> >>>>> > So my question is, is this normal behaviour, I think a Basic
>> >>>>> > Authentication shouldn't be influencing with the internal
>> >>>>> > authentication of CKAN? If this however is indeed not possible,
>> >>>>> > what would you suggest to allow for similar behaviour, so that
>> >>>>> > people first have to log in before being able to see the CKAN
>> >>>>> > itself.
>> >>>>> >
>> >>>>> > I'm working on a 2.0.1 version of CKAN.
>> >>>>> >
>> >>>>> > Best regards,
>> >>>>> >
>> >>>>> > Jan
>> >>>>> >
>> >>>>> > _______________________________________________
>> >>>>> > ckan-discuss mailing list
>> >>>>> > ckan-discuss at lists.okfn.org
>> >>>>> > http://lists.okfn.org/mailman/listinfo/ckan-discuss
>> >>>>> > Unsubscribe: http://lists.okfn.org/mailman/options/ckan-discuss
>> >>>>> >
>
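
The middleware idea discussed in this thread, written out as an added example; it is not part of any message above and is not a copy of the linked apache.wsgi. The stand-in application, the sample request and the choice of stripped keys (REMOTE_USER, plus the Authorization header mentioned in the thread) are assumptions made for illustration.

```python
"""Added example: WSGI wrapper that drops the front-end Basic Auth identity."""
from wsgiref.util import setup_testing_defaults

# environ keys filled in by the web server's Basic Auth layer (assumed list)
STRIPPED_KEYS = ("REMOTE_USER", "HTTP_AUTHORIZATION")


def strip_frontend_auth(app, keys=STRIPPED_KEYS):
    """Wrap `app` so the server-level login never reaches its own auth."""
    def application(environ, start_response):
        for key in keys:
            environ.pop(key, None)  # default given, so absent keys are fine
        return app(environ, start_response)
    return application


def demo_app(environ, start_response):
    """Hypothetical stand-in for the wrapped application (not CKAN code).
    It trusts REMOTE_USER, the behaviour the thread attributes to CKAN."""
    user = environ.get("REMOTE_USER", "anonymous")
    api_key = environ.get("HTTP_X_CKAN_API_KEY", "-")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("user=%s api_key=%s" % (user, api_key)).encode("utf-8")]


def call(app, extra_environ):
    """Send one constructed request through `app`; return the body text."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update(extra_environ)
    body = app(environ, lambda status, headers: None)
    return b"".join(body).decode("utf-8")


# Constructed request: what the app receives once Basic Auth has succeeded.
SAMPLE = {
    "REMOTE_USER": "gatekeeper",
    "HTTP_AUTHORIZATION": "Basic Z2F0ZWtlZXBlcjpleGFtcGxl",
    "HTTP_X_CKAN_API_KEY": "constructed-api-key",
}

if __name__ == "__main__":
    print("unwrapped:", call(demo_app, dict(SAMPLE)))
    print("wrapped:  ", call(strip_frontend_auth(demo_app), dict(SAMPLE)))
```

In an apache.wsgi file the wrapper would be applied to the object that `loadapp(...)` returns, and the result assigned to `application`. The X-CKAN-API-Key header passes through untouched, which is why the thread says API clients should use it.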