Opened 11 years ago
Last modified 11 years ago
#11287 new defect
Configurable regex (option) for TracStandalone server auth
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | normal | Milestone: | undecided |
Component: | web frontend/tracd | Version: | 1.0dev |
Severity: | minor | Keywords: | tracd authentication rpc |
Cc: | Steffen Hoffmann, Ryan J Ollos | Branch: | |
Release Notes: | |||
API Changes: | |||
Internal Changes: |
Description (last modified by )
We have been discussing in dev@bloodhound.apache.org that it'd be useful to add an option in TracStandalone server in order to supply a regex meant to match the URL paths tracd auth authentication middlewares should act upon. We'd like to rely upon such a new feature in spite of being able to write functional test cases combining both RPC requests as well as browser interaction.
At present if the --auth option is activated then the trachacks:AccountManagerPlugin login form will not be accessible, since at that path (digest) auth will be enforced to require a valid user. OTOH if the aforementioned option is not set then RPC requests will not be authenticated.
The original discussion is archived here http://goo.gl/PQgKOL
Attachments (0)
Change History (6)
comment:1 by , 11 years ago
Description: | modified (diff) |
---|
follow-up: 3 comment:2 by , 11 years ago
comment:3 by , 11 years ago
Replying to rjollos:
I don't fully understand the issue yet, but maybe seeing the patch will help with that.
See this patch. After applying it, e.g. by running tracd this way
$ tracd --hostname=localhost -r -p 8083 --basic-auth="env,/path/to/trac/.htpasswd,trac" /path/to/trac/env/ --auth-regex="^/login/.*$"
- anonymous access to /login is allowed, e.g. to render the AccountManagerPlugin login form
- auth will be enforced for sub-paths, e.g. /login/rpc for XmlRpcPlugin
I tested the patch against both trunk and 1.0-stable and it works.
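The behaviour described in this comment, as an added example that is not part of the ticket, the attached patch or tracd's own code: a WSGI middleware that enforces Basic auth only where PATH_INFO matches the configured regex. The names RegexAuthMiddleware, app and status_for and the USERS table are hypothetical, and the credentials are constructed.

```python
import base64
import hmac
import re
USERS = {"alice": "s3cret"}  # constructed stand-in for the .htpasswd file

class RegexAuthMiddleware(object):
    """Hypothetical WSGI middleware: Basic auth only where the regex matches."""
    def __init__(self, app, auth_regex):
        self.app = app
        self.pattern = re.compile(auth_regex)

    def _user(self, environ):
        header = environ.get("HTTP_AUTHORIZATION", "")
        if not header.startswith("Basic "):
            return None
        try:  # bad base64 and non-UTF-8 bytes both raise ValueError subclasses
            raw = base64.b64decode(header[6:]).decode("utf-8")
        except ValueError:
            return None
        user, _, password = raw.partition(":")
        expected = USERS.get(user, "")
        same = hmac.compare_digest(expected.encode(), password.encode())
        return user if expected and same else None

    def __call__(self, environ, start_response):
        # re.match anchors at the start: "^/login/.*$" leaves bare /login open.
        if self.pattern.match(environ.get("PATH_INFO", "")):
            user = self._user(environ)
            if user is None:
                start_response("401 Unauthorized",
                               [("WWW-Authenticate", 'Basic realm="trac"')])
                return [b""]
            environ["REMOTE_USER"] = user
        return self.app(environ, start_response)

def app(environ, start_response):
    # Stand-in for the Trac application: reports who the request runs as.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ.get("REMOTE_USER", "anonymous").encode("utf-8")]

def status_for(path, auth_regex, credentials=None):  # -> (status, body)
    environ = {"PATH_INFO": path}
    if credentials:
        token = base64.b64encode(credentials.encode("utf-8")).decode("ascii")
        environ["HTTP_AUTHORIZATION"] = "Basic " + token
    seen = []
    mw = RegexAuthMiddleware(app, auth_regex)
    body = mw(environ, lambda status, headers: seen.append(status))
    return seen[0], b"".join(body)
```

With the regex from the command above, /login/ (trailing slash) is already inside the protected set while /login is not, and any path outside the pattern, such as a bare /rpc, is served without a challenge.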
comment:4 by , 11 years ago
Cc: | added |
---|
follow-up: 6 comment:5 by , 11 years ago
Keywords: | middleware regex qa testing removed |
---|---|
Milestone: | → undecided |
I don't think that is a good idea to add the option which regular expression is used.
We could change to require authentication for /login/* also.
-
trac/web/auth.py
diff --git a/trac/web/auth.py b/trac/web/auth.py index 6e029fc..b56d197 100644
a b class LoginModule(Component): 108 108 # IRequestHandler methods 109 109 110 110 def match_request(self, req): 111 return re.match('/(login|logout)/?$', req.path_info) 111 if req.path_info in ('/login', '/logout', '/logout/'): 112 return True 113 return req.path_info.startswith('/login/') 112 114 113 115 def process_request(self, req): 114 116 if req.path_info.startswith('/login'):
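Review bot: In match_request, the new return req.path_info.startswith('/login/') makes LoginModule claim every sub-path under /login/, not only the login and logout URLs that the removed re.match('/(login|logout)/?$', ...) accepted, and the process_request context line then handles anything that startswith('/login') as a login. Paths such as /login/rpc mentioned in this ticket would be matched here too, so please confirm that this is intended or restrict the match to the exact paths that need it. Also check whether re is still used in this module once the call is removed, and add a test covering /login/, /logout/ and a /login/... sub-path.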
comment:6 by , 11 years ago
Replying to jomae:
I don't think that is a good idea to add the option which regular expression is used.
We could change to require authentication for /login/* also.
[…]
IMO under certain conditions this will be either unsuitable (enforce no login as usual) or insufficient (e.g. Bloodhound product URL namespace, especially using custom web bootstrap handlers).