Edgewall Software

Opened 9 years ago

Last modified 9 years ago

#11287 new defect

Configurable regex (option) for TracStandalone server auth

Reported by: Olemis Lang <olemis+trac@…>
Owned by:
Priority: normal
Milestone: undecided
Component: web frontend/tracd
Version: 1.0dev
Severity: minor
Keywords: tracd authentication rpc
Cc: Steffen Hoffmann, Ryan J Ollos
Branch:
Release Notes:
API Changes:
Internal Changes:

Description (last modified by Ryan J Ollos)

We have been discussing in dev@bloodhound.apache.org that it'd be useful to add an option in TracStandalone server in order to supply a regex meant to match the URL paths that tracd auth authentication middlewares should act upon. We'd like to rely upon such a new feature in spite of being able to write functional test cases combining both RPC requests as well as browser interaction.

At present, if the --auth option is activated then the trachacks:AccountManagerPlugin login form will not be accessible, since at that path (digest) auth will be enforced to require a valid user. OTOH, if the aforementioned option is not set then RPC requests will not be authenticated.

The original discussion is archived here http://goo.gl/PQgKOL

Attachments (0)

Change History (6)

comment:1 by Ryan J Ollos, 9 years ago

Description: modified (diff)

comment:2 by Ryan J Ollos, 9 years ago

I don't fully understand the issue yet, but maybe seeing the patch will help with that.

in reply to:  2 comment:3 by olemis, 9 years ago

Replying to rjollos:

I don't fully understand the issue yet, but maybe seeing the patch will help with that.

See this patch. After applying it, e.g. by running tracd this way

$ tracd --hostname=localhost -r -p 8083 --basic-auth="env,/path/to/trac/.htpasswd,trac" /path/to/trac/env/ --auth-regex="^/login/.*$"
  1. anonymous access to /login is allowed e.g. to render AccountManagerPlugin login form
  2. auth will be enforced for sub-paths e.g. /login/rpc for XmlRpcPlugin

I tested the patch against both trunk and 1.0-stable and it works.
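The path scoping described in comment:3, as an added example that is not the patch attached to this ticket: a minimal WSGI wrapper that demands Basic auth only where the regex matches PATH_INFO. The names path_scoped_basic_auth, probe, inner, check_user, USERS and ALICE are hypothetical, and the credentials and requests are constructed.

```python
import base64
import hmac
import re

def path_scoped_basic_auth(app, auth_regex, check, realm="trac"):
    """Hypothetical WSGI wrapper: demand Basic auth only where auth_regex matches."""
    pattern = re.compile(auth_regex)
    def middleware(environ, start_response):
        if not pattern.match(environ.get("PATH_INFO", "")):
            return app(environ, start_response)      # outside the regex: anonymous
        user = _basic_user(environ.get("HTTP_AUTHORIZATION", ""), check)
        if user is None:
            start_response("401 Unauthorized", [("Content-Type", "text/plain"),
                ("WWW-Authenticate", 'Basic realm="%s"' % realm)])
            return [b"Authentication required\n"]
        environ["REMOTE_USER"] = user                # the wrapped app sees the login
        return app(environ, start_response)
    return middleware

def _basic_user(header, check):
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):         # malformed base64 or bytes
        return None
    return user if check(user, password) else None

def probe(wsgi_app, path, authorization=None):
    """Send one constructed GET through the app and return its status line."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if authorization:
        environ["HTTP_AUTHORIZATION"] = authorization
    seen = []
    wsgi_app(environ, lambda status, headers: seen.append(status))
    return seen[0]

def inner(environ, start_response):                  # stand-in for the Trac app
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ.get("REMOTE_USER", "anonymous").encode()]

USERS = {"alice": "s3cret"}                          # constructed credentials
ALICE = "Basic " + base64.b64encode(b"alice:s3cret").decode()

def check_user(user, password):                      # constant-time comparison
    return user in USERS and hmac.compare_digest(USERS[user].encode(), password.encode())

guarded = path_scoped_basic_auth(inner, r"^/login/.*$", check_user)
for path in ("/login", "/login/", "/login/rpc", "/wiki/WikiStart"):
    print(path, "->", probe(guarded, path))
```

With this regex, /login stays anonymous but /login/ with a trailing slash already falls under enforcement, which matters if the login form is ever served from the slash-terminated path.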

comment:4 by Ryan J Ollos, 9 years ago

Cc: Steffen Hoffmann Ryan J Ollos added

comment:5 by Jun Omae, 9 years ago

Keywords: middleware regex qa testing removed
Milestone: undecided

I don't think it is a good idea to add the option for which regular expression is used.

We could change to require authentication for /login/* also.

  • trac/web/auth.py

    diff --git a/trac/web/auth.py b/trac/web/auth.py
    index 6e029fc..b56d197 100644
    a b class LoginModule(Component):  
    108108    # IRequestHandler methods
    109109
    110110    def match_request(self, req):
    111         return re.match('/(login|logout)/?$', req.path_info)
     111        if req.path_info in ('/login', '/logout', '/logout/'):
     112            return True
     113        return req.path_info.startswith('/login/')
    112114
    113115    def process_request(self, req):
    114116        if req.path_info.startswith('/login'):
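
Review bot: In match_request, the new final line "return req.path_info.startswith('/login/')" makes LoginModule claim every path under /login/, where the removed pattern '/(login|logout)/?$' matched only /login, /login/, /logout and /logout/. The unchanged context line in process_request, "if req.path_info.startswith('/login'):", then sends all of those sub-paths down the login branch, so a request such as /login/rpc (the XmlRpcPlugin path named in comment:3) may be answered by LoginModule instead of reaching its own handler. Please confirm the intended handler still receives such requests, or keep match_request on the exact login and logout paths and enforce authentication for /login/* somewhere that does not take over request handling. A test covering /login, /login/, /logout/ and one /login/ sub-path would pin the behaviour down.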

in reply to:  5 comment:6 by Olemis Lang <olemis+trac@…>, 9 years ago

Replying to jomae:

I don't think it is a good idea to add the option for which regular expression is used.

We could change to require authentication for /login/* also.

[…]

IMO under certain conditions this will be either unsuitable (enforce no login as usual) or insufficient (e.g. Bloodhound product URL namespace, especially using custom web bootstrap handlers)
