Opened 12 years ago
Last modified 12 years ago
#20589 new Bug
contrib.auth.handlers.modwsgi fails for some backends
Reported by: | Andre Bell | Owned by: | nobody |
---|---|---|---|
Component: | contrib.auth | Version: | 1.5 |
Severity: | Normal | Keywords: | handlers, modwsgi |
Cc: | bmispelon@… | Triage Stage: | Accepted |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
In contrib.auth.handlers.modwsgi authentication is implemented with a check_password function, which in turn is based on "user.check_password". However, this forces a check of the given password against the password stored in the database.
For some backends like, e.g. django_auth_ldap, no usable password is stored in the database. Thus, this check will fail.
Therefore the function should be implemented using a call to "authenticate", which will correctly verify the given password against the different authentication backends.
Change History (4)
comment:1 by , 12 years ago
Triage Stage: | Unreviewed → Accepted |
---|
comment:2 by , 12 years ago
Cc: | added |
---|
comment:3 by , 12 years ago
Returning None allows Apache to try a different authentication provider if more than one was setup in Apache. The question is whether when using Django for authentication that people would even want to do that or whether one views Django as the only authoritative source.
comment:4 by , 12 years ago
How about using authenticate to try all django authentication provider (backends) and if authenticate fails use check_password.
In that case failed authentications will still allow apache's other auth provider.
One issue (and probably the reason why
check_password
is implemented that way) is that, according to the mod_wsgi documentation [1], the handler function should returnNone
,True
, orFalse
depending on whether the user exists in the database and whether the provided password is correct or not (respectively).With
authenticate
, we either get a user object orNone
which means we can't distinguish between a non-existing user and a bad password.I'm not sure how much of a problem it'd be to return
None
instead ofFalse
in case of an invalid password but it might break backwards-compatibility so we should tread carefully.[1] http://code.google.com/p/modwsgi/wiki/AccessControlMechanisms#Apache_Authentication_Provider