WSGI as AuthFormProvider

Question

Is it possible to use 'wsgi' as an AuthFormProvider in Apache2.4?

As a first attempt I edited the examples found here. The configuration now looks like this but does not work:

<Location "/test">
    AuthType Form
    AuthFormProvider wsgi
    AuthName "test"
    AuthFormLoginRequiredLocation /login.html
    WSGIAuthUserScript /path/to/django/wsgi.py
    WSGIAuthGroupScript /path/to/django/wsgi.py
    Require Group test
    Require valid-user
    Session On
    SessionCookieName xyz path/
    SessionCrypotPassphrase 123456789
</Location>

score 2 · Answer 1 · answered Sep 20 '14 at 05:25

For a start, you must be using mod_wsgi 4.3.0 for WSGIAuthGroupScript to work with Apache 2.4. The internals of Apache 2.4 changed from 2.2 and this was only realised recently. The issue was only addressed in the latest version of mod_wsgi. If you are stuck on an older mod_wsgi version from a Linux distribution and refuse to update, then you will be out of luck.

Second, you must use:

Require wsgi-group test

Under Apache 2.4, you cannot use:

Require group test

if using the WSGI auth provider.

This is again because of changes in Apache 2.4.

Overall I would suggest you post your question to the mod_wsgi mailing list and I will deal with it there. Here on StackOverflow is a terrible place for any sort of lengthy back and forth discussion which I can easily see this turn into.

For what its worth, I have been keen to investigate mod_session interaction with mod_wsgi but never got the chance so certainly interesting in helping to explore this if you jump over to the mod_wsgi mailing list instead.

Thank you very much. I've read your solution [here|https://github.com/GrahamDumpleton/mod_wsgi/issues/25] and changed the configuration but it didn't quite do the job to get the whole login process running with mod_auth_form. For my website I had to change "AuthFormLoginRequiredLocation /login.html" to "ErrorDocument 401 /login.html". The examples on the Apache Website are not very helpful and easy to misunderstand. — KebdnK, Sep 21 '14 at 18:48

KebdnK · Accepted Answer · 2014-09-22T09:17:34.957

The solution is that I had to update to mod_wsgi 4.3.0 and change the configuration as Graham Dumpleton mentioned in his answer (or here).

In addition to the update I removed the directive AuthFormLoginRequiredLocation and added an ErrorDocument directive instead.

The working configuration now looks like this:

<Location "/test">
    AuthType Form
    AuthFormProvider wsgi
    AuthName "test"
    ErrorDocument 401 /login.html
    WSGIAuthUserScript /path/to/django/wsgi.py
    WSGIAuthGroupScript /path/to/django/wsgi.py
    <RequireAll>
        Require wsgi-group test
        Require valid-user
    </RequireAll>
    Session On
    SessionCookieName xyz path/
    SessionCrypotPassphrase 123456789
</Location>

As I said before, in mod_wsgi 4.3.0 you must use 'Require wsgi-group test' and not 'Require group test'. What you have will not be triggering the mod_wsgi auth provider but trying to apply one related to a different Apache module. — Graham Dumpleton, Sep 21 '14 at 21:06

WSGI as AuthFormProvider

2 Answers2

Linked