[Twisted-web] SSPI authentication (direct, or behind Apache)

Paul Moore pf_moore at yahoo.co.uk
Fri May 19 05:55:11 CDT 2006


I want to set up an application (MoinMoin, to be specific) running as a Twisted
web service. I'm putting it behind an Apache server (for reasons that will
hopefully become clearer below...)

I have no problem setting up the application running its own service, and no
problem setting up Apache2 as a reverse proxy, using mod_proxy.

However, I also want Apache to authenticate users for me. The reason for this is
that I want user credentials to be picked up automatically, from the user's
Windows login. (This is a corporate intranet, where single sign-on based on the
initial Windows login is the norm for all applications).

I can set up Apache to authenticate, using mod_sspi, and this works fine for
static web pages, or CGI. But my Twisted server doesn't see the username from
behind the proxy.

Does anyone know how I can set this up? I can see two potential ways of getting
this to work. One is to set up the Twisted app to authenticate via SSPI itself 
- I've got this working with a non-Twisted application which does support SSPI,
but I don't know of any equivalent of mod_sspi for twisted. The second approach
would be to get mod_proxy to somehow pass the user ID across to the target
service. However, I'm not even clear if this is possible with mod_proxy -
looking at the HTTP spec, I can't see a way of passing an "authenticated user"
successfully.

Can anyone enlighten me? If I can't get a solution like this, I may have to
resort to using FastCGI (which I've never managed to set up successfully) or
mod_python (what I'm using for the moment - but it ties down the Apache and
Python versions I can use a bit too tightly).

Thanks for any suggestions,
Paul.




More information about the Twisted-web mailing list