Contents
Force HTTP authentication from within Trac
Description
Allows you to protect certain paths with HTTP authentication. The AccountManagerPlugin is used to check passwords.
Primarily this is meant to be used with the XmlRpcPlugin so it will work while using AccountManager's form-based logins.
Bugs/Feature Requests
Existing bugs and feature requests for HttpAuthPlugin are here.
If you have any issues, create a new ticket.
Download
Download the zipped source from here.
Source
You can check out HttpAuthPlugin from here using Subversion, or browse the source with Trac. The version in 0.10 is also working with 0.11.2.1 release, at least with mod_python.
Example
To enable:
[components] httpauth.* = enabled
To add additional paths:
[httpauth] paths = /xmlrpc, /login/xmlrpc
To add additional formats, like rss use this:
[httpauth] formats = rss
Troubleshooting
Authentication issues while using Trac with mod_wsgi
Symptom
HTTP authentication just does not want to work. The Authorization header is passed with the HTTP request, but it seems to be lost on the way.
If you set the loglevel to INFO, then you will get this entry in your trac.log:
Trac[filter] INFO: HTTPAuthFilter: No/bad authentication data given, returing 403
It is already in Ticket #1169. I've quoted it here, since the solution is hard to find otherwise.
Cause
If you're using mod_wsgi, authorization information is stripped before passing to the WSGI application.
Solution
Turn WSGIPassAuthorization On in your Apache configuration for it to work.
See also ConfigurationDirectives
Recent Changes
[12394] by jun66j5 on 11/29/12 18:26:08
Fixed broken communication between client on tracd using HTTP/1.1 if sending 401 Unauthorized. Sends Connection: close header in this case.
Closes #8558.
[6675] by pacopablo on 10/11/09 05:07:19
Set Content-Length header. Needed for API change in 0.12. See http://trac.edgewall.org/wiki/TracDev/ApiChanges/0.12?version=8#tracdandHTTP1.1
While not strictly necessary for anything prior to trunk, the change is still worth while.
[6674] by pacopablo on 10/11/09 04:00:36
Set the REMOTE_USER. Not strictly necessary, but should be done. Helps in cases with multiple LoginModule? objects being used elsewhere
[3416] by coderanger on 03/25/08 07:39:08
Change my email to avoid Yahoo, which decided to brake my scraper script recently.
Author/Contributors
Author: coderanger
Author: none
Contributors: