On 2016-02-19 19:32, Bert JW Regeer wrote:
> AuthTktAuthenticationPolicy by default pulls the domain out of the WSGI
> environment using WebOb. If you leave the domain setting blank, it should do
> the right thing, so long as your WSGI server correctly sets up the HTTP_HOST
> environment variable.

Thanks for the hint, unfortunately the header this company's reverse proxy sets
is different and there is no HTTP_HOST set. And since it's a bigger company it's
outside of the project's scope to change this *shrug*.

Making the header used configurable would help...

best Jens

> Bert
>
>> On Feb 19, 2016, at 07:18, Jens W. Klein <[email protected]> wrote:
>>
>> I fear did get all the details of authtkt in pyramid.authentication.
>>
>> I have a Pyramid based service authenticating users against LDAP in
>> order to grant them access to a webservice.
>>
>> Until now the service was only for one domain valid. There is a reverse
>> proxy in front and I may fetch the domain from the "X-Forwarded-For"
>> header.
>>
>> But since domain is set usually on service startup/configuration time I
>> hard coded the domain name in the ini-file and set it like so::
>>
>>     authn_policy = AuthTktAuthenticationPolicy(
>>         secret=settings.get('auth.secret'),
>>         cookie_name=settings.get('auth.cookie_name'),
>>         hashalg=settings.get('auth.hashalg'),
>>         callback=groupfinder,
>>         domain=settings.get('auth.cookie.domain'),
>>     )
>>     config.set_authentication_policy(authn_policy)
>>
>>
>> From now on I need to have the domain dynamic based on the header
>> mentioned above (cookie has to be valid mutually exclusive for: 'foo.de'
>> or 'bar.de').
>>
>> Looking at pyramid.authentication and AuthTKTHelper I did not find an
>> easy way to plug in a callable or something dynamic to get the domain
>> for the cookie.
>>
>> What I did - and what works fine - is to patch the domain attribute on
>> AuthTKTHelper like so::
>>
>>     from pyramid.authentication import AuthTktCookieHelper
>>     from pyramid.threadlocal import get_current_request
>>
>>
>>     def _domain_getter(self):
>>         req = get_current_request()
>>         return req.headers.get('X-Forwarded-Server', 'localhost')
>>
>>
>>     def _domain_setter(self, value):
>>         # ignore the value assigned in __init__; the getter decides
>>         pass
>>
>>
>>     _domain_patch = property(fget=_domain_getter, fset=_domain_setter)
>>
>>     # patch pyramid.authentication.AuthTktCookieHelper
>>     AuthTktCookieHelper.domain = _domain_patch
>>
>>
>> But in my opinion this is far from elegant or pluggable. Did I miss
>> something? Is there a better method to achieve the same goal?
>>
>> regards Jens
>> --
>> Klein & Partner KG, member of BlueDynamics Alliance
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "pylons-discuss" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To post to this group, send email to [email protected].
>> Visit this group at https://groups.google.com/group/pylons-discuss.
>> For more options, visit https://groups.google.com/d/optout.
>

--
Klein & Partner KG, member of BlueDynamics Alliance
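
Added example, not part of the thread and not Pyramid's own code: the quoted patch hands the `X-Forwarded-Server` value to the cookie helper as the domain unchecked, while this version resolves it against an allowlist first. The function names, the subdomain-matching rule and the handling of multi-valued headers are assumptions; `foo.de`, `bar.de` and the header name come from the thread.

```python
# Added example: allowlisted lookup of the auth_tkt cookie domain.
ALLOWED_DOMAINS = frozenset({"foo.de", "bar.de"})  # domains named in the thread
PROXY_HEADER = "X-Forwarded-Server"  # header read by the thread's patch


def _valid_label(label):
    """True for an ASCII letters/digits/hyphen DNS label of 1-63 characters."""
    return (
        0 < len(label) <= 63
        and label.isascii()
        and label.replace("-", "").isalnum()
        and not label.startswith("-")
        and not label.endswith("-")
    )


def normalize_host(raw):
    """Return a lowercase hostname without port, or None if unusable."""
    if not raw or "," in raw:
        # Missing, or several values appended: do not guess which one to trust.
        return None
    host = raw.strip().lower()
    if host.startswith("["):  # IPv6 literal, never a cookie domain
        return None
    host = host.split(":", 1)[0].rstrip(".")  # drop optional :port and root dot
    if not host or not all(_valid_label(part) for part in host.split(".")):
        return None
    return host


def resolve_cookie_domain(headers, allowed=ALLOWED_DOMAINS, header=PROXY_HEADER):
    """Return the allowlisted domain this request belongs to, else None.

    Assumption: a host counts as belonging to a domain when it equals that
    domain or is a subdomain of it. On None the caller decides whether to
    fall back to a configured default or refuse to issue the cookie.
    """
    host = normalize_host(headers.get(header))
    if host is None:
        return None
    for domain in allowed:
        if host == domain or host.endswith("." + domain):
            return domain
    return None
```

Inside a getter like the thread's `_domain_getter`, the return value would be `resolve_cookie_domain(req.headers)` in place of the raw header lookup.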
