A Host header is required by HTTP 1.1 and everything in pyramid (and most WSGI apps) is built to be relative to this header. You will need to come up with a solution to set this header such as setting it yourself in middleware or a tween. Anything really. But this is out of scope for us to fix in the AuthTktAuthenticationPolicy.
On Sat, Feb 20, 2016 at 3:34 AM, Jens W. Klein <[email protected]> wrote:

> On 2016-02-19 19:32, Bert JW Regeer wrote:
> > AuthTktAuthenticationPolicy by default pulls the domain out of the
> > WSGI environment using WebOb. If you leave the domain setting blank, it
> > should do the right thing, so long as your WSGI server correctly sets up
> > the HTTP_HOST environment variable.
>
> Thanks for the hint, unfortunately the header this company reverse proxy
> sets is different and there is no HTTP_HOST set. And since it's a bigger
> company it's outside of the project's scope to change this *shrug*.
>
> Making the header used configurable would help...
>
> best Jens
>
> > Bert
> >
> >> On Feb 19, 2016, at 07:18, Jens W. Klein <[email protected]> wrote:
> >>
> >> I fear did get all the details of authtkt in pyramid.authentication.
> >>
> >> I have a Pyramid based service authenticating users against LDAP in
> >> order to grant them access to a webservice.
> >>
> >> Until now the service was only for one domain valid. There is a reverse
> >> proxy in front and I may fetch the domain from the "X-Forwarded-For"
> >> header.
> >>
> >> But since domain is set usually on service startup/configuration time I
> >> hard coded the domain name in the ini-file and set it like so::
> >>
> >>     authn_policy = AuthTktAuthenticationPolicy(
> >>         secret=settings.get('auth.secret'),
> >>         cookie_name=settings.get('auth.cookie_name'),
> >>         hashalg=settings.get('auth.hashalg'),
> >>         callback=groupfinder,
> >>         domain=settings.get('auth.cookie.domain'),
> >>     )
> >>     config.set_authentication_policy(authn_policy)
> >>
> >> From now on I need to have the domain dynamic based on the header
> >> mentioned above (cookie has to be valid mutually exclusive for: 'foo.de'
> >> or 'bar.de').
> >>
> >> Looking at pyramid.authentication and AuthTKTHelper I did not find an
> >> easy way to plug in a callable or something dynamic to get the domain
> >> for the cookie.
> >>
> >> What I did - and what works fine - is to patch the domain attribute on
> >> AuthTKTHelper like so::
> >>
> >>     from pyramid.authentication import AuthTktCookieHelper
> >>     from pyramid.threadlocal import get_current_request
> >>
> >>     def _domain_getter(self):
> >>         req = get_current_request()
> >>         return req.headers.get('X-Forwarded-Server', 'localhost')
> >>
> >>     def _domain_setter(self, value):
> >>         pass
> >>
> >>     _domain_patch = property(fget=_domain_getter, fset=_domain_setter)
> >>
> >>     # patch pyramid.authentication.AuthTktCookieHelper
> >>     AuthTktCookieHelper.domain = _domain_patch
> >>
> >> But in my opinion this is far from elegant or pluggable. Did I miss
> >> something? Is there a better method to achieve the same goal?
> >>
> >> regards Jens
> >> --
> >> Klein & Partner KG, member of BlueDynamics Alliance
>
> --
> Klein & Partner KG, member of BlueDynamics Alliance

--
You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/group/pylons-discuss.
For more options, visit https://groups.google.com/d/optout.
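
The "set it yourself in middleware" suggestion at the top of this thread, sketched as an added example; it is not code from any participant or from Pyramid. It assumes the reverse proxy always overwrites `X-Forwarded-Server` and that `foo.de` and `bar.de` are the only valid hosts; `ProxyHostMiddleware`, `demo_app` and `call` are hypothetical names.

```python
# Added example (not from the thread): WSGI middleware that fills in HTTP_HOST.
# Assumed: the reverse proxy always overwrites X-Forwarded-Server, and the
# only valid cookie domains are the two named in the thread.
ALLOWED_HOSTS = frozenset({"foo.de", "bar.de"})


class ProxyHostMiddleware:  # hypothetical name
    """Set HTTP_HOST from a reverse-proxy header, failing closed on unknowns."""

    def __init__(self, app, header="X-Forwarded-Server", allowed=ALLOWED_HOSTS):
        self.app = app
        # WSGI exposes request headers as HTTP_<UPPER_SNAKE> environ keys.
        self.environ_key = "HTTP_" + header.upper().replace("-", "_")
        self.allowed = frozenset(h.lower() for h in allowed)

    def resolve_host(self, environ):
        """Return the allowlisted host, or None if missing or unrecognised."""
        host = environ.get(self.environ_key, "").strip().lower()
        # Exact match only: list-valued headers are rejected.
        return host if host in self.allowed else None

    def __call__(self, environ, start_response):
        host = self.resolve_host(environ)
        if host is None:
            # An unvalidated header must never become the cookie domain.
            body = b"Bad Request: unrecognised host\n"
            start_response("400 Bad Request", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        environ["HTTP_HOST"] = host
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Constructed stand-in for the Pyramid app: echoes the host it sees."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ["HTTP_HOST"].encode()]


def call(app, environ):
    """Drive a WSGI app once with a constructed environ; return (status, body)."""
    seen = {}
    body = b"".join(app(dict(environ), lambda s, h: seen.update(status=s)))
    return seen["status"], body
```

In a Pyramid deployment the wrapper would go around the result of `config.make_wsgi_app()`, with `domain` left unset on the policy as suggested earlier in the thread.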
