Allow pre-auth through REMOTE_USER header

Pre-auth looks at the REMOTE_USER header and if it is set, Scriptform
performs no validation of the password and just assumes the username is
correct. This allows pre-authentication from a front-end such as Apache
for HTAUTH, LDAP, OpenID / SSO, etc.
pull/7/head
Ferry Boender 8 years ago
parent cb3abe7213
commit c00d308fef
  1. 7
      README.md
  2. 25
      doc/MANUAL.md
  3. 12
      src/webapp.py

@ -218,15 +218,16 @@ them in the local directory.
To run ScriptForm in the foreground, specify the `-f` option.
If you're going to use basic authentication, you can generate a password for
your user with the `--generate-pw` option:
If you're going to use built-in basic authentication, you can generate a
password for your user with the `--generate-pw` option:
$ scriptform --generate-pw
Password:
Repeat password:
2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae
You can paste the generated password into the password field. For more
You can paste the generated password into the password field. You can also use
an Apache (or other webserver) frontend for authentication. For more
information, see the User Manual.
## Documentation

@ -51,6 +51,7 @@ This is the manual for version %%VERSION%%.
- [Passwords](#users_passwords)
- [Form limiting](#users_formlimit)
- [Security considerations](#users_security)
- [Pre-authentication with Apache](#users_preauth)
1. [Form customization](#cust)
- [Custom CSS](#cust_css)
1. [Security](#security)
@ -1221,7 +1222,31 @@ For an example, see the [beginning of this chapter](#users).
*does* support HTTPS, such as Apache. For more information on that, see the
"Invocations" chapter.
### <a name="users_preauth">Pre-authentication with Apache</a>
If you're running behind Apache or another webserver, you can use
features in Apache to do the authentication for you. This allows you to use
LDAP or OpenID (SSO) authentication.
You must pass the `REMOTE_USER` header (not environment variable!) to
Scriptform to get this working. For example, in Apache:
RequestHeader set REMOTE_USER %{REMOTE_USER}s
Redirect permanent /scriptform /scriptform/
ProxyPass /scriptform/ http://localhost:8081/
ProxyPassReverse /scriptform/ http://localhost:8081/
<Location /scriptform>
AuthType Basic
AuthName "Restricted Files"
AuthBasicProvider file
AuthUserFile "/var/www/users"
Require valid-user
</Location>
If such a header is seen, Scriptform won't perform validation of the password
and just assumes the username is correct.
## <a name="cust">Form customization</a>

@ -181,13 +181,19 @@ class ScriptFormWebApp(RequestHandler):
def auth(self):
"""
Verify that the user is authenticated. This is required if the form
definition contains a 'users' field. Returns the username if the user
is validated or None if no validation is required.. Otherwise, raises a
401 HTTP back to the client.
definition contains a 'users' field (unless pre-auth from a front-end
such as Apache is used). Returns the username if the user is validated
or None if no validation is required. Otherwise, raises a 401 HTTP
back to the client.
"""
form_config = self.scriptform.get_form_config()
username = None
# Allow pre-auth from e.g. Apache htauth
if 'REMOTE_USER' in self.headers:
username = self.headers.get('REMOTE_USER')
return self.headers.get('REMOTE_USER')
# If a 'users' element was present in the form configuration file, the
# user must be authenticated.
if form_config.users:

Loading…
Cancel
Save