[Moin-user] Removal of ability to use GivenAuth, formerly HTTPAuth, via passed Authorization header

Thomas Waldmann tw-public at gmx.de
Tue Nov 3 03:55:24 EST 2009

Hi Max,

> I have just discovered that Moin 1.9 drops the ability to pass an
> authenticated identity to the Moin standalone server using an HTTP Basic
> auth Authorization header.

The mixed stuff that used to be in HTTPAuth in 1.8 was separated into 2

GivenAuth (web server does auth somehow [can be via http basic auth, but
also could be something completely different] and gives it to moin (e.g.
via REMOTE_USER env var).

HTTPAuthMoin (moin evaluates Authorization header of http basic auth and
creates authenticated user from that, or requests auth if that doesn't

> An example whole-system scenario where this is useful is a front-end
> Apache performing HTTP Basic auth, and proxying the resultant request to
> a standalone-server Moin running bound to the localhost IP address only.

Ah, interesting. That is a scenario where the GivenAuth class does not
work because the environment variable is not there. Thus you need
HTTPAuthMoin, maybe with a small modification.

> Please could this feature be reinstated?

Please try if MoinMoin.auth.http.HTTPAuthMoin works for you (as is).

If it doesn't, please try this modification of MoinMoin/auth/http.py:

Original line:
u = user.User(..., name=...)

Modified line:
u = user.User(..., auth_username=...)

That might be needed for your usecase because your moin profiles do not
have the http basic auth password.

Please let me know about your results.



More information about the Moin-user mailing list