6

I need to use apache basic authentication for part of my application. I would like to get the authenticated username from apache, but I cannot seem to find where to access it. I can see the username in the apache log, so I know it's there somewhere. After the user is authenticated by apache, the request is sent via proxy to a cherrypy server.

Here is the section of my apache vhost config:

    <Location /ical>
        AuthType Basic
        AuthBasicProvider ldap
        AuthName "Example Calendar Login"
        AuthLDAPUrl "ldaps://ldap.example.net/ou=People,dc=example,dc=net?uid"
        Require valid-user
        ProxyPass http://localhost:8082/
        ProxyPassReverse http://localhost:8082/
        SetEnv proxy-nokeepalive 1
    </Location>

The user authentication and proxy bit is working just fine. Once the request is authenticated and sent to cherrypy, here are the headers I have in cherrypy:

    (Pdb) pp cherrypy.request.headers
    {'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
     'Accept-Charset': 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
     'Accept-Encoding': 'gzip,deflate',
     'Accept-Language': 'en-us,en;q=0.5',
     'Authorization': 'Basic xxxxxxxxxxx',
     'Connection': 'close',
     'Host': 'sub.example.net',
     'If-None-Match': 'e5b0879ce68fcce5b960ce4281c8d706',
     'Remote-Addr': '10.132.32.86',
     'User-Agent': 'Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.10) Gecko/20100915 Ubuntu/10.04 (lucid) Firefox/3.6.10',
     'X-Forwarded-For': 'xx.xx.xx.xx, xx.xx.xx.xx',
     'X-Forwarded-Host': 'sub.example.net, sub.example.net',
     'X-Forwarded-Server': 'sub.example.net, sub'}

Can anyone help me access the username from apache basic auth?

2 Answers

7

I have added a header to pass the authenticated user based on apache.

    RewriteEngine On
    RewriteCond %{REMOTE_USER} ^(.*)$
    RewriteRule ^(.*)$ - [E=R_U:%1]
    RequestHeader set X-Remote-User %{R_U}e
2
  • 1
    thanks! This actually works. mod_headers needs to be enabled for anyone getting an error when trying this. Commented Jul 10, 2018 at 8:30
  • You can and should replace RewriteRule ^(.*)$ - [E=R_U:%1] with RewriteRule ^ - [E=R_U:%1]. This ^(.*)$ means that apache will have to scan and store the entire request URI (available in $1), but you don't use it. So by replacing with ^ you are saying "do this to every request which has a "start-of-line" - which is everything - and will be way faster. ymmv Commented Dec 12, 2020 at 9:42
6

Your cherrypy application is receiving the Basic Auth information, since we see this in the headers:

'Authorization': 'Basic xxxxxxxxxxxxxxxxxxxxxx==', 

You just need to:

  1. decode the Base64 string 'xxxxxxxxxxxxxxxxxxxxxx==', and
  2. extract the username from the decoded username:password string.

Since this isn't stackoverflow ;) , I won't bother giving an exact python implementation of the above, but it should get you started. The Wikipedia entry on Basic access authentication is quite informative and contains code snippets in various languages.

(Just a security note about this question: If you used a real username/password in generating the headers included in your question, be aware that you have revealed it to the world in the text of the 'Authorization' header above, since anyone who wants to can trivially decode it!)

Edit: I have 'x'-ed out the Authorization string.

3
  • Ah crap. Thanks, I'll be changing my password now ;) Commented Oct 21, 2010 at 18:33
  • Good idea. I have 'x'-ed the string in my answer as well, but the horse may have already left the barn! Commented Oct 21, 2010 at 18:47
  • Thanks. In Ruby I managed to decode this way: username = Base64.decode64(@env['HTTP_AUTHORIZATION'].sub('Basic ','')).split(':')[0] Commented Jun 11, 2017 at 20:48
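
An added example, not part of either answer above: the two steps from the second answer (Base64-decode the credentials, then split off the username) in Python, since the backend here is CherryPy. The function name `basic_auth_username` and the sample headers are constructed for illustration; the function only parses the header and does not check the password, which Apache has already done before proxying.

```python
import base64
import binascii


def basic_auth_username(header_value):
    """Return the user-id from an HTTP Basic Authorization header, or None.

    Parsing only: the password is not verified here. In the setup on this
    page Apache has already authenticated the request against LDAP.
    """
    if not header_value:
        return None
    # "Basic <token>"; the scheme name is case-insensitive.
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        # validate=True rejects characters outside the Base64 alphabet
        # instead of silently discarding them.
        raw = base64.b64decode(parts[1].strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError:
        decoded = raw.decode("latin-1")  # older clients send ISO-8859-1
    # Split on the FIRST colon only: the password may itself contain colons.
    username, sep, _password = decoded.partition(":")
    if not sep or not username:
        return None
    return username


def make_header(user, password):
    """Build a constructed sample header for the demonstration below."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


if __name__ == "__main__":
    samples = [
        make_header("alice", "pa:ss:word"),  # constructed credentials
        "Bearer abc.def.ghi",                # different scheme
        "Basic !!!not-base64!!!",            # malformed token
    ]
    for value in samples:
        print(repr(value), "->", basic_auth_username(value))
```

In a CherryPy handler the input would be `cherrypy.request.headers.get('Authorization')`.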
