trac.web.auth – Trac Authentication

This module deals with web request authentication, and provides the default implementation for the IAuthenticator interface.

Component

class trac.web.auth.LoginModule

Bases: trac.core.Component

User authentication manager.

This component implements user authentication based on HTTP authentication provided by the web-server, combined with cookies for communicating the login information across the whole site.

This mechanism expects that the web-server is set up so that a request to the path ‘/login’ requires authentication (such as Basic or Digest). The login name is then stored in the database and associated with a unique key that gets passed back to the user agent using the ‘trac_auth’ cookie. This cookie is used to identify the user in subsequent requests to non-protected resources.

Auth cookie domain attribute.

The auth cookie can be shared among multiple subdomains by setting the value to the domain. (since 1.2)

Lifetime of the authentication cookie, in seconds.

This value determines how long the browser will cache authentication information, and therefore after how much inactivity a user will have to log in again. A value of 0 makes the cookie expire at the end of the browsing session.

Path for the authentication cookie. Set this to the common base path of several Trac instances if you want them to share the cookie.

check_ip

Whether the IP address of the user should be checked for authentication.

ignore_case

Whether login names should be converted to lower case.

Support Classes

A few classes are provided for directly computing the REMOTE_USER information from the HTTP headers for Basic or Digest authentication. This will be used by the AuthenticationMiddleware.

class trac.web.auth.BasicAuthentication(htpasswd, realm)

Bases: trac.web.auth.PasswordFileAuthentication

class trac.web.auth.DigestAuthentication(htdigest, realm)

Bases: trac.web.auth.PasswordFileAuthentication

A simple HTTP digest authentication implementation (RFC 2617).

load(filename)

Load account information from Apache-style htdigest files; only users from the specified realm are used.

send_auth_request(environ, start_response, stale='false')

Send a digest challenge to the browser. Record used nonces to avoid replay attacks.
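
The realm filtering done by load() and the nonce bookkeeping described for send_auth_request() can be illustrated with a small stand-alone sketch. This is an added example, not Trac's own code: `load_htdigest`, `DigestVerifier`, `client_auth` and the sample credentials are hypothetical names and constructed data, and the single-use nonce policy is an assumption chosen to show why a replayed header is rejected.

```python
import hashlib
import hmac
import secrets

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def load_htdigest(lines, realm):
    """Parse 'user:realm:HA1' lines, keeping only users of `realm`."""
    users = {}
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) == 3 and parts[1] == realm:
            users[parts[0]] = parts[2]
    return users

class DigestVerifier:
    """Hypothetical verifier: each issued nonce authenticates one request."""
    def __init__(self, users):
        self.users = users
        self.active_nonces = set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.active_nonces.add(nonce)
        return nonce

    def verify(self, method, auth):
        """Return 'ok', 'stale' (unknown or already used nonce) or 'denied'."""
        if auth["nonce"] not in self.active_nonces:
            return "stale"  # a server would re-challenge with stale=true
        ha1 = self.users.get(auth["username"])
        if ha1 is None:
            return "denied"
        ha2 = md5_hex(f"{method}:{auth['uri']}")
        expected = md5_hex(":".join(
            [ha1, auth["nonce"], auth["nc"], auth["cnonce"], auth["qop"], ha2]))
        if not hmac.compare_digest(expected.encode(), auth["response"].encode()):
            return "denied"
        self.active_nonces.discard(auth["nonce"])  # consume the nonce
        return "ok"

# Constructed sample data: two realms in one htdigest-style file.
SAMPLE = ["alice:trac:" + md5_hex("alice:trac:s3cret"),
          "bob:other:" + md5_hex("bob:other:hunter2")]

def client_auth(user, realm, password, nonce, method="GET", uri="/login"):
    """What a browser would send back for a given challenge nonce."""
    ha1, ha2 = md5_hex(f"{user}:{realm}:{password}"), md5_hex(f"{method}:{uri}")
    fields = {"username": user, "uri": uri, "nonce": nonce,
              "nc": "00000001", "cnonce": "abcdef", "qop": "auth"}
    fields["response"] = md5_hex(f"{ha1}:{nonce}:00000001:abcdef:auth:{ha2}")
    return fields
```

A captured Authorization header that is sent a second time returns 'stale' because its nonce has already been consumed, while a failed attempt leaves the nonce active for a correct retry.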