-
Notifications
You must be signed in to change notification settings - Fork 28
Bottle
Bottle is a fast, simple and lightweight WSGI micro web-framework for Python. It is distributed as a single file module and has no dependencies other than the Python Standard Library.
All examples assume you have installed and configured Shibboleth with FastCGI support and have the authorizer and responder operating already with suitable nginx location blocks and have shib_request
available as a static module or dynamic load.
With FastCGI (or other non-HTTP proxy) hosting of our application , we can avoid the need for headers and avoid the possibility of spoofing. Bear in mind this feature requires nginx-http-shibboleth 2.0 or above.
location / {
shib_request /shibauthorizer;
shib_request_set $shib_commonname $upstream_http_variable_commonname;
shib_request_set $shib_email $upstream_http_variable_email;
shib_request_set $shib_remote_user $upstream_http_variable_remote_user;
fastcgi_param COMMONNAME $shib_commonname;
fastcgi_param EMAIL $shib_email;
fastcgi_param REMOTE_USER $shib_remote_user;
fastcgi_pass localhost:9999;
}
from bottle import route, run, request, response
@route('/')
def home():
response.content_type = 'text/html'
if request.environ.get('REMOTE_USER'):
response.status = 200
return 'Successful auth as %s <%s>' % \
(request.environ.get('COMMONNAME'), request.environ.get('EMAIL'))
else:
response.status = 403
return 'Failed auth, no REMOTE_USER provided'
It's also possible to simply use Bottle's default HTTP server and simply authenticate based on headers. Keep in mind that you need to avoid spoofing, hence the extra nginx configuration.
location / {
shib_request /shibauthorizer;
shib_request_use_headers on;
more_clear_input_headers
Shib-Application-Id
Shib-Authentication-Instant
Shib-Authentication-Method
Shib-Authncontext-Class
Shib-Identity-Provider
Shib-Session-Id
Shib-Session-Index
Remote-User
persistent-id
Transient-Name
Auth-Type
commonName
email; # plus ALL other attributes you use/receive from Shibboleth
fastcgi_pass localhost:8080;
}
from bottle import route, run, request, response
@route('/')
def home():
response.content_type = 'text/html'
if request.headers.get('REMOTE_USER'):
response.status = 200
return 'Successful auth as %s <%s>' % \
(request.headers.get('COMMONNAME'), request.headers.get('EMAIL'))
else:
response.status = 403
return 'Failed auth, no REMOTE_USER provided'