David Beitey edited this page May 10, 2016 · 1 revision

Bottle is a fast, simple and lightweight WSGI micro web-framework for Python. It is distributed as a single file module and has no dependencies other than the Python Standard Library.

All examples assume that Shibboleth is installed and configured with FastCGI support, that its authorizer and responder are already operating behind suitable nginx location blocks, and that shib_request is available, either as a static module or as a dynamically loaded one.

Hosting with FastCGI (e.g. FlupFCGIServer)

With FastCGI (or other non-HTTP proxy) hosting of our application, attributes reach the application as FastCGI parameters rather than request headers, so we can avoid the need for headers and avoid the possibility of spoofing. Bear in mind this feature requires nginx-http-shibboleth 2.0 or above.

nginx.conf

location / {
    shib_request /shibauthorizer;
    shib_request_set $shib_commonname $upstream_http_variable_commonname;
    shib_request_set $shib_email $upstream_http_variable_email;
    shib_request_set $shib_remote_user $upstream_http_variable_remote_user;
    fastcgi_param COMMONNAME $shib_commonname;
    fastcgi_param EMAIL $shib_email;
    fastcgi_param REMOTE_USER $shib_remote_user;
    fastcgi_pass localhost:9999;
}

my_app.py

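from html import escape

from bottle import route, run, request, response

@route('/')
def home():
    response.content_type = 'text/html'
    # nginx passes the attributes as FastCGI params, which appear in the WSGI environ
    if request.environ.get('REMOTE_USER'):
        response.status = 200
        # Escape attribute values before placing them in HTML
        return 'Successful auth as %s &lt;%s&gt;' % (
            escape(request.environ.get('COMMONNAME', '')),
            escape(request.environ.get('EMAIL', '')))
    else:
        response.status = 403
        return 'Failed auth, no REMOTE_USER provided'

# Serve over FastCGI (requires flup) on the address used by fastcgi_pass
run(server='flup', host='localhost', port=9999)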

Hosting with standard Bottle HTTP server

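It's also possible to use Bottle's default HTTP server and authenticate based on request headers. Keep in mind that you need to avoid spoofing: a client can send headers with the same names, so nginx must clear them from the incoming request, hence the extra nginx configuration (more_clear_input_headers, from the headers-more module).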

nginx.conf

location / {
    shib_request /shibauthorizer;
    shib_request_use_headers on;
    more_clear_input_headers
        Shib-Application-Id
        Shib-Authentication-Instant
        Shib-Authentication-Method
        Shib-Authncontext-Class
        Shib-Identity-Provider
        Shib-Session-Id
        Shib-Session-Index
        Remote-User
        persistent-id
        Transient-Name
        Auth-Type
        commonName
        email; # plus ALL other attributes you use/receive from Shibboleth
    proxy_pass http://localhost:8080;  # Bottle's default server speaks HTTP, not FastCGI
}

my_app.py

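from html import escape

from bottle import route, run, request, response

@route('/')
def home():
    response.content_type = 'text/html'
    # Attributes arrive as request headers; nginx must have cleared any client copies
    if request.headers.get('REMOTE_USER'):
        response.status = 200
        # Escape attribute values before placing them in HTML
        return 'Successful auth as %s &lt;%s&gt;' % (
            escape(request.headers.get('COMMONNAME', '')),
            escape(request.headers.get('EMAIL', '')))
    else:
        response.status = 403
        return 'Failed auth, no REMOTE_USER provided'

# Bottle's default HTTP server, listening only on the address nginx proxies to
run(host='localhost', port=8080)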
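
The header-based setup is only safe while every header the application reads is also listed in more_clear_input_headers. The following check is an added example, not part of the original page or the nginx-http-shibboleth project: it compares the two lists after normalising names the way WSGI does. The function names, the trimmed sample config and the `affiliation` attribute are assumptions made for illustration.

```python
import re

# Constructed sample: a trimmed copy of the header-based location block.
SAMPLE_CONF = """
location / {
    shib_request /shibauthorizer;
    shib_request_use_headers on;
    more_clear_input_headers
        Shib-Session-Id
        Remote-User
        commonName
        email; # plus ALL other attributes you use/receive from Shibboleth
}
"""

def wsgi_key(name):
    """Normalise a header name the way WSGI servers do, so that
    Remote-User, remote-user and REMOTE_USER compare equal."""
    return name.strip("'\"").replace("-", "_").upper()

def cleared_headers(conf):
    """Collect the names listed in every more_clear_input_headers directive
    (plain name lists only; options and wildcards are not interpreted)."""
    conf = re.sub(r"#[^\n]*", "", conf)  # strip nginx comments
    cleared = set()
    for args in re.findall(r"\bmore_clear_input_headers\s+([^;]*);", conf):
        cleared.update(wsgi_key(arg) for arg in args.split())
    return cleared

def spoofable(conf, headers_read_by_app):
    """Return headers the app trusts that nginx does not clear, i.e. values
    a client could supply itself."""
    cleared = cleared_headers(conf)
    return sorted(h for h in headers_read_by_app if wsgi_key(h) not in cleared)

if __name__ == "__main__":
    # 'affiliation' is a hypothetical extra attribute the app starts reading.
    app_reads = ["REMOTE_USER", "COMMONNAME", "EMAIL", "affiliation"]
    for header in spoofable(SAMPLE_CONF, app_reads):
        print("not cleared by nginx, client-controllable:", header)
```

Running it against the real nginx.conf whenever the application starts reading a new attribute catches a clear list that has fallen behind the code.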