Ian Bicking: the old part of his blog

Apache the Application Server

At work I've been developing a static publishing CMS. This has worked well, but it's made me think differently about application development. Previously I'd deal with any issues inside the specific programming environment I was using, separate from Apache. These environments (Webware, Zope, PHP) are controllable and relatively well partitioned, and I generally have a lot of control. But these environments don't interact that well when they come together to make one site. One piece is in Zope, another as a Perl CGI script, another as PHP, and now the addition of static content from the CMS.

One solution is a homogeneous environment, e.g., use Zope for absolutely everything. But that's really not realistic, there's a lot of useful tools that aren't in Zope (or PHP, or Perl, or...) and converting every application isn't worth it. The one thing they all have in common is Apache, and I'm hoping to use that.

The first thing I've been experimenting with is authentication. Apache doesn't do authentication very well. It mostly expects HTTP authentication. HTTP authentication sucks. A lot. You can't provide any UI -- the login popup can't have messages or links, and expecting the user to cancel and then notice links on the error page is optimistic. There's no logout. A page either has to require login, or else no login is allowed -- you can't get user information unless you reject anonymous users. You can't do cross-site logins, even if you try really really hard (it's not easy with cookies, but at least it's possible). HTTP authentication just sucks. And since it is orthogonal to everything else, there's absolutely no way to fix it, it's all up to the browsers and the browsers aren't even bothering to try.

My first experiment has been to use mod_python to allow cookie authentication. Mostly this has meant trying lots of things that don't work in order to find one that does. I'll write more about that later, but in the end I was able to get it to work. Rather than centralizing authentication, I think it will be easier to simply use a signed cookie to indicate that authentication has occurred. This way Apache doesn't have to know about every authentication backend I might want to use.

The second feature I'm looking forward to is Apache 2's filters. Particularly for templating, probably using mod_include (server-side includes). Any resource (static files, CGI scripts, etc.) can output SSI tags and they will be interpreted. This should make a site look much easier to implement, and will remove one of the biggest barriers to a heterogeneous site. It also makes it possible to compose a page from heterogeneous sources, as SSIs can in turn include any local URL.

Created 12 Aug '04
Modified 14 Dec '04


Hi, Ian!

I built a CMS using mod_python a couple of years ago. It's currently hosting two sites: phoenixchildrenshospital.com and turntableband.com.

I ended up taking the lazy road and using Basic Auth, but I have pretty much the same opinion as you. It sucks. It's horribly limited, and implementing "logout" is arguably impossible (Zope seems to pull it off, sorta, kinda).

So, you've got some setup to do before mod_python is ready for a CMS, mainly session managemet, authentication, templating, and database interfaces, but once you get past that, mod_python is a total joy to program in. So simple! It does exactly what it's supposed to do; no more, no less.

I especially love the "publisher" module, since it lets me completely close the gap between URLs and function calls.

I haven't tried Webware, but I've heard great things about it. I was initially very impressed with Zope, but my main beef with it is that it tries to appease content editors and programmers through the same interface, and as a result, feels very crippled. Am I supposed to write my code in Zope, or on the file system? If I write inside of Zope, I have to expose system functionality through external methods or products, and it's so constrained and filtered that I barely feel like I'm using Python anymore. mod_python let me just write Python, with the added convenience that I can make a page just as easily as I can make a function.

Good luck with your project.
# Dave Benjamin

We are working on static publishing CMS too, and it's successfully used for many projects, here is a short list of them I've participated in. Are you interested in expiriense exchange?
# Denis S. Otkidach