If Apache is used to perform authentication, the Authorization header still gets
passed through to mod_python.publisher. Unfortunately, mod_python.publisher
authentication code in process_auth() will attempt to decode the contents of the
Authorization header even if there are no _auth_ or _access_ hooks defined
for authentication and access control within the published code itself.
The consequence of this is that if Digest authentication is used for AuthType
at level of Apache authentication, the process_auth() code will raise a bad request
error as it assumes Authorization header is always in format for Basic authentication
type and when it can't decode it, it raises an error.
What should happen is that any decoding of Authorization should only be done
if there is a _auth_ or _access_ hook that actually requires it. That way, if some
one uses Digest authentication at Apache configuration file level, provided that no
_auth_ or _access_ hooks are provided, there wouldn't be a problem.
for additional information.