Ticket #10809: modwsgi_auth_handler.3.diff

django/contrib/auth/handlers/modwsgi.py

@@ +1 @@
+from django.contrib.auth.models import User
+from django import db
+
+def check_password(environ, username, password):
+    """
+    Authenticates against Django's auth database
+    """
+
+    db.reset_queries() 
+
+    try: 
+        # verify the user exists
+        try: 
+            user = User.objects.get(username=username, is_active=True) 
+        except User.DoesNotExist: 
+            return None
+
+        # verify the password for the given user
+        if user.check_password(password): 
+            return True
+        else: 
+            return False
+    finally: 
+        db.close_connection()
+
+def groups_for_user(environ, username): 
+    """
+    Authorizes a user based on groups
+    """
+
+    db.reset_queries() 
+
+    try:
+        try:  
+            user = User.objects.get(username=username, is_active=True)
+        except User.DoesNotExist:  
+            return []
+
+        return [group.name.encode('utf-8') for group in user.groups.all()]
+    finally:
+        db.close_connection()

docs/howto/apache-auth.txt

@@ -19 +19 @@
 .. _Subversion: http://subversion.tigris.org/
 .. _mod_dav: http://httpd.apache.org/docs/2.0/mod/mod_dav.html
 
-Configuring Apache
-==================
+Authentication with mod_wsgi
+============================
 
-To check against Django's authorization database from a Apache configuration
-file, you'll need to use mod_python's ``PythonAuthenHandler`` directive along
+Make sure that mod_wsgi is installed and activated and that you have
+followed the steps to 
+:ref:`use Django with Apache and mod_wsgi <howto-deployment-modwsgi>`.
+
+Next, edit your Apache configuration to add a path that you want
+only authenticated users to be able to view: 
+
+.. code-block:: apache
+
+    WSGIScriptAlias / /path/to/mysite/config/mysite.wsgi
+    
+    WSGIProcessGroup %{GLOBAL}
+    WSGIApplicationGroup django
+    
+    <Location "/secret">
+        AuthType Basic
+        AuthName "Top Secret"
+        Require valid-user
+        AuthBasicProvider wsgi
+        WSGIAuthUserScript /path/to/mysite/config/mysite.wsgi
+    </Location>
+
+The ``WSGIAuthUserScript`` directive tells mod_wsgi to execute the 
+``check_password`` function in that script passing the user name and
+password that it receives from the prompt. In this example,
+the ``WSGIAuthUserScript`` is the same as the ``WSGIScriptAlias`` that
+defines your application. 
+
+.. admonition:: Using Apache 2.2 with authentication
+
+    Make sure that ``mod_auth_basic`` and ``mod_authz_user`` are loaded.
+
+    These might be compiled statically into Apache, or you might need to use 
+    LoadModule to load them dynamically in your ``httpd.conf``:
+
+    .. code-block:: apache
+        
+        LoadModule auth_basic_module modules/mod_auth_basic.so
+        LoadModule authz_user_module modules/mod_authz_user.so
+
+Finally, edit your WSGI auth script ``mysite.wsgi`` to tie Apache's  
+authentication to yoursite's users:
+
+.. code-block:: python
+    
+    import os
+    import sys
+    
+    os.environ['DJANGO_SETTINGS_MODULE'] = 'mysite.settings'
+
+    from django.contrib.auth.handlers.modwsgi import check_user
+    
+    from django.core.handlers.wsgi import WSGIHandler
+    application = WSGIHandler()
+
+
+Requests beginning with ``/secret/`` will now require a user to authenticate.
+
+The mod_wsgi `access control mechanisms documentation`_ provides additional
+details and information about alternative methods of authentication.
+
+.. _access control mechanisms documentation: http://code.google.com/p/modwsgi/wiki/AccessControlMechanisms
+
+Authorization with mod_wsgi and Django groups
+---------------------------------------------
+
+In addition, mod_wsgi also provides functionality to restrict a particular 
+location to members of a group.
+
+In this case, the Apache configuration should look like this:
+
+.. code-block:: apache
+
+    WSGIScriptAlias / /path/to/mysite/config/mysite.wsgi
+    
+    WSGIProcessGroup %{GLOBAL}
+    WSGIApplicationGroup django
+    
+    <Location "/secret">
+        AuthType Basic
+        AuthName "Top Secret"
+        AuthBasicProvider wsgi
+        WSGIAuthUserScript /path/to/mysite/config/mysite.wsgi
+        WSGIAuthGroupScript /path/to/mysite/config/mysite.wsgi
+        Require group secret-agents
+        Require valid-user
+    </Location>
+    
+Because of the ``WSGIAuthGroupScript`` directive, the same WSGI auth script 
+``mysite.wsgi`` must also import the method ``groups_for_user`` which
+returns a list of the user's groups.
+
+.. code-block:: python
+    
+    from django.contrib.auth.handlers.modwsgi import check_user, groups_for_user
+    
+Requests for ``/secret/`` will now also require a user to a member of the
+"secret-agents" group.
+
+Authentication with mod_python
+==============================
+
+To check against Django's authorization database from mod_python, 
+you'll need to use mod_python's ``PythonAuthenHandler`` directive along
 with the standard ``Auth*`` and ``Require`` directives:
 
 .. code-block:: apache
@@ -84 +186 @@
             PythonAuthenHandler django.contrib.auth.handlers.modpython
         </Location>
 
-By default, the authentication handler will limit access to the ``/example/``
-location to users marked as staff members.  You can use a set of
+By default, the mod_python authentication handler will limit access to the 
+``/example/`` location to users marked as staff members.  You can use a set of
 ``PythonOption`` directives to modify this behavior:
 
     ================================  =========================================