diff --git a/django/contrib/auth/backends.py b/django/contrib/auth/backends.py
index bba883b..b07031d 100644
--- a/django/contrib/auth/backends.py
+++ b/django/contrib/auth/backends.py
@@ -78,3 +78,52 @@ class ModelBackend(object):
             return User.objects.get(pk=user_id)
         except User.DoesNotExist:
             return None
+
+class RemoteUserAuthBackend:
+
+    def authenticate(self, username, password=None):
+        """
+        Authenticate user - RemoteUserAuth middleware passes REMOTE_USER
+        as username.
+        """
+        if password is not None:
+            return None
+        user = None
+        if username:
+            username = self.parse_user(username)
+            try:
+                user = User.objects.get(username=username)
+            except User.DoesNotExist:
+                user = self.unknown_user(username)
+                user = self.configure_user(user)
+        return user
+
+    def parse_user(self, username):
+        """ Parse the provided username.
+        Override this method if you need to do special things with the
+        username, like stripping @realm or cleaning something like
+        cn=x,dc=sas,etc.
+        """
+        return username
+
+    def get_user(self, user_id):
+        try:
+            return User.objects.get(pk=user_id)
+        except User.DoesNotExist:
+            return None
+
+    def unknown_user(self, username):
+        """Auto-create user. Called only if User object doesn't already exist
+        for username.
+        """
+        user = User.objects.create_user(username, '')
+        user.is_staff = False
+        user.save()
+        return user
+
+    def configure_user(self, user):
+        """ Configure a user after login.
+        i.e: to read group membership from LDAP and so on.
+        Called only if user User object has just been created."
+        """
+        return user
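Review bot: `authenticate(self, username, password=None)` in RemoteUserAuthBackend treats a bare username as proof of identity and shares the `username` keyword with ModelBackend. Any other caller of `authenticate(username=...)` that omits the password would therefore be logged in, and a missing account auto-created, through this backend. A keyword that only the middleware passes, for example `def authenticate(self, remote_user):` paired with `authenticate(remote_user=...)` on the middleware side, keeps the server-supplied value apart from form credentials. Separately, the class is declared as `class RemoteUserAuthBackend:` while ModelBackend in the same file derives from `object`, and the `configure_user` docstring ends with a stray `"`.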
diff --git a/django/contrib/auth/middleware.py b/django/contrib/auth/middleware.py
index 42dc15a..7deb0fe 100644
--- a/django/contrib/auth/middleware.py
+++ b/django/contrib/auth/middleware.py
@@ -10,3 +10,22 @@ class AuthenticationMiddleware(object):
         assert hasattr(request, 'session'), "The Django authentication middleware requires session middleware to be installed. Edit your MIDDLEWARE_CLASSES setting to insert 'django.contrib.sessions.middleware.SessionMiddleware'."
         request.__class__.user = LazyUser()
         return None
+
+class RemoteUserAuthMiddleware(object):
+    def process_request(self, request):
+        from django.contrib.auth import authenticate, login
+        # AuthenticationMiddleware is required to create request.user
+        error = """The Django RemoteUserAuth middleware requires authentication middleware to be installed. Edit your MIDDLEWARE_CLASSES
+setting to insert 'django.contrib.auth.middleware.AuthenticationMiddleware' *before* the RemoteUserMiddleware class."""
+        assert hasattr(request, 'user'), error
+        if request.user.is_anonymous():
+            user = None
+            try:
+                user = authenticate(username=request.META['REMOTE_USER'])
+            except KeyError:
+                pass # No remote user available
+            if user is not None:
+                request.user = user    # set request.user to the authenticated user
+                login(request, user)   # auto-login the user to Django
+        return None
+
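Review bot: The `if request.user.is_anonymous():` guard means an existing session is never compared with `REMOTE_USER` again, so if the web server later reports a different user, or none, the request keeps running as whoever logged in first. When the session user is authenticated and does not match the parsed `REMOTE_USER`, call `logout(request)` before authenticating the new name. `process_request` would also benefit from a docstring stating that `request.META['REMOTE_USER']` is trusted without further checks, so the middleware belongs only behind a server that sets that variable itself. The assertion text names `RemoteUserMiddleware` while the class is `RemoteUserAuthMiddleware`.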
diff --git a/django/contrib/auth/tests/__init__.py b/django/contrib/auth/tests/__init__.py
index 23cfbaf..b40a9c2 100644
--- a/django/contrib/auth/tests/__init__.py
+++ b/django/contrib/auth/tests/__init__.py
@@ -1,4 +1,4 @@
-from django.contrib.auth.tests.basic import BASIC_TESTS
+from django.contrib.auth.tests.basic import BASIC_TESTS, HttpAuthTest
 from django.contrib.auth.tests.views import PasswordResetTest, ChangePasswordTest
 from django.contrib.auth.tests.forms import FORM_TESTS
 from django.contrib.auth.tests.tokens import TOKEN_GENERATOR_TESTS
@@ -11,4 +11,5 @@ __test__ = {
     'FORM_TESTS': FORM_TESTS,
     'TOKEN_GENERATOR_TESTS': TOKEN_GENERATOR_TESTS,
     'CHANGEPASSWORD_TESTS': ChangePasswordTest,
+    'HTTPAUTH_TESTS': HttpAuthTest,
 }
diff --git a/django/contrib/auth/tests/basic.py b/django/contrib/auth/tests/basic.py
index 2071710..be2b8ca 100644
--- a/django/contrib/auth/tests/basic.py
+++ b/django/contrib/auth/tests/basic.py
@@ -54,3 +54,30 @@ u'joe@somewhere.org'
 >>> u.password
 u'!'
 """
+
+from django.test import TestCase
+from django.contrib.auth.models import User
+from django.conf import settings
+
+class HttpAuthTest(TestCase):
+    def setUp(self):
+        self.curr_middleware = settings.MIDDLEWARE_CLASSES
+        self.curr_auth = settings.AUTHENTICATION_BACKENDS
+
+        settings.MIDDLEWARE_CLASSES +=\
+            ('django.contrib.auth.middleware.RemoteUserAuthMiddleware', )
+        settings.AUTHENTICATION_BACKENDS =\
+            ('django.contrib.auth.backends.RemoteUserAuthBackend',)
+
+    def test_remote_user(self):
+        "REMOTE_USER variable set by Web server is respected"
+        extra_headers = {'REMOTE_USER': 'iamnotanuser'}
+        response = self.client.get('/', **extra_headers)
+
+        u = User.objects.get(username='iamnotanuser')
+        # if no exception ws raises above it means this works.
+
+    def tearDown(self):
+        # Restore settings to avoid breaking other tests.
+        settings.MIDDLEWARE_CLASSES = self.curr_middleware
+        settings.AUTHENTICATION_BACKENDS = self.curr_auth
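Review bot: `test_remote_user` covers only the auto-create path and asserts nothing about the created account or the response; `response` and `u` are otherwise unused. For an authentication feature the negative cases matter more: a request without `REMOTE_USER` should leave the user anonymous and create no `User` row. The provisioned account should also be pinned with `self.assertFalse(u.is_staff)` and `self.assertFalse(u.has_usable_password())`. The comment `# if no exception ws raises above it means this works.` has a typo and should read "was raised".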
diff --git a/docs/topics/auth-remote-user.txt b/docs/topics/auth-remote-user.txt
new file mode 100644
index 0000000..2e060ec
--- /dev/null
+++ b/docs/topics/auth-remote-user.txt
@@ -0,0 +1,73 @@
+.. _topics-auth-remote-user:
+
+======================================================
+Authenticating against REMOTE_USER from the Web Server
+======================================================
+
+Typically on intranet sites users are already authenticated by the web server
+(e.g. a Windows domain using IIS Integrated Authentication, or an environment
+using solutions like Apache `mod_authnz_ldap`_, `CAS`_, `Cosign`_, `WebAuth`_,
+etc.)
+
+.. _mod_authnz_ldap: http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html
+.. _CAS: http://www.ja-sig.org/products/cas/
+.. _Cosign: http://weblogin.org
+.. _WebAuth: http://www.stanford.edu/services/webauth/
+
+When the web server takes care of authentication it sets the ``REMOTE_USER``
+header for use in the underlying application. Then it's up to this
+application to take care of the authorization.
+
+Django can be configured to make use of the ``REMOTE_USER`` header making it
+possible to integrate your Django applications with a pre-existing single
+sign-on enterprise infrastructure.
+
+We assume that you have already configured your web server to authenticate
+users (i.e. by using ``mod_auth_sspi`` in Apache, Integrated Authentication in
+IIS or one of the solutions listed above).
+
+Configuring Django
+==================
+
+First of all, you must add the ``RemoteUserAuthMiddleware`` to the
+``MIDDLEWARE_CLASSES`` setting just **after** (never before)
+``AuthenticationMiddleware``.
+
+With this setup, ``RemoteUserAuthMiddleware`` will detect the ``REMOTE_USER``
+variable in the requests and will auto-login the user by using the username
+contained in such variable. The user must already exist in the authentication
+backend being used by Django.
+
+Additionally, if you want the non-existent users to be automatically added
+to the store of the authentication backend being used by Django , include the
+``RemoteUserAuthBackend`` in the ``AUTHENTICATION_BACKENDS`` setting.
+
+If you want even more control, you can create your own authentication backend
+that inherits from ``RemoteUserAuthBackend``, override a few methods:
+
+   * ``parse_user``: Should cleanup ``REMOTE_USER`` (i.e. strip @realm from
+     it). It takes the ``username`` as argument, and must return the cleaned
+     ``username``.
+   * ``unkown_user``: Will be called when no ``User`` object exist for
+     ``REMOTE_USER``. Takes ``username`` as it's only argument. Should create
+     and return an ``User`` object.
+   * ``configure_user``: Will be called after ``unknown_user`` only when a new
+     ``User`` object has been created so you can configure it. Takes the
+     newly created ``User`` instance as it's only argument. Should also return
+     the ``User`` instance that represents the user.
+
+and use it in the ``AUTHENTICATION_BACKENDS`` setting.
+
+Examples:
+
+    settings.py::
+
+        MIDDLEWARE_CLASSES = (
+            'django.contrib.auth.middleware.AuthenticationMiddleware',
+            'django.contrib.auth.middleware.RemoteUserAuthMiddleware',
+            ...
+            )
+
+        AUTHENTICATION_BACKENDS = (
+            'django.contrib.auth.backends.RemoteUserAuthBackend',
+        )
diff --git a/docs/topics/auth.txt b/docs/topics/auth.txt
index 6de6a3b..4717b3d 100644
--- a/docs/topics/auth.txt
+++ b/docs/topics/auth.txt
@@ -1224,6 +1224,17 @@ plug in another authentication sources. You can override Django's default
 database-based scheme, or you can use the default system in tandem with other
 systems.
 
+.. versionadded:: 1.1
+    Handling authentication at the web server was added in Django 1.1
+
+Handling authentication at the web server
+-----------------------------------------
+
+There's a very specific situation/scenario in which you want to handle
+authentication at the web server's level (i.e. standard HTTP AUTH) and want
+Django to honour this authentication. This is covered in
+:ref:`Authenticating against REMOTE_USER<topics-auth-remote-user>`
+
 Specifying authentication backends
 ----------------------------------
 
@@ -1360,3 +1371,4 @@ A full authorization implementation can be found in
 the ``auth_permission`` table most of the time.
 
 .. _django/contrib/auth/backends.py: http://code.djangoproject.com/browser/django/trunk/django/contrib/auth/backends.py
+
diff --git a/docs/topics/index.txt b/docs/topics/index.txt
index 5d83980..710cfc0 100644
--- a/docs/topics/index.txt
+++ b/docs/topics/index.txt
@@ -17,6 +17,7 @@ Introductions to all the key parts of Django you'll need to know:
    files
    testing
    auth
+   auth-remote-user
    cache
    email
    i18n
