Index: django/contrib/auth/backends.py
===================================================================
--- django/contrib/auth/backends.py	(Revision 7438)
+++ django/contrib/auth/backends.py	(Arbeitskopie)
@@ -68,3 +68,49 @@
             return User.objects.get(pk=user_id)
         except User.DoesNotExist:
             return None
+
+class RemoteUserAuthBackend:
+
+    def authenticate(self, username, password=None):
+        """
+        Authenticate user - RemoteUserAuth middleware passes REMOTE_USER
+        as username.
+        """
+        if password is not None:
+            return None
+        user = None
+        if username:
+            username = self.parse_user(username)
+            try:
+                user = User.objects.get(username=username)
+            except User.DoesNotExist:
+                user = self.unknown_user(username)
+                user = self.configure_user(user)
+        return user
+
+    def parse_user(self, username):
+        """ Parse the provided username.
+        Override this method if you need to do special things with the
+        username, like stripping @realm or cleaning something like
+        cn=x,dc=sas,etc.
+        """
+        return username
+
+    def get_user(self, user_id):
+        try:
+            return User.objects.get(pk=user_id)
+        except User.DoesNotExist:
+            return None
+
+    def unknown_user(self, username):
+        # Auto-create user
+        user = User.objects.create_user(username, '')
+        user.is_staff = False
+        user.save()
+        return user
+
+    def configure_user(self, user):
+        """ Configure a user after login.
+        i.e: to read group membership from LDAP and so on.
+        """
+        return user
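Review bot: `authenticate(self, username, password=None)` accepts the same `username` keyword a username/password login uses, so any caller that invokes `authenticate(username=...)` without a password gets that account back (or a new one from `unknown_user`) with no credential check. Only convention limits this to the middleware. A keyword that only the middleware passes would make the trust boundary explicit, for example `def authenticate(self, remote_user):` with the matching `authenticate(remote_user=...)` call in the middleware.py hunk. The result of `parse_user` is also used without re-checking that it is non-empty, so an override that strips the whole value would reach `create_user` with an empty name; `if not username: return None` after the `parse_user` call would cover that. A class docstring should state that this backend is only safe when the web server itself always sets REMOTE_USER and clients cannot influence it.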
Index: django/contrib/auth/middleware.py
===================================================================
--- django/contrib/auth/middleware.py	(Revision 7438)
+++ django/contrib/auth/middleware.py	(Arbeitskopie)
@@ -10,3 +10,21 @@
         assert hasattr(request, 'session'), "The Django authentication middleware requires session middleware to be installed. Edit your MIDDLEWARE_CLASSES setting to insert 'django.contrib.sessions.middleware.SessionMiddleware'."
         request.__class__.user = LazyUser()
         return None
+
+class RemoteUserAuthMiddleware(object):
+    def process_request(self, request):
+        from django.contrib.auth import authenticate, login
+        # AuthenticationMiddleware is required to create request.user
+        error = """The Django RemoteUserAuth middleware requires authentication middleware to be installed. Edit your MIDDLEWARE_CLASSES
+setting to insert 'django.contrib.auth.middleware.AuthenticationMiddleware' *before* the RemoteUserMiddleware class."""
+        assert hasattr(request, 'user'), error
+        if request.user.is_anonymous():
+            user = None
+            try:
+                user = authenticate(username=request.META['REMOTE_USER'])
+            except KeyError:
+                pass # No remote user available
+            if user is not None:
+                request.user = user    # set request.user to the authenticated user
+                login(request, user)   # auto-login the user to Django
+        return None
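Review bot: REMOTE_USER is consulted only while `request.user.is_anonymous()` holds, so once a session is logged in it stays bound to the first account even if the web server later reports a different REMOTE_USER for the same session cookie. The per-request check should compare the reported name with the session's user and authenticate again on a mismatch, as sketched below. The comparison is against the raw value, so a backend whose `parse_user` rewrites the name would re-authenticate on every request, and that may need a hook. Whether a request that arrives with no REMOTE_USER should also end an existing session is a policy choice worth documenting in a comment here. Separately, the `assert hasattr(request, 'user'), error` guard disappears under `python -O`; it mirrors the existing assert in the context lines, but raising explicitly would be more robust.

```python
    def process_request(self, request):
        # … unchanged: local import and the request.user assertion …
        remote_user = request.META.get('REMOTE_USER')
        if not remote_user:
            return None
        # Skip only when the session already belongs to the account the
        # web server reports; otherwise authenticate again.
        if (not request.user.is_anonymous()
                and request.user.username == remote_user):
            return None
        user = authenticate(username=remote_user)
        if user is not None:
            request.user = user
            login(request, user)
        return None
```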
Index: django/contrib/auth/tests.py
===================================================================
--- django/contrib/auth/tests.py	(Revision 7438)
+++ django/contrib/auth/tests.py	(Arbeitskopie)
@@ -35,4 +35,42 @@
 []
 >>> a.user_permissions.all()
 []
-"""
\ Kein Zeilenvorschub am Ende der Datei
+"""
+
+import os
+import unittest
+from doctest import DocTestSuite
+from django.contrib.auth.models import User
+from django.contrib.auth.backends import RemoteUserAuthBackend
+from django.test.client import Client
+from django.conf import settings
+
+class HttpAuthTest(unittest.TestCase):
+    def setUp(self):
+        self.extra_headers = {'REMOTE_USER': 'iamnotanuser'}
+        self.curr_middleware = settings.MIDDLEWARE_CLASSES
+        self.curr_auth = settings.AUTHENTICATION_BACKENDS
+
+        settings.MIDDLEWARE_CLASSES +=\
+            ('django.contrib.auth.middleware.RemoteUserAuthMiddleware', )
+        settings.AUTHENTICATION_BACKENDS =\
+            ('django.contrib.auth.backends.RemoteUserAuthBackend',)
+
+    def testRemoteUserIsRespected(self):
+        c = Client()
+        extra_headers = {'REMOTE_USER': 'iamnotanuser'}
+        res = c.get('/', {}, **self.extra_headers)
+
+        u = User.objects.get(username='iamnotanuser')
+        # wow, the user was created! this works.
+
+    def tearDown(self):
+        # Restore settings to avoid breaking other tests.
+        settings.MIDDLEWARE_CLASSES = self.curr_middleware
+        settings.AUTHENTICATION_BACKENDS = self.curr_auth
+
+
+def suite():
+    doctest_suite = DocTestSuite()
+    http_auth_suite = unittest.TestLoader().loadTestsFromTestCase(HttpAuthTest)
+    return unittest.TestSuite([doctest_suite, http_auth_suite])
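Review bot: `testRemoteUserIsRespected` covers only the positive path and asserts nothing explicitly; it passes as long as `User.objects.get` does not raise. For an authentication feature the negative cases matter more. Add a test that a request without `REMOTE_USER` leaves the user table unchanged, and one that a client-supplied `HTTP_REMOTE_USER` header creates no account, e.g. `self.assertEqual(User.objects.filter(username='iamnotanuser').count(), 0)` after such a request. The local `extra_headers` in the test and the `import os` line are unused. The user created by the positive test is never deleted in `tearDown`, so later tests see it.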
Index: docs/auth_remote_user.txt
===================================================================
--- docs/auth_remote_user.txt	(Revision 0)
+++ docs/auth_remote_user.txt	(Revision 0)
@@ -0,0 +1,52 @@
+======================================================
+Authenticating against REMOTE_USER from the Web Server
+======================================================
+
+Typically on intranet sites users are already authenticated (i.e. in a Windows
+domain) by the web server (i.e. using IIS Integrated Authentication).
+
+When the web server takes care of authentication it sets the ``REMOTE_USER`` HTTP
+header for use in the underlying application (i.e. Django). Then it's up to
+this application take care of the authorization.
+
+Django brings all you need to make use of the ``REMOTE_USER`` header bringing you
+one step further to single sign-on on enterprise infrastucure!
+
+We assume that you have already configured your web server to authenticate
+users, maybe with mod_auth_sspi in Apache, Integrated Authentication in IIS
+and so on.
+
+Configuring Django
+==================
+
+First of all, you must add the ``RemoteUserAuthMiddleware`` just **after**
+(never before) ``AuthenticationMiddleware``.
+
+If you want more control, you can inherited from ``RemoteUserAuthBackend`` and
+override a few methods:
+
+   * ``parse_user``: Should cleanup ``REMOTE_USER`` (i.e. strip @realm from
+     it). It takes the ``username`` as argument, and must return the cleaned
+     ``username``.
+   * ``unkown_user``: Should create and return a ``User`` object, will be
+     called when a ``User`` object does not exist for ``REMOTE_USER``. Takes
+     ``username`` as it's only argument.
+   * ``configure_user``: Will be called after ``unkown_user`` so you can
+     configure the recently created ``User`` object (in case you did not want
+     to override ``unkown_user``. Takes the ``User`` instance as an argument.
+     Should also return the ``User`` instance that represents the User.
+
+
+Examples:
+
+    settings.py::
+
+        MIDDLEWARE_CLASSES = (
+            'django.contrib.auth.middleware.AuthenticationMiddleware',
+            'django.contrib.auth.middleware.RemoteUserAuthMiddleware',
+            ...
+            )
+            
+        AUTHENTICATION_BACKENDS = (
+            'django.contrib.auth.backends.RemoteUserAuthBackend',
+        )
Index: docs/authentication.txt
===================================================================
--- docs/authentication.txt	(Revision 7438)
+++ docs/authentication.txt	(Arbeitskopie)
@@ -1020,6 +1020,15 @@
 database-based scheme, or you can use the default system in tandem with other
 systems.
 
+.. admonition:: Handling authentication at the web server
+
+    There's a very specific situation/scenario in which you want to handle
+    authentication at the web server's level (i.e. standard HTTP AUTH) and want
+    Django to honour this authentication. This is covered in a separate page:
+    `Authenticating against REMOTE_USER from the Web Server`_
+
+.. _Authenticating against REMOTE_USER from the Web Server: ../auth_remote_user/
+
 Specifying authentication backends
 ----------------------------------
 
