Ticket #689: remote_user.diff

django/contrib/auth/backends.py

@@ -19 +19 @@
-            return User.objects.get(pk=user_id)
-        except User.DoesNotExist:
-            return None
+
+class RemoteUserAuthBackend(ModelBackend):
+    def authenticate(self, username, password=None):
+        """
+        Authenticate user - RemoteUserAuth middleware passes REMOTE_USER
+        as username. password param is not used, just added in case :)
+        """
+        user = None
+        if username:
+            try:
+                user = User.objects.get(username=username)
+            except User.DoesNotExist:
+                # Auto-create user
+                if settings.REMOTE_USER_AUTH_AUTO_CREATE:
+                    # We'll create a password, but it won't be used
+                    password = User.objects.make_random_password()
+                    user = User.objects.create_user(username, '', password)
+                    user.is_staff = False
+                    user.save()
+                    # Check if there is an after_create function set in settings
+                    # it is a string like 'path.to.module.function'
+                    try:
+                        path = settings.REMOTE_USER_AUTH_AFTER_CREATE
+                    except:
+                        # No custom after_create function
+                        return user
+                    i = path.rfind('.')
+                    module, attr = path[:i], path[i+1:]
+                    try:
+                        module = __import__(module, {}, {}, [attr])
+                    except ImportError:
+                        raise ImproperlyConfigured, 'Error importing function %s' % path
+                    try:
+                        func = getattr(module, attr)
+                        # this function is called with the new User object
+                        func(user)
+                    except:
+                        raise ImproperlyConfigured, 'Error executing function %s' % path
+        return user

django/contrib/auth/middleware.py

@@ -10 +10 @@
-        assert hasattr(request, 'session'), "The Django authentication middleware requires session middleware to be installed. Edit your MIDDLEWARE_CLASSES setting to insert 'django.contrib.sessions.middleware.SessionMiddleware'."
-        request.__class__.user = LazyUser()
-        return None
+
+class RemoteUserAuthMiddleware(object):
+    def process_request(self, request):
+        from django.contrib.auth import authenticate, login
+        # AuthenticationMiddleware is required to create request.user
+        error = """The Django RemoteUserAuth middleware requires authentication middleware to be installed. Edit your MIDDLEWARE_CLASSES
+setting to insert 'django.contrib.auth.middleware.AuthenticationMiddleware' *before* the RemoteUserMiddleware class."""
+        assert hasattr(request, 'user'), error
+        if request.user.is_anonymous():
+            try:
+                user = authenticate(username=request.META['REMOTE_USER'])
+            except:
+                user = None
+            if user is not None:
+                request.user = user    # set request.user to the authenticated user
+                login(request, user)   # auto-login the user to Django
+        return None

docs/auth_remote_user.txt

@@ +1 @@
+=============================
+Authenticating against REMOTE_USER from Apache
+=============================
+
+Typically on an intranet, users are already authenticated (e.g. in a Windows domain).
+It is possible to let Apache use NTLM to verify that a user is authenticated, and only 
+allow valid users to enter your website. Apache will set a REMOTE_USER variable containing
+the user's username. This can be used to inform django which user is accessing the site.
+If the user is not yet in django's userbase, she can be added automatically.
+
+Configuring Apache
+==============
+
+You will need a module that can authenticate using NTLM.
+Examples are mod_NTLM or mod_auth_sspi.
+Configure Apache to use these to authenticate the user.
+An example configuration using mod_auth_sspi looks like this:
+
+# Add the module:
+
+LoadModule sspi_auth_module modules/mod_auth_sspi.so
+
+# Configure the authentication:
+
+    <Location /example/>
+        AuthName "myIntranet"
+        AuthType SSPI
+        SSPIAuth On
+        SSPIAuthoritative On
+        SSPIDomain "myDomain"
+        SSPIOmitDomain On
+        SSPIUsernameCase "upper"
+        
+        Require valid-user
+
+        SetHandler python-program
+        PythonHandler django.core.handlers.modpython
+        SetEnv DJANGO_SETTINGS_MODULE your_settings
+        PythonPath "['d:\\\\websites'] + ['d:\\\\websites\\\\myproject'] + sys.path"
+    </Location>
+
+Configuring django
+=============
+
+In your settings file, add the RemoteUserAuthMiddleware and the RemoteUserAuthBackend like this:
+
+Add the middleware AFTER the AuthenticationMiddleware:
+
+    'django.contrib.auth.middleware.AuthenticationMiddleware',
+    'django.contrib.auth.middleware.RemoteUserAuthMiddleware',
+    
+Add the RemoteUserAuthBackend as authentication backend:
+    AUTHENTICATION_BACKENDS = (
+        'django.contrib.auth.RemoteUserAuthBackend',
+    )
+
+Set the REMOTE_USER_AUTH_AUTO_CREATE setting if you want to automatically add and authenticate 
+users that are unknown to django (but are already authenticated by Apache) :
+    
+    REMOTE_USER_AUTH_AUTO_CREATE = True
+
+You can also pass in a custom function to be executed AFTER a new user was added to the django database:
+
+    REMOTE_USER_AUTH_AFTER_CREATE = 'path.to.module.function'
+
+This function will be called with one parameter: the newly created User object.
+You could use this function to set detailed info or permissions on the users (e.g. from an LDAP source).
+
+
+
+