Ticket #10809: modwsgi_auth_handler.3.diff

File modwsgi_auth_handler.3.diff, 5.9 KB (added by David Fischer, 12 years ago)

Contains the necessary methods to authenticate and authorize

  • django/contrib/auth/handlers/modwsgi.py

     
     1from django.contrib.auth.models import User
     2from django import db
     3
     4def check_password(environ, username, password):
     5    """
     6    Authenticates against Django's auth database
     7    """
     8
     9    db.reset_queries()
     10
     11    try:
     12        # verify the user exists
     13        try:
     14            user = User.objects.get(username=username, is_active=True)
     15        except User.DoesNotExist:
     16            return None
     17
     18        # verify the password for the given user
     19        if user.check_password(password):
     20            return True
     21        else:
     22            return False
     23    finally:
     24        db.close_connection()
     25
     26def groups_for_user(environ, username):
     27    """
     28    Authorizes a user based on groups
     29    """
     30
     31    db.reset_queries()
     32
     33    try:
     34        try: 
     35            user = User.objects.get(username=username, is_active=True)
     36        except User.DoesNotExist: 
     37            return []
     38
     39        return [group.name.encode('utf-8') for group in user.groups.all()]
     40    finally:
     41        db.close_connection()
  • docs/howto/apache-auth.txt

     
    1919.. _Subversion: http://subversion.tigris.org/
    2020.. _mod_dav: http://httpd.apache.org/docs/2.0/mod/mod_dav.html
    2121
    22 Configuring Apache
    23 ==================
     22Authentication with mod_wsgi
     23============================
    2424
    25 To check against Django's authorization database from a Apache configuration
    26 file, you'll need to use mod_python's ``PythonAuthenHandler`` directive along
     25Make sure that mod_wsgi is installed and activated and that you have
     26followed the steps to
     27:ref:`use Django with Apache and mod_wsgi <howto-deployment-modwsgi>`.
     28
     29Next, edit your Apache configuration to add a path that you want
     30only authenticated users to be able to view:
     31
     32.. code-block:: apache
     33
     34    WSGIScriptAlias / /path/to/mysite/config/mysite.wsgi
     35   
     36    WSGIProcessGroup %{GLOBAL}
     37    WSGIApplicationGroup django
     38   
     39    <Location "/secret">
     40        AuthType Basic
     41        AuthName "Top Secret"
     42        Require valid-user
     43        AuthBasicProvider wsgi
     44        WSGIAuthUserScript /path/to/mysite/config/mysite.wsgi
     45    </Location>
     46
     47The ``WSGIAuthUserScript`` directive tells mod_wsgi to execute the
     48``check_password`` function in that script passing the user name and
     49password that it receives from the prompt. In this example,
     50the ``WSGIAuthUserScript`` is the same as the ``WSGIScriptAlias`` that
     51defines your application.
     52
     53.. admonition:: Using Apache 2.2 with authentication
     54
     55    Make sure that ``mod_auth_basic`` and ``mod_authz_user`` are loaded.
     56
     57    These might be compiled statically into Apache, or you might need to use
     58    LoadModule to load them dynamically in your ``httpd.conf``:
     59
     60    .. code-block:: apache
     61       
     62        LoadModule auth_basic_module modules/mod_auth_basic.so
     63        LoadModule authz_user_module modules/mod_authz_user.so
     64
     65Finally, edit your WSGI auth script ``mysite.wsgi`` to tie Apache's 
     66authentication to yoursite's users:
     67
     68.. code-block:: python
     69   
     70    import os
     71    import sys
     72   
     73    os.environ['DJANGO_SETTINGS_MODULE'] = 'mysite.settings'
     74
     75    from django.contrib.auth.handlers.modwsgi import check_user
     76   
     77    from django.core.handlers.wsgi import WSGIHandler
     78    application = WSGIHandler()
     79
     80
     81Requests beginning with ``/secret/`` will now require a user to authenticate.
     82
     83The mod_wsgi `access control mechanisms documentation`_ provides additional
     84details and information about alternative methods of authentication.
     85
     86.. _access control mechanisms documentation: http://code.google.com/p/modwsgi/wiki/AccessControlMechanisms
     87
     88Authorization with mod_wsgi and Django groups
     89---------------------------------------------
     90
     91In addition, mod_wsgi also provides functionality to restrict a particular
     92location to members of a group.
     93
     94In this case, the Apache configuration should look like this:
     95
     96.. code-block:: apache
     97
     98    WSGIScriptAlias / /path/to/mysite/config/mysite.wsgi
     99   
     100    WSGIProcessGroup %{GLOBAL}
     101    WSGIApplicationGroup django
     102   
     103    <Location "/secret">
     104        AuthType Basic
     105        AuthName "Top Secret"
     106        AuthBasicProvider wsgi
     107        WSGIAuthUserScript /path/to/mysite/config/mysite.wsgi
     108        WSGIAuthGroupScript /path/to/mysite/config/mysite.wsgi
     109        Require group secret-agents
     110        Require valid-user
     111    </Location>
     112   
     113Because of the ``WSGIAuthGroupScript`` directive, the same WSGI auth script
     114``mysite.wsgi`` must also import the method ``groups_for_user`` which
     115returns a list of the user's groups.
     116
     117.. code-block:: python
     118   
     119    from django.contrib.auth.handlers.modwsgi import check_user, groups_for_user
     120   
     121Requests for ``/secret/`` will now also require a user to a member of the
     122"secret-agents" group.
     123
     124Authentication with mod_python
     125==============================
     126
     127To check against Django's authorization database from mod_python,
     128you'll need to use mod_python's ``PythonAuthenHandler`` directive along
    27129with the standard ``Auth*`` and ``Require`` directives:
    28130
    29131.. code-block:: apache
     
    84186            PythonAuthenHandler django.contrib.auth.handlers.modpython
    85187        </Location>
    86188
    87 By default, the authentication handler will limit access to the ``/example/``
    88 location to users marked as staff members.  You can use a set of
     189By default, the mod_python authentication handler will limit access to the
     190``/example/`` location to users marked as staff members.  You can use a set of
    89191``PythonOption`` directives to modify this behavior:
    90192
    91193    ================================  =========================================
Back to Top