Comments on: Django authentication and mod_wsgi http://www.davidfischer.name/2009/10/django-authentication-and-mod_wsgi/ Some Things to Some People Thu, 02 Sep 2010 05:29:07 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: David http://www.davidfischer.name/2009/10/django-authentication-and-mod_wsgi/comment-page-1/#comment-212 David Wed, 26 May 2010 14:55:12 +0000 http://www.davidfischer.name/?p=270#comment-212 Alessandro is correct. Without a middleware or something else, RPC4Django will not support some authenticated methods out of the box while others can be used by unauthenticated users. It's currently all or nothing. There is currently a blueprint regarding adding a sort of <a href="https://blueprints.launchpad.net/rpc4django/+spec/handle-authentication" rel="nofollow">out of the box authentication</a> which would solve this but I have not had time to work on it. I also want to talk about security in the next release. HTTP basic authentication really should not be used without SSL/TLS for maximum security. The new out of the box authentication will not solve the security issue. Unless you don't care about packet sniffing, passwords should be encrypted. Alessandro is correct. Without a middleware or something else, RPC4Django will not support some authenticated methods out of the box while others can be used by unauthenticated users. It’s currently all or nothing.

There is currently a blueprint regarding adding a sort of out of the box authentication which would solve this but I have not had time to work on it.

I also want to talk about security in the next release. HTTP basic authentication really should not be used without SSL/TLS for maximum security. The new out of the box authentication will not solve the security issue. Unless you don’t care about packet sniffing, passwords should be encrypted.

]]> By: Alessandro http://www.davidfischer.name/2009/10/django-authentication-and-mod_wsgi/comment-page-1/#comment-211 Alessandro Mon, 24 May 2010 10:44:23 +0000 http://www.davidfischer.name/?p=270#comment-211 Hi, the suggested method is not compatible with having both open and restricted methods, I solved the problem with a tiny middleware and with the following directive in the virtual server conf: <code>WSGIPassAuthorization On</code> The middleware : <pre><code class="python"> class HttpAuthMiddleware: """ Simple HTTP-Basic auth for testing webservices """ def process_request(self, request): auth_basic = request.META.get('HTTP_AUTHORIZATION') if auth_basic: import base64 try: username , dummy, password = base64.decodestring(auth_basic[6:]).partition(':') user = User.objects.get(username=username) if user.check_password(password): request.user = user except User.DoesNotExist: pass return None </code></pre> <strong>Edit:</strong> Changes to formatting made by David. Hi,

the suggested method is not compatible with having both open and restricted methods, I solved the problem with a tiny middleware and with the following directive in the virtual server conf:

WSGIPassAuthorization On

The middleware :


class HttpAuthMiddleware:
    """
    Simple HTTP-Basic auth for testing webservices
    """
    def process_request(self, request):
        auth_basic = request.META.get('HTTP_AUTHORIZATION')
        if auth_basic:
            import base64
            try:
                username , dummy,  password = base64.decodestring(auth_basic[6:]).partition(':')
                user = User.objects.get(username=username)
                if user.check_password(password):
                   request.user = user
            except User.DoesNotExist:
                pass
        return None

Edit: Changes to formatting made by David.

]]> By: David http://www.davidfischer.name/2009/10/django-authentication-and-mod_wsgi/comment-page-1/#comment-153 David Fri, 09 Apr 2010 15:00:42 +0000 http://www.davidfischer.name/?p=270#comment-153 <a href="#comment-152" rel="nofollow">@Vishwajeet </a> I'm not 100% sure what you mean. Instead of using mod_python's PythonAuthenHandler and pointing to a Django built-in module like "PythonAuthenHandler django.contrib.auth.handlers.modpython", you have to use mod_wsgi's WSGIAuthUserScript. However, there is no Django built-in module to point to for authentication. However, since mod_wsgi is the <a href="http://docs.djangoproject.com/en/1.1/howto/deployment/modwsgi/#howto-deployment-modwsgi" rel="nofollow">recommended</a> Apache module for deploying Django in production, I submitted that <a href="http://code.djangoproject.com/ticket/10809" rel="nofollow">ticket</a> to add the <span style="font-family:monospace">check_password</span> helper function into Django. In the mean time, you'll have to roll an .wsgi script similar to the one I have above for authentication. You can put check_password into your main application .wsgi script and simple point to it with WSGIAuthUserScript. @Vishwajeet
I’m not 100% sure what you mean. Instead of using mod_python’s PythonAuthenHandler and pointing to a Django built-in module like “PythonAuthenHandler django.contrib.auth.handlers.modpython”, you have to use mod_wsgi’s WSGIAuthUserScript. However, there is no Django built-in module to point to for authentication. However, since mod_wsgi is the recommended Apache module for deploying Django in production, I submitted that ticket to add the check_password helper function into Django. In the mean time, you’ll have to roll an .wsgi script similar to the one I have above for authentication. You can put check_password into your main application .wsgi script and simple point to it with WSGIAuthUserScript.

]]> By: Vishwajeet http://www.davidfischer.name/2009/10/django-authentication-and-mod_wsgi/comment-page-1/#comment-152 Vishwajeet Fri, 09 Apr 2010 08:19:07 +0000 http://www.davidfischer.name/?p=270#comment-152 Hi, Is there way to define an authorization script for mod_wsgi like mod_python Authorization handler ? Hi,
Is there way to define an authorization script for mod_wsgi like mod_python Authorization handler ?

]]> By: Martin http://www.davidfischer.name/2009/10/django-authentication-and-mod_wsgi/comment-page-1/#comment-96 Martin Fri, 30 Oct 2009 11:19:18 +0000 http://www.davidfischer.name/?p=270#comment-96 Thank you very much for posting this work around. I am using auth.wsgi, as above, to authenticate against Django to provide WebDAV access. I was previously using mod_python just to handle the WebDAV authentication but am much happier using mod_wsgi for everything. Here is the Apache config snippet. # mod_wsgi authenticator dav on AuthType Basic AuthName "example.org" Require valid-user AuthBasicProvider wsgi WSGIAuthUserScript /var/local/django/webapp/apache/auth.wsgi Thank you very much for posting this work around. I am using auth.wsgi, as above, to authenticate against Django to provide WebDAV access. I was previously using mod_python just to handle the WebDAV authentication but am much happier using mod_wsgi for everything. Here is the Apache config snippet.

# mod_wsgi authenticator

dav on
AuthType Basic
AuthName “example.org”
Require valid-user
AuthBasicProvider wsgi
WSGIAuthUserScript /var/local/django/webapp/apache/auth.wsgi

]]>