Before I get into the details, I think I should introduce myself. My name is Doug Napoleone and I have only been using django for about 6 months. I worked on the PyCon06 PyCon-Tech project and am trying to kick off the PyCon07 tech work.
http://wiki.python.org/moin/PyCon2006/PyConSoftwareTalk http://us.pycon.org/apps/ > > May I interest you in the "Authenticating against Django's user > database from Apache" document? > > http://www.djangoproject.com/documentation/apache_auth/ > > Adrian > There are two issues with the current auth mod_python handler. 1. it doesn't support rich control i.e. does user A belong to group B and is the sub directory under this <location> the users directory (given some custom extended user model). This work can be done using the current handler as a template and rolling your own, or come up with something more generic. The Idea is to instead of denoting the permissions on the apache side with passed in env, have the auth be dynamicly configurable on the django side based on user, group, request path, etc. 2. it doesn't work with fastcgi. I am stuck with fastcgi for PHP reasons. I believe that it is possable to create an extended auth bridge between apache and django with minimal work. I will not get to this for a few months, so I thought I would document what I have come up with so far. If you have django as a fastcgi then you can use it directly for handling auth verification using: <Location /protected> AuthName ProtectedMedia AuthType Basic FastCgiAccessChecker django-myproject-fastcgi.py FastCgiAuthenticator django-myproject-fastcgi.py FastCgiAuthorizer django-myproject-fastcgi.py </Location> (or put the above in the parant directory .htaccess file, sans the <location> tags) FastCgiAccessChecker - for verifying ip address and other header checks return either 403 (Forbidden) or 200 (OK) FastCgiAuthenticator - for verifying user/password 401 (Unauthorized) for: no user credentials invalid credentials 200 (OK) FastCgiAuthorizer - for verifying access 401 (Unauthorized) - good creds, but no access 200 (OK) Not all need to be supplied/handled. Apache will send the full request (but the response is just an auth response like the current mod_python auth handler). The resuest has two additional variables in the environment: FCGI_ROLE == 'AUTHORIZER' (think its 'RESPONDER' for normal fastcgi) FCGI_APACHE_ROLL == ACCESS_CHECKER - when called from FastCgiAccessChecker AUTHENTICATOR AUTHORIZER A standard middleware could detect these and dispatch to a standardized auth request interface. I say standardized because the mod_python auth handler could be modified to use this auth request interface directly (instead of going through the request handler/middleware framework.) I need to read up more on the PythonAuthenHandler stuff, but I believe it has similar distinctions to the FastCgi ones. The coolness does not stop there (for FastCgi). Each of the 3 auth request types have an 'Authoritative' flag which defaults to on. If turned off, the request is passed to the next apache auth system if its not 200 (OK). i.e.: <Location /protected> AuthName ProtectedMedia AuthType Basic FastCgiAuthenticator django-myproject-fastcgi.py FastCgiAuthenticatorAuthoritative off FastCgiAuthorizer django-myproject-fastcgi.py FastCgiAuthorizerAuthoritative off AuthUserFile /etc/conf/httpd.conf/auth/admin.auth require user administrator </Location> So if the user is logging in as the apache administrator, even if they do not have django creds, they will have access. You can also pass information in via SetEnv. Your fastcgi auth's can also modify the headerand it will stick to the next level. This is usefull for the above example because you may not want to do the user lookup or passwd check a second time for the FastCgiAuthorizer. FastCgiAuthenticator can set its status, which FastCgiAuthorizer can then read and use. All that needs to be done now is to come up with something that makes sence for the Auth interface. I believe this is already being done on the MultiAuth branch. The end user instructions will be use a new mod_python auth handler for mod_python, or use a new AuthApacheFastCgi middleware for fastcgi. I would love some help working on this. -Doug --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-developers@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/django-developers -~----------~----~----~----~------~----~------~--~---
