#25029: When external authentication via REMOTE_USER is only configured on
/admin/login/, the authentication does not persist
-------------------------------+--------------------
     Reporter:  adelton        |      Owner:  nobody
         Type:  Uncategorized  |     Status:  new
    Component:  contrib.auth   |    Version:  master
     Severity:  Normal         |   Keywords:
 Triage Stage:  Unreviewed     |  Has patch:  0
Easy pickings:  0              |      UI/UX:  0
-------------------------------+--------------------

The ticket #17869 made sure that if the REMOTE_USER header is not present, the user is logged out in Django as well. Ticket #23066 moved the logic to a different method, but the semantics stayed the same.

However, for certain external authentication mechanisms, it makes sense that the frontend server (Apache) is configured to only authenticate a single URL, like /admin/login/. For example with Kerberos, we do not want the negotiate to happen upon every request -- we want Django to accept the external authentication, create the session, and then use that session until the user explicitly logs out.

I assume changing the current behaviour of RemoteUserMiddleware is not acceptable, so I'm proposing a new middleware, OptionalRemoteUserMiddleware, to allow the REMOTE_USER to be only present once.

--
Ticket URL: <https://code.djangoproject.com/ticket/25029>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
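
The difference between the current RemoteUserMiddleware behaviour and the proposed optional behaviour, as an added example that is not part of the ticket or of Django's code. It is a simplified, dependency-free model: the function names, the `logout_when_header_absent` flag and the sample requests are assumptions constructed for illustration.

```python
# Simplified model of the two policies discussed in the ticket.
# This is NOT Django's implementation; all names here are hypothetical.

def process_request(environ, session, logout_when_header_absent):
    """Return the authenticated username (or None) and update `session`.

    environ: WSGI-style dict; REMOTE_USER is set by the frontend server.
    session: dict standing in for the server-side session store.
    """
    remote_user = environ.get("REMOTE_USER")
    if remote_user is None:
        # Header absent: the strict policy ends the session, the
        # optional policy keeps whatever the session already holds.
        if logout_when_header_absent:
            session.pop("user", None)
        return session.get("user")
    if session.get("user") != remote_user:
        # A different externally authenticated identity always wins:
        # drop the old session state before binding the new user.
        session.clear()
        session["user"] = remote_user
    return remote_user


def replay(requests, logout_when_header_absent):
    """Run constructed requests through one session; return who each saw."""
    session, seen = {}, []
    for path, environ in requests:
        if path == "/admin/logout/":
            session.clear()  # explicit logout ends the session
            seen.append(None)
            continue
        seen.append(process_request(environ, session, logout_when_header_absent))
    return seen


# Constructed sample traffic: the frontend authenticates only /admin/login/.
REQUESTS = [
    ("/admin/login/", {"REMOTE_USER": "alice"}),
    ("/admin/", {}),
    ("/admin/auth/user/", {}),
    ("/admin/logout/", {}),
    ("/admin/", {}),
    ("/admin/login/", {"REMOTE_USER": "bob"}),
    ("/admin/", {}),
]

if __name__ == "__main__":
    print("strict:  ", replay(REQUESTS, logout_when_header_absent=True))
    print("optional:", replay(REQUESTS, logout_when_header_absent=False))
```

With the optional policy the session becomes the only thing that carries the identity between requests, so session expiry and explicit logout are what bound how long the external authentication stays valid.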