Graham Dumpleton wrote:
> On Sep 19, 3:05 am, Robin Becker <[EMAIL PROTECTED]> wrote:
>> I find I can use django users and groups to authorize apache locations and
>> directories using a modified version of modpython.py (I just hacked it to
>> check for required groups).
>>
>> I have some difficulties with this simple scheme.
>>
>> First off it seems to be completely separate from the normal django
>> behaviour. Is there a way to get existing django tokens to be used? So if I
>> have already logged in or possess a django token can I use that token to
>> provide access to an apache controlled area?
>>
>> Secondly the apache validation examples all seem to use mod_python as the
>> transport between apache and django. We are tending to use fastcgi (via flup
>> and runfcgi) as it gives us greater flexibility; we can use an entirely
>> separate process for the python (perhaps even a different python). Is there
>> a way to use a fastcgi based validation?
>>
>> Finally, my boss wants to use a single auth database. I'm not sure that's
>> feasible, but it seems reasonable to have a central controlled database app
>> which only does user/groups. I think this is less desirable because of the
>> possibility of permission leakage. I can imagine exporting changes into some
>> other project's db so this doesn't seem impossible.
>
> Can you perhaps give some code examples of what your authn/authz code
> looks like now so I can see how you are using groups.
>
> The reason I am curious is that I am currently working on implementing
> a solution in mod_wsgi for better using Python to support Apache
> authentication and authorization. Also, the other way around,
> providing hooks so a Python application can use an Apache auth
> provider for the auth database. This way one can have one auth
> database across Python and non Python applications, plus static pages,
> hosted by Apache.
> .........

OK my code looks like the standard django/contrib/auth/modpython.py
the patch is

*************** *** 39,44 **** --- 38,54 ---- # check the password and any permission given if user.check_password(req.get_basic_auth_pw()): + G = [] #find required groups + S = filter(None,map(str.split,map(str.strip,req.requires()))) + map(G.extend,[filter(None,s[1:]) + for s in S if s[0].lower()=='group']) + for g in user.groups.all(): + if g.name in G: + G.remove(g.name) + + if G: #fail if required groups remain + return apache.HTTP_UNAUTHORIZED + if permission_name: if user.has_perm(permission_name): return apache.OK

we're using this kind of phrase in our 2.0 apache configs

AuthType basic
AuthName "djauth test"
Require valid-user
Require group rptlab
#AuthUserFile /home/rptlab/etc/passwd
#AuthGroupFile /home/rptlab/etc/groups
PythonInterpreter djauth
PythonAuthenHandler djauth.modpython

I'm guessing that AuthBasicProvider (in your examples) is new in Apache 2.2 and
makes things easier for this. In 2.0 there seems no way to provide another
authorizer without writing an apache module.
--
Robin Becker
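
Review bot: in the patch above, the loop that removes matched names from G, followed by `if G:` returning apache.HTTP_UNAUTHORIZED, only admits a user who belongs to every group named across the Require group lines, whereas Apache's own `Require group a b` admits a member of any one listed group, so a config written with the stock meaning in mind ends up stricter than intended. Suggest collecting the required names into a set and failing only when that set is non-empty and none of the names from user.groups.all() are in it. Separately, `G.remove(g.name)` drops a single occurrence, so a group named twice in req.requires() leaves an entry behind and a genuine member is still refused; a set removes that case as well. The `map(G.extend, ...)` call is used purely for its side effect and depends on map being evaluated eagerly, so a plain for loop over S would be clearer and safer.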