On Sep 19, 10:05 pm, Robin Becker <[EMAIL PROTECTED]> wrote:
> Graham Dumpleton wrote:
> > On Sep 19, 3:05 am, Robin Becker <[EMAIL PROTECTED]> wrote:
> >> I find I can use django users and groups to authorize apache locations and
> >> directories using a modified version of modpython.py (I just hacked it to check
> >> for required groups).
>
> >> I have some difficulties with this simple scheme.
>
> >> First off it seems to be completely separate from the normal django behaviour.
> >> Is there a way to get existing django tokens to be used? So if I have already
> >> logged in or possess a django token can I use that token to provide access to an
> >> apache controlled area?
>
> >> Secondly the apache validation examples all seem to use mod_python as the
> >> transport between apache and django. We are tending to use fastcgi (via flup and
> >> runfcgi) as it gives us greater flexibility; we can use an entirely separate
> >> process for the python (perhaps even a different python). Is there a way to use
> >> a fastcgi based validation?
>
> >> Finally, my boss wants to use a single auth database. I'm not sure that's
> >> feasible, but it seems reasonable to have a central controlled database app
> >> which only does user/groups. I think this is less desirable because of the
> >> possibility of permission leakage. I can imagine exporting changes into some
> >> other project's db so this doesn't seem impossible.
>
> > Can you perhaps give some code examples of what your authn/authz code
> > looks like now so I can see how you are using groups.
>
> > The reason I am curious is that I am currently working on implementing
> > a solution in mod_wsgi for better using Python to support Apache
> > authentication and authorization. Also, the other way around,
> > providing hooks so a Python application can use an Apache auth
> > provider for the auth database. This way one can have one auth
> > database across Python and non Python applications, plus static pages,
> > hosted by Apache.
>
> .........
>
> OK my code looks like the standard django/contrib/auth/modpython.py the patch is
>
> ***************
> *** 39,44 ****
> --- 38,54 ----
>
>            # check the password and any permission given
>            if user.check_password(req.get_basic_auth_pw()):
> +             G = []  #find required groups
> +             S = filter(None,map(str.split,map(str.strip,req.requires())))
> +             map(G.extend,[filter(None,s[1:])
> +                 for s in S if s[0].lower()=='group'])
> +             for g in user.groups.all():
> +                 if g.name in G:
> +                     G.remove(g.name)
> +
> +             if G:   #fail if required groups remain
> +                 return apache.HTTP_UNAUTHORIZED
> +
>                if permission_name:
>                    if user.has_perm(permission_name):
>                        return apache.OK
>
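Review bot: The `if G:` test in the added block denies access unless the user belongs to every group collected from the `Require group` lines, because each matched name is removed from G and any leftover name fails the request. Apache's own `Require group a b` is met by membership in any one of the listed groups, so a location that names several groups will be stricter here than its config suggests. If any-of is the intent, fail only when no `g.name` from `user.groups.all()` appears in G. Separately, `map(G.extend, [...])` is called purely for its side effect; a plain `for` loop over S reads more clearly and does not turn into a no-op where `map` is lazy.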
> we're using this kind of phrase in our 2.0 apache configs
>
> AuthType basic
> AuthName "djauth test"
> Require valid-user
> Require group rptlab
> #AuthUserFile /home/rptlab/etc/passwd
> #AuthGroupFile /home/rptlab/etc/groups
> PythonInterpreter djauth
> PythonAuthenHandler djauth.modpython
>
> I'm guessing that AuthBasicProvider (in your examples) is new in Apache 2.2 and
> makes things easier for this.

Correct.

> In 2.0 there seems no way to provide another
> authorizer without writing an apache module.

Correct.

I haven't looked at how Django stores the auth database, but one other
thing which would be interesting to try, is to see if one could just
go direct to the database Django uses using the mod_authn_dbd and
mod_authz_dbd Apache modules. For an example, see:

  http://httpd.apache.org/docs/trunk/mod/mod_authz_dbd.html

Anyway I'll have a look through the code you sent. Thanks.

Graham
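
The direct-to-database idea above, sketched for the group lookup only, as an added example that is not part of the original message nor code from Django or Apache. It assumes Django's default table names (auth_user, auth_group, auth_user_groups), uses a constructed in-memory SQLite database, and its helper names are hypothetical; password verification is not covered.

```python
import sqlite3

# Constructed sample data in a simplified subset of Django's default auth tables.
SCHEMA = """
CREATE TABLE auth_user (id INTEGER PRIMARY KEY, username TEXT UNIQUE);
CREATE TABLE auth_group (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
CREATE TABLE auth_user_groups (user_id INTEGER, group_id INTEGER);
INSERT INTO auth_user VALUES (1, 'alice'), (2, 'bob');
INSERT INTO auth_group VALUES (1, 'rptlab'), (2, 'staff');
INSERT INTO auth_user_groups VALUES (1, 1), (2, 2);
"""

# One bound parameter (the authenticated user), one group name per row.
# mod_authz_dbd's AuthzDBDQuery writes the parameter as %s; sqlite3 uses ?.
GROUP_QUERY = """
SELECT g.name FROM auth_group g
JOIN auth_user_groups ug ON ug.group_id = g.id
JOIN auth_user u ON u.id = ug.user_id
WHERE u.username = ?
"""

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def groups_for(conn, username):
    """Return the set of group names the user belongs to."""
    return {row[0] for row in conn.execute(GROUP_QUERY, (username,))}

def required_groups(requires):
    """Collect group names from Require arguments such as 'group rptlab staff'."""
    needed = set()
    for line in requires:
        words = line.split()
        if words and words[0].lower() == "group":
            needed.update(words[1:])
    return needed

def authorize(conn, username, requires):
    """Any-of check: allow when the user is in at least one required group."""
    needed = required_groups(requires)
    if not needed:
        return True  # no group restriction; other Require lines still apply
    return bool(needed & groups_for(conn, username))
```
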

