I have a site with static elements like images. I wanted to protect them (so that you cannot access them directly using a hotlink). For this purpose I used the part "Authentication with mod_wsgi" from the Django documentation:
Authentication with mod_wsgi
I don't like that fact that the user has to log in twice (one time Django auth and then Apache auth when there is an image on the page) but it's not the main issue (if you know how to handle this it would also be nice)
My main problem is that after I log out I still can access the protected image. I know that this is because the fact that Apache uses only Djangos check_password method but maybe there is a way to synchronise it?
You should take a look at Apache 'X-SENDFILE' header: https://tn123.org/mod_xsendfile/
It allow Django to check if your user can access it and if he the access is granted the static file is then served by Apache.
With this solution your user don't have to log twice and you can have any kind of control your want !
I wrote a blog post about it here with nginx, but it work the same way :)
Related
I have website django based, i need access control domain based like. I already established django own auth system and 2-auth system. I need for whole domain access control even for the static files.
If that possible only access code not username and password, and this need to be hard coded env or something like this.
Django version v4.0, Hosting Heroku
For file protection you can create the fast tiny view, which send files back.
url for this view you can wrap with permission_required
urlpatterns += [
path("media/", permission_required('users.can_download', login_url='/')(Download.as_view()), name="download"),
...
]
https://docs.djangoproject.com/en/4.0/topics/auth/default/#the-permission-required-decorator
Every moment you can revoke this permission from every user.
I have a Django project that will ultimately consist of three apps. Two of which will be "normal" Django apps, the third is a djangorestframework app. I also plan on creating a desktop client for the project at some point.
I want the rest app to be the only entity communicating with the database. Hence I use requests to communicate with the rest endpoints from the views of the "normal" Django apps and I will do the same for the desktop client. I want all apps to be accessible only for authenticated users, so I'm using Django's authentication backend.
My question is how to pass on the authenticated user/session from the pure Django apps to the rest endpoints when using requests in the views.
I managed to authenticate on the rest API using request's HTTPBasicAuth, but that requires me to have the user's password at hand in plain text. Sure, I could create a technical user to do these requests. But that would also mean that each and every request would need to go through authentication first and that doesn't feel like the best approach.
I have tried to extract the session cookie from the request object that is provided to the views and pass it on through requests.get, but did not manage to put it into the requests.get call the right way.
As of now, using requests and the established sessions looks like my best bet, especially since that will be the way the desktop client will do things, too. So I'm currently looking for the right way to provide requests.get with the session cookie, but I'm certainly open for better solutions.
You should use tokens.
Basically any kind of authentication out of your django project should be managed with secure tokens.
And yes, authentication check should happen everytime you send a request. To make it faster, you can store tokens in memory. (You can use redis or maybe even load your db on memory or ... ) but this is the right and common way to it. Even django does this check everytime using it's builtin functions.
DRF docs recommended some few packages to manage these tokens:
DRF: Third party packages
I used knox for many projects and it's pretty good.
Basically to authenticate your users over all of your projects or microservices, you have to take the token from user, set it as header or ... for your request to the main database or authentication project.
Most of the apps use token in headers which you can simply add to all of your requests calls:
Requests docs: Custom Headers
I am maintaining a web application built in python.
Access control for the app is handled at the Apache layer (using the Apache htpasswd file).
Right now, the app works the same no matter who is using it. The app doesn't even know who is logged in. But now I need to add a feature to the app that requires knowing who is logged in.
So the question is this: is there some way to access the Apache session information and see the user name of the user logged i non this session?
Of course I could completely redo the security model so that the app handles user login, but if there is any way to just access the Apache info, that will save me lots of work.
Thanks in advance!
If you are using Basic Auth, you can check the Authorization HTTP header:
>>> request.headers["Authorization"]
'Basic YWRtaW46aHVudGVyMg=='
>>> request.headers["Authorization"].partition(" ")[2].decode("base64")
'admin:hunter2'
Alternatively, you can check the REMOTE_USER environment variable (although this isn't guaranteed to be set in the same way tha the Authorization header will be):
>>> import os
>>> os.environ['REMOTE_USER']
'admin'
I'm using Django TastyPie for my API. I have a completely separate HTML application that my user views and will see basic read only info from the Django API. My question is what authentication method should I use in this situation. The HTML application is technically me not the user and they don't login. The app is not Django but pure javascript, hiding a key or anything else is pointless.
will see basic read only info from the Django API.
It sounds like you probably just want to make those bits of the API publicly available for read-only access, and then not use any authentication method.
As you say attempting to hide a key isn't a sensible way to go, and if there's no kind of user login then you can't really authenticate in any secure way.
I have got an Django application that uses the RemoteUserBackend in combination with Apache and mod_auth_kerb to authenticate against Kerberos.
However, this has some drawbacks:
There is no proper logout without closing the browser tab. You may click "Logout" in your Django application, but I would expect to be asked for my credentials when I try to log in again - the latter is not the case. (Side note: It is quite possible for my application that two users want to log in one after another, which increases the lack of comfort and may be problematic when one users performs actions with the other user's rights.)
The application is currently tailored to the Apache/RemoteUser solution, so it does provide no flexibility to switch over to other authentication methods, e.g. authentication against the Django database. The possibility to use alternative authentication methods would also ease the development of the application.
That said, I would like to use a form-based authentication (username/password). This would move the control for the authentication to Django, so login/logout should work properly then. Also, this form could be used as well with different authentication backends, without a need to modify the GUI.
How can this be done? Is there already a solution to this or a project that adresses my issue? Most implementations I saw like the ones in the answers here just use Apache or an LDAP authentication, but not Kerberos.
Related, but unanswered question: Django user logout with remote authentication
Sorry this is delayed. I am the author of the above recommended Kerberos + Django post (roguelynn.com).
For your first issue, take a look at kobo: https://fedorahosted.org/kobo/ - it uses Kerberos + RemoteUserBackend + Apache with Django, but implements a logout mechanism (in kobo/django/xmlrpc/auth.py: https://git.fedorahosted.org/cgit/kobo.git/tree/kobo/django/xmlrpc/auth.py).
http://www.roguelynn.com/words/django-custom-user-models/
That blog post explains quite nicely how to use Kerberos as a Django 1.5 backend authenticator. Hot off the presses as of May 15th. She's got a bunch of nice kerberos examples.
For posterity's sake just in case the blog goes away someday, the author stores her blog posts as static files in her github repo.
https://github.com/econchick/roguelynn/blob/master/_posts/