I am developing a Android application, use django1.6 in server side,
I want to POST some data to the server. But its shows error 403.
What I have to do to overcome the error(CSRF token missing or incorrect)?
Is it a good idea to remove csrf middleware
(removing django.middleware.csrf.CsrfViewMiddleware from setting file)?
If not, what is an alternate solution=
This problem is not django specific. If you search CSRF Restful you will find many questions and answers about this. for e.g. this one
At the basic level, I would say that CSRF is a mechanism to plug security issues affecting people who use browsers. As such, people who use mobile applications are not likely to be affected by this.
You should keep the CSRF layer for people who access your application from web browsers and create a different scheme to access your api from other types of clients.
Yep, it's good idea, 'cose you just don't need it for mobile backend,
but just removing
'django.middleware.csrf.CsrfViewMiddleware'
won't be enough, you need add you own middleware, that will disable CSRF.
Here solution http://www.soyoucode.com/2011/really-disable-csrf-django
Related
Can someone example to me how CSRF works in the cluster setup?
I have a kubernetes cluster hosting a django website, and I'm having some occasional issues with 403 errors. I have multiple instances of the site load balanced in kubernetes.
How does CSRF work when a POST is sent from 1 instance and handled by another?
Does CSRF site work if the docker images are updated during the time the form is being filled out?
Thanks!
Can someone example to me how CSRF works in the cluster setup?
Exactly the same way it usually ought not to (CSRF is Cross Site Request Forgery, i.e. the attack). To protect against it, you hand out secret tokens to your clients which they must include with subsequent requests. Your backend must validate that the tokens are valid, applicable and were, in fact, issued by a trusted source. There's a few ways to do that bit:
You can use MACs for that (in which case you have something pretty close to JSON WebTokens).
You can save your tokens to some trusted store and query that store on subsequent requests.
That is pretty much all there is to it.
Since your CSRF protection emerges from the combination of choices you made above, how to make it work in a distributed setup also depends on the specific implementation of the CSRF protection scheme.
Going by the Django docs, the default way to do it uses a 'secret' which is reset every time a user logs in. That means if hitting a different server for two subsequent requests triggers a new log in, all old CSRF tokens are effectively invalidated. So based on that:
You need to adapt your Django project to make sure different instances can resume working with the same session, and a re-login is not triggered
All your Django instances need to be able to access the same per log-in secret, so that any one of them can validate a CSRF token issued by any other.
You should disable CSRF for every instance, and manage the CSRF security from the API Gateway
I have a django project, in which i expose a few api endpoints (api endpoint = answers to get/post, returns json response, correct me if im wrong in my definition). Those endpoints are used by me on front end, like update counts or get updated content, or a myriad other things. I handle the representation logic on server side, in templates, and in some cases send a rendered to string template to the client.
So here are the questions im trying to answer:
Do i need to have some kind of authentication between the clients and the server?
Is django cross origin protection enough?
Where, in this picture, fit such packages like django-oauth-toolkit? And django-rest-framework?
if i don't add any authentication between clients and server, am i leaving my server open for attacks?
Furthermore, what goes for server-to-server connection? Both servers under my control.
I would strongly recommend using django-tastypie for server to client communication.
I have used it in numerous applications both server to server or server to client.
This allows you to apply the django security as well as some more logic regarding the authorization process.
It offers also out of the box:
throttling
serialization in json, xml, and other formats
authentication (basic, apikey, customized and other)
validation
authorization
pagination
caching
So, as an overall overview i would suggest on building on such a framework that would make your internal api more interoperable for future extensions and more secure.
To specifically now answer your question, i would never enable any server api without at least some basic authentication/authorization.
Hopefully i answer your questions on how you can deliver all of your above worries with a framework.
The django-rest-framework that you ask for, is also really advanced and easy to use, but i prefer tastypie for the reasons i explain.
I hope i helped a bit!
I have got an Django application that uses the RemoteUserBackend in combination with Apache and mod_auth_kerb to authenticate against Kerberos.
However, this has some drawbacks:
There is no proper logout without closing the browser tab. You may click "Logout" in your Django application, but I would expect to be asked for my credentials when I try to log in again - the latter is not the case. (Side note: It is quite possible for my application that two users want to log in one after another, which increases the lack of comfort and may be problematic when one users performs actions with the other user's rights.)
The application is currently tailored to the Apache/RemoteUser solution, so it does provide no flexibility to switch over to other authentication methods, e.g. authentication against the Django database. The possibility to use alternative authentication methods would also ease the development of the application.
That said, I would like to use a form-based authentication (username/password). This would move the control for the authentication to Django, so login/logout should work properly then. Also, this form could be used as well with different authentication backends, without a need to modify the GUI.
How can this be done? Is there already a solution to this or a project that adresses my issue? Most implementations I saw like the ones in the answers here just use Apache or an LDAP authentication, but not Kerberos.
Related, but unanswered question: Django user logout with remote authentication
Sorry this is delayed. I am the author of the above recommended Kerberos + Django post (roguelynn.com).
For your first issue, take a look at kobo: https://fedorahosted.org/kobo/ - it uses Kerberos + RemoteUserBackend + Apache with Django, but implements a logout mechanism (in kobo/django/xmlrpc/auth.py: https://git.fedorahosted.org/cgit/kobo.git/tree/kobo/django/xmlrpc/auth.py).
http://www.roguelynn.com/words/django-custom-user-models/
That blog post explains quite nicely how to use Kerberos as a Django 1.5 backend authenticator. Hot off the presses as of May 15th. She's got a bunch of nice kerberos examples.
For posterity's sake just in case the blog goes away someday, the author stores her blog posts as static files in her github repo.
https://github.com/econchick/roguelynn/blob/master/_posts/
I have an application that will use flask and mongodb; I will probably host it on rackspace.
I need to understand how flask authenticating works. I have not found much information on the subject. Is there a complete tutorial on how to roll your own solution? If not, I certainly would like to hear some thoughts on how you would approach it for a a flask app.
Big PS:
I just thought about it. I also need to open a real API. A part of that API will be used for AJAX on the front end. How do i secure that part of the app?
Can anyone explain API auth requests?
I would suggest using the flask-login extension, it makes session management really easy to add to your flask application, and provides a nice documentation which covers in details every aspect of the extension.
I don't think that flask has any authentication built-in, only support for tracking sessions.
Here are some snippets for basic HTTP authentication and authentication with some third-party providers. Otherwise you will need to roll your own or use a framework that has this baked in (like Django)
Here is a discussion thread on this topic with a useful link
Flask-Login doesn't, technically, do authentication - it does session management, leaving the (tricky to securely implement) authentication details to you. Something like Flask-Security actually implements both session management and authentication (also nice-to-haves like password recovery/reset and the like), at the cost of having to have explicit support for your database.
I'm installing an environment where I had two Zope/Plone servers:
plone1 -> for web content & user authentication
plone2 -> for web applications
I want to implement SSO around both servers but I don't know how to do it. I try to modify login_next and setAuthCookie(..) to share the __ac cookie in the domain, but didn't work.
Anyone know the best way to achieve it!
Thanks in advance,
Oscar Sánchez.
I haven't done this yet, but may need to do so. So this is what I've gathered so far.
CAS
Plone as CAS server and as CAS client.
PubCookie
See the Pubcookie documentation.
Here's a writeup of setting it up with Plone: Single Sign On with Pubcookie
More on pubcookie and plone: Setting up Apache, Plone, and Pubcookie -- but there are some crucial gaps. In this case, the authentication provider is something called UWNetID, but they don't talk about configuring that. In your case, that would be a Plone instance.
mod_auth_tkt
See the mod_auth_tkt documentation.
It works with plone.session.
If both sites are on the same domain (but different subdomain), you can try to set the cookie on ".domain.tld". But I'm not sure if that will work - sending the original credentials as cookies is highly insecure, a session should be used in stead, and you can't share this session between two different instances.
Have you considered something like openid, possibly with your own private OpenID provider? That basically implements simple SSO out of the box.