Can I use HTTP Basic Authentication with Django?

Time: 2021-11-22 23:32:28

We have a website running on Apache, access to which has a number of static pages protected via HTTP Basic authentication.

I've written a new part of the site with Django using Django's built-in support for user management.

The problem I have is that users have to log in once via the HTTP Basic authentication and then again using a Django login form. This is both clumsy and very confusing for users.

I was wondering if anyone had found a way to make Django log a user in using the HTTP Basic authentication information.

I'm not expecting to pass a password to Django, but rather if a user dave has been authenticated by Apache then they should be automatically logged into Django as dave too.

(One option would be to make Apache and Django share a user store to ensure common usernames and passwords but this would still involve two login prompts which is what I'm trying to avoid.)

6 solutions

#1


22  

This has been added to the Django 1.3 release. See more current documentation for this here: http://docs.djangoproject.com/en/dev/howto/auth-remote-user/

#2


31  

For just supporting basic auth on some requests (and not mucking with the web server -- which is how someone might interpret your question title), you will want to look here:

http://www.djangosnippets.org/snippets/243/

#3


10  

Do check out Oli's links. You basically see the authenticated username as verified by Basic HTTP Authentication in Django by looking at request.META['REMOTE_USER'].

Update: Tested the proposed patch for ticket #689, which is available up-to-date in telenieko's git repository here. It applies cleanly at least on revision 9084 of Django.

Activate the remote user authentication backend by

  • adding the RemoteUserAuthMiddleware after AuthenticationMiddleware
  • adding the setting AUTHENTICATION_BACKENDS = ('django.contrib.auth.backends.RemoteUserAuthBackend',)

If you use lighttpd and FastCGI like I do, activate mod_auth, create credentials for a test user (I called it testuser and set 123 as the password) and configure the Django site to require basic authentication.

The following urls.py can be used to test the setup:

from django.conf.urls.defaults import *
from django.http import HttpResponse
from django.contrib.auth.models import User
urlpatterns = patterns('',
    url(regex='^$',
        view=lambda request: HttpResponse(repr(request), 'text/plain')),

    url(regex='^user/$',
        view=lambda request: HttpResponse(repr(request.user), 'text/plain')),

    url(regex='^users/$',
        view=lambda request: HttpResponse(
            ','.join(u.username for u in User.objects.all()),
            'text/plain')),
)

After reloading lighty and the Django FCGI server, loading the root of the site now asks for authentication and accepts the testuser credentials, and then outputs a dump of the request object. In request.META these new properties should be present:

'AUTH_TYPE': 'Basic'
'HTTP_AUTHORIZATION': 'Basic dGVzdHVzZXI6MTIz'
'REMOTE_USER': 'testuser'

The /user/ URL can be used to check that you're indeed logged in as testuser:

<User: testuser>

And the /users/ URL now lists the automatically added testuser (here the admin user I had created when doing syncdb is also shown):

admin,testuser

If you don't want to patch Django, it's trivial to detach the RemoteUserAuthBackend and RemoteUserAuthMiddleware classes into a separate module and refer to that in the Django settings.

#4


3  

There is httpauth.py. I'm still a complete newb with Django so I've no idea how it fits in exactly, but it should do what you're looking for.

Edit: here's a longer bug thread on the subject.

#5


0  

Because Django can be run in several ways, and only modpython gives you close integration with Apache, I don't believe there is a way for Django to log you in based on Apache's basic auth. Authentication should really be done at the application level as it'll give you much more control and will be simpler. You really don't want the hassle of sharing userdata between Python and Apache.

If you don't mind using a patched version of Django then there is a patch at http://www.djangosnippets.org/snippets/56/ which will give you some middleware to support basic auth.

Basic auth is really quite simple - if the user isn't logged in you return a 401 authentication required status code. This prompts the browser to display a login box. The browser will then supply the username and password as base64 encoded strings. The Wikipedia entry http://en.wikipedia.org/wiki/Basic_access_authentication is pretty good.

If the patch doesn't do what you want then you could implement basic auth yourself quite quickly.
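
The exchange described in this answer (a 401 challenge, then a base64 `username:password` in the `Authorization` header), as an added example that is not part of the original answer or of Django. The function names, the realm and the user store are assumptions of this example; the sample header is the `HTTP_AUTHORIZATION` value from the request.META dump in answer #3, and decoding it back to `testuser:123` shows that base64 is an encoding, not protection, so the header needs TLS in transit.

```python
import base64
import hmac

REALM = "example"            # constructed realm name (assumption)
USERS = {"testuser": "123"}  # constructed store holding the page's test user


def challenge(realm=REALM):
    """Status and header sent when credentials are missing or wrong."""
    return "401 Unauthorized", [("WWW-Authenticate", 'Basic realm="%s"' % realm)]


def parse_basic(header):
    """Return (username, password) from an Authorization value, else None."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    # Split on the first colon only: a password may itself contain colons.
    username, sep, password = decoded.partition(":")
    if not sep or not username:
        return None
    return username, password


def check_password(username, password):
    """Constant-time comparison against the constructed store above."""
    expected = USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def authenticate(header):
    """Return (username, None) on success or (None, challenge()) otherwise."""
    creds = parse_basic(header)
    if creds is None or not check_password(*creds):
        return None, challenge()
    return creds[0], None


if __name__ == "__main__":
    # Header value taken from the request.META dump quoted on this page.
    print(authenticate("Basic dGVzdHVzZXI6MTIz"))
    print(authenticate("Basic dGVzdHVzZXI6d3Jvbmc="))
```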

#6


0  

This seems to be a task for custom AuthenticationBackend - see Django documentation on this subject, djangosnippets.org has some real-life examples of such code (see 1 or 2) (and this is not really a hard thing).

AuthenticationBackend subclasses have to have only 2 methods defined and their code is pretty straightforward: one has to return a User object for a user ID, the second has to perform a credentials check and return a User object if the credentials are valid.
