Can I use HTTP Basic Authentication with Django?

 

We have a website running on Apache, access to which has a number of static pages protected via HTTP Basic authentication.

I've written a new part of the site with Django using Django's built in support for user management.

The problem I have is that users have to log in once via the HTTP Basic authentication and then again using a Django login form. This both clumsy and very confusing for users.

I was wondering if anyone had found a way to make Django log a user in using the HTTP Basic authentication information.

I not expecting to pass a password to Django, but rather if a user dave has been authenticated by Apache then they should be automatically logged into Django as dave too.

(One option would be to make Apache and Django share a user store to ensure common usernames and passwords but this would still involve two login prompts which is what I'm trying to avoid.)

This has been added to the Django 1.3 release. See more current documentation for this here: http://docs.djangoproject.com/en/dev/howto/auth-remote-user/

For just supporting basic auth on some requests (and not mucking with the web server -- which is how someone might interpret your question title), you will want to look here:

http://www.djangosnippets.org/snippets/243/

Do check out Oli's links. You basically see the authenticated username as verified by Basic HTTP Authentication in Django by looking at request.META['REMOTE_USER'].

Update: Tested the proposed patch for ticket #689, which is available up-to-date in telenieko's git repository here. It applies cleanly at least on revision 9084 of Django.

Activate the remote user authentication backend by

  • adding the RemoteUserAuthMiddleware after AuthenticationMiddleware
  • adding the setting AUTHENTICATION_BACKENDS = ('django.contrib.auth.backends.RemoteUserAuthBackend',)

    • If you use lighttpd and FastCGI like I do, activate mod_auth, create credentials for a test user (I called it testuser and set 123 as the password) and configure the Django site to require basic authentication.

    The following urls.py can be used to test the setup: 

    from django.conf.urls.defaults import *
from django.http import HttpResponse
from django.contrib.auth.models import User
urlpatterns = patterns('',
    url(regex='^$',
        view=lambda request: HttpResponse(repr(request), 'text/plain')),

    url(regex='^user/$',
        view=lambda request: HttpResponse(repr(request.user), 'text/plain')),

    url(regex='^users/$',
        view=lambda request: HttpResponse(
            ','.join(u.username for u in User.objects.all()),
            'text/plain')),
)

    After reloading lighty and the Django FCGI server, loading the root of the site now asks for authentication and accepts the testuser credentials, and then outputs a dump of the request object. In request.META these new properties should be present: 

    'AUTH_TYPE': 'Basic'
'HTTP_AUTHORIZATION': 'Basic dGVzdHVzZXI6MTIz'
'REMOTE_USER': 'testuser'

    The /user/ URL can be used to check that you're indeed logged in as testuser : 

    <User: testuser>

    And the /users/ URL now lists the automatically added testuser (here the admin user I had created when doing syncdb is also shown): 

    admin,testuser

    If you don't want to patch Django, it's trivial to detach the RemoteUserAuthBackend and RemoteUserAuthMiddleware classes into a separate module and refer to that in the Django settings.

    链接地址: http://www.djcxy.com/p/33740.html

    上一篇: 在使用Django授权LDAP后端时允许更大的字段大小和截断

    下一篇: 我可以在Django中使用HTTP基本认证吗?