Authentication using Django’s sessions db from Apache - django

I have a Django application which I now want to integrate with Kibana. So when authenticated users click on a link, they will be directed to Kibana. But this option should not be available to anonymous users.
My stack is Psql + Django + mod_wsgi + Apache. The solution I came up with was restricting access to Kibana via Apache, and authenticating users in Django before giving them access. This HowTo on the Django website says how you can authenticate against Django from Apache, but that one uses Basic authentication. When I use this approach, even users who already have an active session in my Django app will be asked to enter their username/password in a browser dialog!
I was hoping the authentication to happen using the current Django active sessions. I believe for that I need to use AuthType form and mod_session, instead of AuthType Basic, but it seems mod_wsgi does not support mod_session yet (as discussed here). I checked other WSGI alternatives as well (gunicorn and uWSGI), but couldn't find anything.
So my question is: how can I authenticate against the Django session db? Is using mod_session + AuthType form correct? And if so, what's the best way to achieve this?
Thanks a lot
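One way to do the check the question asks for is a mod_wsgi access hook (WSGIAccessScript) that reads the Django session cookie from the request and admits the request only if that session belongs to a logged-in user. This is an added example, not code from the question, from mod_wsgi or from Django. It assumes mod_wsgi passes the request's CGI environ (including HTTP_COOKIE) to allow_access, that the script runs with the Django project importable and DJANGO_SETTINGS_MODULE set, and the hypothetical settings module name myproject.settings. The decision logic is framework-free so it can be exercised without Django; only django_session_loader and allow_access touch Django.

```python
# Added example: mod_wsgi access hook that admits a request only if it carries
# a valid Django session with a logged-in user. Assumed: WSGIAccessScript is set
# on the Kibana <Location>, and "myproject.settings" is the project's settings.
import os
from http.cookies import SimpleCookie

os.environ.setdefault("DJANGO_SETTINGS_MODULE", "myproject.settings")  # assumed name

AUTH_USER_ID_KEY = "_auth_user_id"   # key django.contrib.auth stores in the session


def session_key_from_cookie(cookie_header, cookie_name="sessionid"):
    """Extract Django's session key from a raw Cookie header, or None."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except Exception:            # malformed header: treat as "no session"
        return None
    morsel = jar.get(cookie_name)
    return morsel.value if morsel else None


def authenticated_user_id(cookie_header, load_session, cookie_name="sessionid"):
    """Return the user id stored in the session named by the cookie, or None when
    there is no cookie, the session is unknown/expired, or nobody is logged in.
    load_session(key) -> dict of session data or None (pluggable for testing)."""
    key = session_key_from_cookie(cookie_header, cookie_name)
    if not key:
        return None
    data = load_session(key)
    if not data:
        return None
    return data.get(AUTH_USER_ID_KEY)


def _ensure_django():
    # Auth/access scripts run outside the WSGI application, so set Django up once.
    import django
    from django.apps import apps
    if not apps.ready:
        django.setup()


def django_session_loader(key):
    """Loader backed by the project's configured SESSION_ENGINE (Django only).
    load() returns {} for unknown or expired keys, which callers treat as no session."""
    from importlib import import_module
    from django.conf import settings
    _ensure_django()
    engine = import_module(settings.SESSION_ENGINE)
    return engine.SessionStore(session_key=key).load()


def allow_access(environ, host):
    """mod_wsgi WSGIAccessScript entry point: False makes Apache answer 403."""
    from django.conf import settings
    _ensure_django()
    cookie = environ.get("HTTP_COOKIE")
    return authenticated_user_id(cookie, django_session_loader,
                                 settings.SESSION_COOKIE_NAME) is not None
```

Wire it up (assumed Apache layout) with a Location for Kibana that carries WSGIAccessScript /srv/app/session_access.py next to the ProxyPass, and bind Kibana to 127.0.0.1 so Apache is the only way in. Note what the hook establishes: the browser holds a session in which some Django user is logged in. It does not check which user or any permission; if only some users may reach Kibana, extend authenticated_user_id's caller to look the user up and test the permission before returning True.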

Related

Using a django app as a central authentication system to other django apps

(I am relatively new to Django, so sorry if I was misunderstanding anything ^^")
So let's say I have app1 and app2, and I want to implement the same groups, roles and permissions across these two apps by only having one database.
My idea was to create a central back-end server that the two apps authenticate through and grab their roles from. Essentially this can be used for SSO (single sign-on) later, but for now the target is to authenticate the user logging in through one app and get his roles and groups from there.
In Django documentation I found "Authentication using REMOTE_USER":
which should allow me to do remote authentication (which is my target). I was able to make it run, but how am I supposed to give it the link to the Django authentication server?
My understanding is that after setting up this remote user authentication, all groups, roles and permission checks don't need to be changed, since Django should have access to the remote server that it authenticates through.
I hope that I wasn't misunderstanding "Authentication using REMOTE_USER" concept.
Also, if there are any other ideas on how to implement this, please let me know.
Thank you !
Sounds like REMOTE_USER is NOT what you're expecting it to be: when Django is configured to use this functionality, it foregoes Django's typical security, because it expects a web server situated in front of Django (e.g. APACHE or NGINX) to do user authorization on its behalf. In a nutshell, the web server passes along the user's id in every request it sends to Django in the REMOTE_USER header.
Your expectations, on the other hand, seem directed at configuring a common Django app to authorize and authenticate users for other apps. This is a common configuration, and is effected by several steps, including these three:
(1) Adding to the common app's settings.py the other apps in the INSTALLED_APPS list. For example:
    INSTALLED_APPS = [
        ...
        'app1',
        'app2',
    ]
(2) Include the apps' URLconfs in the common app's urls.py, for example:
    from django.urls import include, path
    path('app1/', include('app1.urls')),
    path('app2/', include('app2.urls')),
(3) Run python manage.py migrate in order to create the database tables for two apps.
You'll probably have to fuss with your urls in the common app more than what I've sketched out above; and you might add a middleware to prevent unauthorized requests from getting any access until authenticated.

Django - django-registration with LDAP

I'm currently using Django with the django-registration package.
This one gives my users the ability to sign in, among other things.
Now I'd like to be able to use an LDAP authentication backend like django-auth-ldap
Will my users still be able to register online?
Can someone point me in the right direction to properly configure the LDAP backend?
(tutorial or doc links)
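An added settings fragment for the configuration part of the question (this is not code from the question or from django-auth-ldap's documentation; the AUTH_LDAP_* names are the package's documented settings, the server name and DN layout are assumed). The point that matters for the registration question is the backend list: Django tries AUTHENTICATION_BACKENDS in order, so keeping ModelBackend after LDAPBackend means accounts created through django-registration, which live in the local User table with local passwords, keep working while directory users log in with their LDAP password.

```python
# settings.py fragment (added example). Assumes python-ldap and django-auth-ldap are
# installed, an LDAP server at ldap.example.com, and users under ou=people.

AUTHENTICATION_BACKENDS = [
    # LDAP first: directory accounts authenticate with their directory password.
    "django_auth_ldap.backend.LDAPBackend",
    # Keep the default backend so locally registered accounts still log in.
    "django.contrib.auth.backends.ModelBackend",
]

# LDAPS so credentials never cross the network in clear; alternatively use
# ldap:// with AUTH_LDAP_START_TLS = True. Assumed hostname.
AUTH_LDAP_SERVER_URI = "ldaps://ldap.example.com"

# Direct bind as the user; no service account is needed when DNs are predictable.
AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,ou=people,dc=example,dc=com"

# Fill the local User row from directory attributes on each login.
AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail",
}
AUTH_LDAP_ALWAYS_UPDATE_USER = True

# Log the backend's decisions while getting the DN template and server right.
LOGGING = {
    "version": 1,
    "disable_existing_loggers": False,
    "handlers": {"console": {"class": "logging.StreamHandler"}},
    "loggers": {"django_auth_ldap": {"level": "DEBUG", "handlers": ["console"]}},
}
```

With this arrangement a user who registered locally and later gets a directory account ends up with one User row matched by username, so decide up front which source owns a given username to avoid two people sharing one account.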

Need one login for two different sites

I am tasked to create a web site using Django. It will be a 'sister' site to an existing Plone site. The same Apache instance will be the front end to the sites which allows me to use the same domain name.
However, the owners want the users to be able to log into one and still be logged into the other one.
How can this be accomplished?
Thanks! :)
Gut reaction is to use OAuth - see How to build a secure Django single signon between different sites?
Alternatively, have you tried this single sign-on app - http://code.google.com/p/django-sso/ ?
Also have a look on Django's documentation on how to implement your own authorization backend at http://docs.djangoproject.com/en/dev/topics/auth/#writing-an-authentication-backend
My gut reaction is to use LDAP. Plone's LDAP support is a little rough, but it works. Does Django have equivalent or better LDAP support? If so, then I think you are off and running…
You can move authentication to SQLPASPlugin and use the same table for Django and Plone.
There are two problems here, shared logins, and single sign on. LDAP or SQL based logins will give you the first, but you'll still have to enter your password in both sites. You need single sign on to remain logged in across both.
plone.session 3.0 (part of Plone 4, but compatible with Plone 3.3 if you also add hashlib to your buildout) is compatible with Apache mod_auth_tkt single sign on. It should be simple enough to configure Django to use Apache authentication, or if you're not running Apache, wrap plone.session's tktauth.py in a simple wsgi wrapper. Use the Plone site's require_login script as the TKTAuthLoginURL.
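To make the mod_auth_tkt route concrete, here is an added example of the ticket format the answer relies on, written from scratch for this page (it is not plone.session's tktauth.py and not mod_auth_tkt's code). It follows the mod_auth_tkt layout as I understand it: a 32-hex-digit digest, an 8-hex-digit timestamp, the user id, optional comma-separated tokens and free-form data separated by "!", where the digest is md5(md5(packed_ip + packed_timestamp + secret + user + "\0" + tokens + "\0" + data).hexdigest() + secret). Interoperability with a real deployment should be confirmed against the module itself; the value of the example is to show what a Django side has to verify (digest, freshness) before trusting a cookie minted by the Plone side, and that the shared secret is the whole basis of the trust.

```python
# Added example: mint and verify mod_auth_tkt-style SSO tickets shared between two
# sites. Assumed: both sites hold the same secret and the cookie is scoped to the
# common domain; ip "0.0.0.0" corresponds to the "ignore client IP" mode.
import hashlib
import hmac
import socket
import struct
import time


def _ip_timestamp(ip, timestamp):
    # 4-byte packed IPv4 address followed by the 32-bit big-endian timestamp
    return socket.inet_aton(ip) + struct.pack("!I", timestamp)


def _digest(secret, data1, data2):
    # Double MD5 as used by mod_auth_tkt: md5(hex(md5(data1 + secret + data2)) + secret)
    inner = hashlib.md5(data1 + secret + data2).hexdigest()
    return hashlib.md5(inner.encode("ascii") + secret).hexdigest()


def create_ticket(secret, userid, tokens=(), user_data="", ip="0.0.0.0", timestamp=None):
    """Build <32 hex digest><8 hex timestamp><userid>![<tokens>!]<user_data>."""
    if timestamp is None:
        timestamp = int(time.time())
    token_str = ",".join(tokens)
    data2 = "\0".join((userid, token_str, user_data)).encode("utf-8")
    digest = _digest(secret, _ip_timestamp(ip, timestamp), data2)
    ticket = "%s%08x%s!" % (digest, timestamp, userid)
    if token_str:
        ticket += token_str + "!"
    return ticket + user_data


def split_ticket(ticket):
    """Parse into (digest, timestamp, userid, tokens, user_data); ValueError if malformed."""
    if len(ticket) < 41:
        raise ValueError("ticket too short")
    digest = ticket[:32]
    timestamp = int(ticket[32:40], 16)       # ValueError on non-hex input
    parts = ticket[40:].split("!")
    if len(parts) == 2:
        userid, user_data = parts
        tokens = ()
    elif len(parts) == 3:
        userid, token_str, user_data = parts
        tokens = tuple(token_str.split(","))
    else:
        raise ValueError("unexpected number of fields")
    return digest, timestamp, userid, tokens, user_data


def validate_ticket(secret, ticket, timeout=3600, ip="0.0.0.0", now=None):
    """Return (userid, tokens, user_data) if the ticket is authentic and fresh, else None."""
    now = int(time.time()) if now is None else now
    try:
        digest, timestamp, userid, tokens, user_data = split_ticket(ticket)
    except ValueError:
        return None
    data2 = "\0".join((userid, ",".join(tokens), user_data)).encode("utf-8")
    expected = _digest(secret, _ip_timestamp(ip, timestamp), data2)
    if not hmac.compare_digest(expected, digest):   # constant-time comparison
        return None
    if timeout and timestamp + timeout < now:        # reject stale tickets
        return None
    return userid, tokens, user_data
```

On the Django side the verification would live in an authentication middleware or backend that reads the ticket cookie, calls validate_ticket with the shared secret and the same timeout the Plone side uses, and only then looks up or creates the matching User. Keep the secret out of settings committed to version control, and remember that the scheme is MD5-based with no per-ticket nonce, so short timeouts matter.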

Django Admin - Re-authentication?

I'm in a bit of a dilemma at the moment regarding Django's admin backend. The default authentication system allows already logged-in users that have staff privileges to access the admin site, however it just lets them straight in.
This doesn't feel “right” to me, and I'm wondering if it would be difficult to at least require a re-authentication of that same session in order to get into the backend.
Preferably though, it'd be good if the frontend sessions could be separated from the backend ones (though still using the same user objects), this would allow a clean separation of both parts of the site. Would this perhaps require two separate authentication backends? Would something like this be difficult to achieve?
Here's an idea: run the admin app on a different domain to the frontend. The cookies won't be valid in the other domain, so the user will have to log in again. All you'd need would be a separate Apache vhost and a basic settings.py that just has contrib.admin in INSTALLED_APPS.
You could probably implement a middleware that asks for authentication when accessing the admin site from a referer not in the admin site. It could log the person out and make them log back in, but even that wouldn't be necessary. Just require another password entry, and redirect them if it fails. It might involve setting a session variable, is_admin_authenticated or something.
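The middleware idea in the answer above, and the earlier suggestion (in the REMOTE_USER thread) of a middleware that denies access until the user has logged in, can be combined in one piece of code: deny anonymous requests outside a few exempt paths, and require a recent password confirmation before anything under /admin/ is served. This is an added example, not the answer's code and not part of Django. The decision rule is plain Python so it can be unit tested; the thin Django wrapper assumes the project's login URL is /accounts/login/, a hypothetical /admin/reauth/ view that checks the password with django.contrib.auth.authenticate and then calls mark_reauthenticated, and that the middleware is listed after SessionMiddleware and AuthenticationMiddleware.

```python
# Added example: login-required everywhere plus step-up re-authentication for the
# admin. Assumed URLs: LOGIN_URL and a hypothetical ADMIN_REAUTH_URL view.
import time

LOGIN_URL = "/accounts/login/"          # assumed
ADMIN_REAUTH_URL = "/admin/reauth/"     # hypothetical password-confirmation view
ADMIN_PREFIX = "/admin/"
REAUTH_SESSION_KEY = "admin_authenticated_at"   # timestamp, not just a boolean
REAUTH_MAX_AGE = 15 * 60                        # seconds a confirmation stays valid


class AccessPolicy:
    """Pure-Python decision: what must happen before this request is served."""
    ALLOW, LOGIN, REAUTH = "allow", "login", "reauth"

    def __init__(self, exempt_prefixes=(LOGIN_URL, ADMIN_REAUTH_URL, "/static/")):
        self.exempt_prefixes = tuple(exempt_prefixes)

    def decide(self, path, is_authenticated, session, now=None):
        now = time.time() if now is None else now
        if any(path.startswith(p) for p in self.exempt_prefixes):
            return self.ALLOW
        if not is_authenticated:
            return self.LOGIN
        if path.startswith(ADMIN_PREFIX):
            stamp = session.get(REAUTH_SESSION_KEY)
            # Missing or stale confirmation: the session alone is not enough for admin.
            if stamp is None or now - stamp > REAUTH_MAX_AGE:
                return self.REAUTH
        return self.ALLOW


def mark_reauthenticated(session, now=None):
    """Called by the re-auth view after the password check succeeds."""
    session[REAUTH_SESSION_KEY] = time.time() if now is None else now


class AdminReauthMiddleware:
    """Django middleware wrapper around AccessPolicy (Django only)."""

    def __init__(self, get_response):
        self.get_response = get_response
        self.policy = AccessPolicy()

    def __call__(self, request):
        from urllib.parse import urlencode
        from django.http import HttpResponseRedirect

        verdict = self.policy.decide(request.path, request.user.is_authenticated,
                                     request.session)
        if verdict == AccessPolicy.LOGIN:
            target = LOGIN_URL
        elif verdict == AccessPolicy.REAUTH:
            target = ADMIN_REAUTH_URL
        else:
            return self.get_response(request)
        return HttpResponseRedirect(target + "?" + urlencode({"next": request.get_full_path()}))
```

Storing a timestamp rather than a flag is what makes the confirmation expire; clearing REAUTH_SESSION_KEY on logout happens for free because Django flushes the session. If the front end and admin should not share sessions at all, the separate-domain approach from the first answer is the cleaner cut, since cookies are scoped per host.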

Django File Access Security

I want to restrict access to all but a few selected files per a user, but if I type: /media/userdocuments/FILENAME django happily spits back the file for even users who aren't logged in. How can I integrate the permission framework to work around this?
Thanks!
EDIT: I realize that the django development server is insecure, so I guess the question is: How would I do that in a production environment with apache, lighttp, etc.
Use RewriteMap along with a script that connects to Django and verifies permissions, rewriting to a "disallowed" URL on auth failure.
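A different way to reach the same goal as the RewriteMap answer, added here as an example (not the answer's approach and not Django's own code): stop Apache from serving /media/userdocuments/ at all, and serve files through a Django view that checks the user's permission and then hands the real path back to Apache's mod_xsendfile via the X-Sendfile header, so Django never streams the bytes itself. The Document model, DOCUMENT_ROOT and the owner-or-staff rule are assumptions; the path check is kept separate so it can be tested without Django.

```python
# Added example: permission-checked file delivery with X-Sendfile. Assumed: a
# hypothetical Document model (filename, owner -> User), Apache with mod_xsendfile
# ("XSendFile On" and "XSendFilePath /srv/media/userdocuments"), and no Alias for
# the directory so Apache never serves it directly.
import mimetypes
import os

DOCUMENT_ROOT = "/srv/media/userdocuments"   # assumed; keep it outside the web root


def resolve_document_path(root, filename):
    """Map a user-supplied filename onto a real path below root; None if it escapes root."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, filename))
    try:
        inside = os.path.commonpath([root_real, candidate]) == root_real
    except ValueError:               # different drives on Windows
        inside = False
    if not inside or candidate == root_real:
        return None
    return candidate


def user_may_read(user, filename, owner_of):
    """Authorization rule: the file's owner or a staff member. owner_of(filename) -> username or None."""
    if not getattr(user, "is_authenticated", False):
        return False
    if getattr(user, "is_staff", False):
        return True
    owner = owner_of(filename)
    return owner is not None and owner == user.get_username()


def serve_document(request, filename):
    """Django view for /documents/<path:filename> (Django only)."""
    from django.http import Http404, HttpResponse, HttpResponseForbidden
    from myapp.models import Document   # hypothetical model

    def owner_of(name):
        return (Document.objects.filter(filename=name)
                .values_list("owner__username", flat=True).first())

    if not user_may_read(request.user, filename, owner_of):
        return HttpResponseForbidden("not allowed")
    path = resolve_document_path(DOCUMENT_ROOT, filename)
    if path is None or not os.path.isfile(path):
        raise Http404
    content_type = mimetypes.guess_type(path)[0] or "application/octet-stream"
    response = HttpResponse(content_type=content_type)
    response["X-Sendfile"] = path            # Apache streams the file after this returns
    response["Content-Disposition"] = 'attachment; filename="%s"' % os.path.basename(path)
    return response
```

The authorization check runs before the path is even resolved, so an unauthenticated request learns nothing about which filenames exist. nginx offers the same hand-off with an internal location and the X-Accel-Redirect header; lighttpd has X-Sendfile as well. The development server has no equivalent, which is why the media URL looked wide open there.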