#689: [patch] middleware to allow apache to provide authentication instead of
django
-----------------------------+----------------------------------------------
Reporter: [EMAIL PROTECTED] | Owner: adrian
Type: enhancement | Status: closed
Priority: low | Milestone:
Component: Core framework | Version:
Severity: normal | Resolution: duplicate
Keywords: |
-----------------------------+----------------------------------------------
Comment (by Pawel J. Sawicki (http://pjs.name)):
If I may add - IMHO this particular enhancement cannot be obtained using
the new authentication model. The middleware approach is IMO the only way
to get this right.
The basic assumption of the http auth is that you log into the system
only once - using the web browser capabilities. Afterwards you should be
automatically logged into the system (or at least verified if you can
log in).
The new model (http://www.djangoproject.com/documentation/authentication/)
is (as far as I know) only able to verify the credentials after they are
provided to a login method - at least I couldn't obtain anything more. So,
in my situation, even though I've been logged in "through http" I also had
to provide my username and password in the login form.
Moreover - even if I always returned User.objects.get(id=1) inside
authenticate() I had to press submit button or the framework left me
unauthorized.
As for the "lack of logout" - I think I've managed to deal with that by
{{{
from django.http import HttpResponse


class HttpAuthMiddleware(object):
    def process_request(self, request):
        if request.path == '/accounts/logout/':
            # Answer the logout URL with a fresh Basic challenge so the
            # browser stops treating its cached credentials as accepted.
            httpResponse = HttpResponse()
            httpResponse.status_code = 401
            httpResponse.headers['WWW-Authenticate'] = 'Basic realm="<same realm as in the http server>"'
            return httpResponse
        else:
            # check for http headers - maybe the user is already logged in using http auth
            ...
}}}
Yes, I know - there's a lot of hardcoding, but it works. So, in a sense,
the arguments presented in
http://www.djangoproject.com/weblog/2005/oct/24/http/ are no longer valid
- you *can* log out a user, even if she or he is logged in using http auth
(inspired by comment made by "Aaron").
...or maybe the docs need some more examples :)
--
Ticket URL: <http://code.djangoproject.com/ticket/689>
Django <http://code.djangoproject.org/>
The web framework for perfectionists with deadlines.
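
A framework-free sketch of the flow the comment above describes (challenge on the logout path, otherwise accept the identity the web server already verified), added here as an example and not code from the ticket or from Django. `REALM`, `SESSION_KEY` and the function names are assumptions; it reads only `REMOTE_USER`, because `HTTP_*` keys are built from headers the client sends.

```python
# Added example: models request.META / the WSGI environ and the session as
# plain dicts so the decision logic can be run without Django installed.
REALM = "example-realm"            # constructed; must match the web server's realm
LOGOUT_PATH = "/accounts/logout/"  # path used in the ticket comment
SESSION_KEY = "auth_user"          # hypothetical session key


def trusted_remote_user(environ):
    """Return the user the web server authenticated, or None.

    Only REMOTE_USER is read. HTTP_* keys are derived from request headers,
    so HTTP_REMOTE_USER or HTTP_X_REMOTE_USER are client-controlled and
    must never be treated as proof of identity.
    """
    user = environ.get("REMOTE_USER") or ""
    return user.strip() or None


def process_request(environ, session):
    """Return (response, user); response is None when the request passes through.

    A response is a (status, headers) tuple. The session dict is mutated.
    """
    if environ.get("PATH_INFO") == LOGOUT_PATH:
        # Drop the application session and challenge again so the browser
        # stops replaying its cached Basic credentials for this realm.
        session.pop(SESSION_KEY, None)
        challenge = {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
        return (401, challenge), None

    user = trusted_remote_user(environ)
    if user is None:
        # The server vouches for nobody: do not keep a stale session alive.
        session.pop(SESSION_KEY, None)
        return None, None

    if session.get(SESSION_KEY) != user:
        # New or changed identity: start from a clean session for that user.
        session.clear()
        session[SESSION_KEY] = user
    return None, user
```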