#25030: The /admin/login/ should observe external authentication even when it appears in POST
-------------------------------+--------------------
     Reporter:  adelton        |      Owner:  nobody
         Type:  Uncategorized  |     Status:  new
    Component:  contrib.admin  |    Version:  master
     Severity:  Normal         |   Keywords:
 Triage Stage:  Unreviewed     |  Has patch:  0
Easy pickings:  0              |      UI/UX:  0
-------------------------------+--------------------

Apache module mod_intercept_form_submit (http://www.adelton.com/apache/mod_intercept_form_submit/) allows PAM authentication to be run by Apache when the application's native logon form is submitted. The module attempts the PAM authentication and sets {{{r->user}}} / REMOTE_USER accordingly. The use case is described in more detail at http://www.freeipa.org/page/Web_App_Authentication#Login_form_using_FreeIPA and http://www.freeipa.org/page/Web_App_Authentication/Example_setup#External_identities_for_login_form.
However, Django's /admin/login/ implementation has the check

{{{
if request.method == 'GET' and self.has_permission(request):
}}}

in its {{{login}}} method. So even if I have Apache configured with

{{{
LoadModule authnz_pam_module modules/mod_authnz_pam.so
LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so

<Location /admin/login/>
  InterceptFormPAMService django-admin
  InterceptFormLogin username
  InterceptFormPassword password
</Location>
}}}

and in access_log I see the admin user authenticated by the module, since it happened during a POST request, /admin/login/ ignores the fact that {{{self.has_permission(request)}}} returns true and prints the error message "Please enter the correct username and password for a staff account. Note that both fields may be case-sensitive."

However, the session based on REMOTE_USER has actually been created, so if you just repeat the same request (http://www.example.com/admin/login/?next=/admin/) with GET by hitting Ctrl+L and Enter, you will get to /admin/ without issues.

--
Ticket URL: <https://code.djangoproject.com/ticket/25030>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
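The following is an added, stand-alone illustration of the control flow the ticket describes; it is not code from the ticket, from Django, or from mod_intercept_form_submit. It replays the reporter's scenario in plain Python: Apache has already authenticated the staff user via PAM and set REMOTE_USER, the request then reaches an admin login view. One view keeps the GET-only check quoted above and falls through to the native form (which fails, because the externally authenticated account has no local password in this constructed setup); the other honours the permission check on any method, as the ticket title asks. The names {{{Request}}}, {{{remote_user_middleware}}}, {{{has_permission}}}, {{{native_form_auth}}}, {{{safe_next}}}, the two {{{admin_login_*}}} views and the {{{STAFF_USERS}}} / {{{LOCAL_PASSWORDS}}} tables are hypothetical stand-ins for the real Django objects. It goes slightly beyond the ticket by validating the {{{?next=}}} target before redirecting, so that honouring a login on POST cannot be turned into an open redirect.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed stand-ins: one staff account exists in Django, but it has no
# local password because Apache/PAM is the one verifying credentials.
STAFF_USERS = {"admin"}
LOCAL_PASSWORDS = {}  # constructed: no native credentials stored for "admin"

FORM_ERROR = ("Please enter the correct username and password for a staff "
              "account. Note that both fields may be case-sensitive.")


@dataclass
class Request:
    """Minimal request object (hypothetical stand-in for HttpRequest)."""
    method: str
    meta: dict = field(default_factory=dict)   # server variables, e.g. REMOTE_USER
    post: dict = field(default_factory=dict)   # submitted form fields
    get: dict = field(default_factory=dict)    # query string, e.g. ?next=
    user: Optional[str] = None                 # filled in by the middleware below


def remote_user_middleware(request: Request) -> Request:
    """Stand-in for REMOTE_USER handling: trust the identity the web server set."""
    remote_user = request.meta.get("REMOTE_USER")
    if remote_user in STAFF_USERS:
        request.user = remote_user
    return request


def has_permission(request: Request) -> bool:
    """Stand-in for AdminSite.has_permission: an authenticated staff user."""
    return request.user is not None and request.user in STAFF_USERS


def native_form_auth(post: dict) -> bool:
    """Stand-in for the admin login form checking username/password locally."""
    username, password = post.get("username"), post.get("password")
    return username in STAFF_USERS and LOCAL_PASSWORDS.get(username) == password


def safe_next(request: Request, default: str = "/admin/") -> str:
    """Only honour ?next= when it is a same-site, path-only target."""
    target = request.get.get("next", "")
    parts = urlsplit(target)
    if (target.startswith("/") and not target.startswith("//")
            and "\\" not in target and not parts.scheme and not parts.netloc):
        return target
    return default


def admin_login_as_reported(request: Request) -> Tuple[str, Optional[str]]:
    """The check quoted in the ticket: external auth is honoured only on GET."""
    if request.method == "GET" and has_permission(request):
        return ("redirect", safe_next(request))
    if request.method == "POST":
        if native_form_auth(request.post):
            return ("redirect", safe_next(request))
        return ("form", FORM_ERROR)  # what the reporter sees on POST
    return ("form", None)


def admin_login_method_independent(request: Request) -> Tuple[str, Optional[str]]:
    """Variant the ticket title asks for: honour has_permission on any method."""
    if has_permission(request):
        return ("redirect", safe_next(request))
    if request.method == "POST":
        if native_form_auth(request.post):
            return ("redirect", safe_next(request))
        return ("form", FORM_ERROR)
    return ("form", None)


def simulate(view, method: str, remote_user: Optional[str] = "admin"):
    """Replay the reporter's scenario: Apache already authenticated 'admin' via PAM."""
    request = Request(
        method=method,
        meta={"REMOTE_USER": remote_user} if remote_user else {},
        post={"username": "admin", "password": "pam-only-password"} if method == "POST" else {},
        get={"next": "/admin/"},
    )
    return view(remote_user_middleware(request))


if __name__ == "__main__":
    print("as reported, POST:", simulate(admin_login_as_reported, "POST"))
    print("as reported, GET: ", simulate(admin_login_as_reported, "GET"))
    print("method-independent, POST:", simulate(admin_login_method_independent, "POST"))
    print("method-independent, POST without REMOTE_USER:",
          simulate(admin_login_method_independent, "POST", remote_user=None))
```

Running it shows the reporter's symptom: the GET-only view answers the authenticated POST with the form error, the same request as GET redirects to /admin/, and the method-independent view redirects on POST while still refusing a POST that carries no REMOTE_USER and no valid local password.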