On 10 April 2010 04:33, Vishwajeet <[email protected]> wrote:
>
> On Apr 9, 6:00 pm, Graham Dumpleton <[email protected]>
> wrote:
>> On 9 April 2010 22:23, Graham Dumpleton <[email protected]> wrote:
>> > On 9 April 2010 22:19, Vishwajeet <[email protected]> wrote:
>> >> On Apr 9, 3:32 pm, Graham Dumpleton <[email protected]>
>> >> wrote:
>> >>> On 9 April 2010 19:00, vishwajeet singh <[email protected]> wrote:
>> >>> > Thanks for the quick response Graham. I have gone through these links
>> >>> > many times but still fail to understand how it will work for me.
>> >>> > Let me give you some more details.
>> >>> > I am not doing either group authorization or host authorization. I have
>> >>> > a Django app and users have different roles in that application, so once
>> >>> > a user is authenticated I want to look into the db to see if the user is
>> >>> > in a particular role or not; if he is not in a role, give him
>> >>> > "authorization required" or "you don't have access to this resource".
>> >>> > I want to use this authorization to handle access for WebDAV folders
>> >>> > which are not directly part of the Django app.
>> >>> > Hope that makes me more clear, thank you so much for your response.
>> >>>
>> >>> Depends on how you are going to do this with Django, but a role is not
>> >>> really any different to a group or even a Django user permission.
>> >>>
>> >>> For example, the following might be able to be used (although I have
>> >>> not tested it).
>> >>>
>> >>> import os, sys
>> >>> sys.path.append('/usr/local/django')
>> >>> os.environ['DJANGO_SETTINGS_MODULE'] = 'mysite.settings'
>> >>>
>> >>> from django.contrib.auth.models import User
>> >>> from django import db
>> >>>
>> >>> def groups_for_user(environ, user):
>> >>>     db.reset_queries()
>> >>>
>> >>>     kwargs = {'username': user, 'is_active': True}
>> >>>
>> >>>     try:
>> >>>         try:
>> >>>             user = User.objects.get(**kwargs)
>> >>>         except User.DoesNotExist:
>> >>>             return ['']
>> >>>
>> >>>         return user.get_group_permissions()
>> >>>     finally:
>> >>>         db.connection.close()
>> >>>
>> >>> In other words, just look up user and return permissions associated
>> >>> with that user through the groups they are in.
>> >>>
>> >>> I don't actually use Django but I presume this can be used to
>> >>> designate the roles they have.
>> >>>
>> >>> Then in Apache configuration you can have:
>> >>>
>> >>> AuthType Basic
>> >>> AuthName "Top Secret"
>> >>> AuthBasicProvider dbm
>> >>> AuthDBMUserFile /usr/local/wsgi/accounts.dbm
>> >>> WSGIAuthGroupScript /usr/local/wsgi/scripts/auth.wsgi
>> >>> Require valid-user
>> >>>
>> >>> <Location /some/url>
>> >>> Require group can_do_stuff
>> >>> </Location>
>> >>>
>> >>> <Location /some/other/url>
>> >>> Require group can_do_other_stuff
>> >>> </Location>
>> >>>
>> >>> So don't get hung up on the 'group' name used as argument to 'Require'
>> >>> directive. You can still return a list of permissions and match
>> >>> against that.
>> >>>
>> >>> From Apache 2.3 onwards, you will have to actually use 'wsgi-group'
>> >>> instead of 'group'. Seems I haven't noted this in documentation and
>> >>> that 'wsgi-group' already works for older Apache and should now be
>> >>> used in preference to 'group'.
>> >>>
>> >>> Also note if using check_password() to authenticate user against
>> >>> Django previously, to avoid second database lookup, you could always
>> >>> stash the permissions in thread local storage and have the
>> >>> groups_for_user() look up that, validate is for same user and return
>> >>> it.
>> >>>
>> >>> You will need to use mod_wsgi 3.X to use thread local storage like that
>> >>> however.
>> >>>
>> >>> BTW, if you get this working, post what you use. If I get a working
>> >>> example from someone with a bit of a description of what you do on
>> >>> Django admin side to populate permissions, could include it in
>> >>> documentation as example.
>> >>
>> >> Thanks for an elaborate reply, that really helped me to move in the
>> >> right direction. I did the suggested changes and it seems to be
>> >> working, though I need to do some more testing before I have something
>> >> concrete :)
>> >>
>> >>> Also note if using check_password() to authenticate user against
>> >>> Django previously, to avoid second database lookup, you could always
>> >>> stash the permissions in thread local storage and have the
>> >>> groups_for_user() look up that, validate is for same user and return
>> >>> it.
>> >>
>> >> I am using check_password() but I don't know how to stash the
>> >> permissions in thread local storage, can you please let me know how to
>> >> do this?
>> >
>> > Will have to be tomorrow, no time tonight now and am logging off.
>>
>> Have couple of minutes left.
>> Use something like:
>>
>> import os, sys
>> sys.path.append('/usr/local/django')
>> os.environ['DJANGO_SETTINGS_MODULE'] = 'mysite.settings'
>>
>> from django.contrib.auth.models import User
>> from django import db
>>
>> import threading
>>
>> cache = threading.local()
>>
>> def check_password(environ, username, password):
>>
>>     cache.username = None
>>     cache.permissions = ['']
>>
>>     db.reset_queries()
>>
>>     kwargs = {'username': username, 'is_active': True}
>>
>>     try:
>>         try:
>>             user = User.objects.get(**kwargs)
>>         except User.DoesNotExist:
>>             return None
>>
>>         if user.check_password(password):
>>             cache.username = username
>>             cache.permissions = user.get_group_permissions()
>>             return True
>>         else:
>>             return False
>>     finally:
>>         db.connection.close()
>>
>> def groups_for_user(environ, username):
>>     # getattr: a thread that has not yet run check_password() has no
>>     # attributes set on the thread local, so treat that as "no stash".
>>     if getattr(cache, 'username', None) != username:
>>         cache.username = None
>>         cache.permissions = ['']
>>         return ['']
>>
>>     permissions = cache.permissions
>>     cache.username = None
>>     cache.permissions = ['']
>>     return permissions
>>
>> Have to do this as only easy way of passing information between the
>> two Apache phases as no easy way of stashing information back in
>> Apache request object for passing across.
>>
>> Note that both WSGIAuthUserScript and WSGIAuthGroupScript must be
>> delegated to same application-group for this to work as thread locals
>> are specific to an interpreter.
>
> Thanks I got it working
>
>> >> One more thing is that if the required group is not matched it keeps
>> >> on prompting for authentication instead of saying authorization
>> >> required.
>
> But this problem is still bugging me, not able to understand why Apache
> keeps on returning 401 instead of 403 if some other group is returned
> instead of desired one.
Do you have an explicit ErrorDocument directive specified for 403 to map
the error handler to a URL? If not explicitly done by you, have you got
multi-language error pages in Apache enabled? I.e.

# Multi-language error messages
Include /private/etc/apache2/extra/httpd-multilang-errordoc.conf

If you have these enabled, it could be redirecting 403 to an error URL
which is getting passed through to Django application, but Django doesn't
have that URL mapped and returns 401. If this happens, I would actually
have expected the end result to be a 500 error though, as Apache would
treat a 401 for error document to be an internal server error.

Graham

>> Graham
>>
>> >> One more thing is that if the required group is not matched it keeps
>> >> on prompting for authentication instead of saying authorization
>> >> required.
>> >
>> > I would have thought it would actually return FORBIDDEN HTTP status
>> > response.
>> >
>> > Graham
>> >
>> >> Once I am done with the implementation I will surely share the script.
>> >> Thanks a lot for your help, much appreciated.
>> >>
>> >>> Graham
>> >>>
>> >>> > On Fri, Apr 9, 2010 at 2:22 PM, Graham Dumpleton
>> >>> > <[email protected]> wrote:
>> >>> >> On 9 April 2010 18:25, Vishwajeet <[email protected]> wrote:
>> >>> >> > Hi,
>> >>> >> > I have a script which is currently doing authentication and it's
>> >>> >> > working fine.
>> >>> >> > My question is how can I define an authorization script to check
>> >>> >> > access?
>> >>> >> > I tried browsing through all directives but none of them seems to
>> >>> >> > mention authorization.
>> >>> >>
>> >>> >> See:
>> >>> >>
>> >>> >> http://code.google.com/p/modwsgi/wiki/ConfigurationDirectives#WSGIAut...
>> >>> >> http://code.google.com/p/modwsgi/wiki/ConfigurationDirectives#WSGIAut...
>> >>> >> http://code.google.com/p/modwsgi/wiki/AccessControlMechanisms
>> >>> >>
>> >>> >> Graham

--
You received this message because you are subscribed to the Google Groups "modwsgi" group.
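Added example (not from the thread and not mod_wsgi's or Django's own code): the check_password()/groups_for_user() handoff through a thread local, with a constructed in-memory user table standing in for the Django User model, plus two hypothetical helpers, `apache_decision` (the 401-for-authentication versus 403-for-authorization distinction the thread ends on) and `groups_seen_from_other_thread` (why both scripts must run in the same thread and application group).

```python
import hashlib, hmac, threading
# Constructed stand-in for the Django User table: username -> (pbkdf2 hash,
# is_active, group permissions); the real scripts would query Django instead.
_hash = lambda pw: hashlib.pbkdf2_hmac('sha256', pw.encode(), b'constructed-salt', 50000)
USERS = {
    'alice': (_hash('secret1'), True, ['can_do_stuff']),
    'bob': (_hash('secret2'), True, ['can_do_other_stuff']),
}
cache = threading.local()  # per-thread handoff between the two Apache phases

def _clear():
    cache.username, cache.permissions = None, ['']

def check_password(environ, username, password):
    # WSGIAuthUserScript entry point: None = unknown/inactive user, False = bad password
    _clear()
    rec = USERS.get(username)
    if rec is None or not rec[1]:
        return None
    if not hmac.compare_digest(rec[0], _hash(password)):
        return False
    cache.username, cache.permissions = username, list(rec[2])  # stash for authz phase
    return True

def groups_for_user(environ, username):
    # WSGIAuthGroupScript entry point: hands the stash out once, only to the same user
    if getattr(cache, 'username', None) != username:
        _clear()
        return ['']
    permissions = cache.permissions
    _clear()
    return permissions

def apache_decision(username, password, required_group):
    # Model of the two phases: 401 if authentication fails, 403 if 'Require wsgi-group' fails
    if not check_password({}, username, password):
        return 401
    if required_group not in groups_for_user({}, username):
        return 403
    return 200

def groups_seen_from_other_thread(username, password):
    # The stash is per thread: an authz phase run in a different thread (or a
    # different interpreter / application group) sees nothing and must deny.
    check_password({}, username, password)
    seen = []
    worker = threading.Thread(target=lambda: seen.append(groups_for_user({}, username)))
    worker.start()
    worker.join()
    return seen[0]
```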
