Authentication for whole app

Dougal

May 20, 2008, 10:49:50 AM
to Django users
Say you have a hierarchy of apps, how can I easily require
authentication to a whole app? Or basically a whole folder.

Cheers

Graham Dumpleton

May 20, 2008, 8:14:57 PM
to Django users
On May 21, 12:49 am, Dougal <douga...@gmail.com> wrote:
> Say you have a hierarchy of apps, how can i easily require
> authentication to a whole app? or basically a whole folder.

Depends on what sort of authentication you want to use.

If you want to use HTTP Basic authentication, then put everything
under/behind Apache and use Apache to do it. If you want to use
form-based authentication with the same user database across all
applications, it gets a bit harder. Which do you want?

Graham

James Bennett

May 20, 2008, 9:47:08 PM
to django...@googlegroups.com
On Tue, May 20, 2008 at 7:14 PM, Graham Dumpleton
<Graham.D...@gmail.com> wrote:
> If you want to use HTTP Basic authentication, then put everything
> under/behind Apache and use Apache to do it. If you want to use form
> based authentication with same user database across all applications
> gets a bit harder. Which do you want?

It's actually not that hard, even if you want to require auth only for
specific areas. A middleware like this might do the trick (with a
little tweaking):

from django.contrib.auth.decorators import login_required

class AuthRequiredMiddleware(object):
    def process_view(self, request, view_func, view_args, view_kwargs):
        if ... (fill in test here to see if it's a URL or view you want to require auth for):
            return login_required(view_func)(request, *view_args, **view_kwargs)


--
"Bureaucrat Conrad, you are technically correct -- the best kind of correct."

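One way to fill in the test from the middleware above for the "whole app" case, as an added example that is not part of James's post: it decides by the package the view is defined in. `PROTECTED_APPS`, `EXEMPT_PATHS` and `in_protected_app` are hypothetical names, and the `get_response` argument is there so the same class also loads under newer Django versions.

```python
# Added example; PROTECTED_APPS and EXEMPT_PATHS hold hypothetical values.
PROTECTED_APPS = ("intranet",)        # top-level packages that require a login
EXEMPT_PATHS = ("/accounts/login/",)  # keep the login page reachable (no redirect loop)


def in_protected_app(view_func, protected=PROTECTED_APPS):
    """Return True if the view is defined inside one of the protected packages."""
    module = getattr(view_func, "__module__", None) or ""
    # Match on a package boundary so "intranet" does not also match
    # "intranet_public". A wrapper that does not use functools.wraps hides
    # the real __module__, and such a view would be treated as unprotected.
    return any(module == app or module.startswith(app + ".") for app in protected)


class AuthRequiredMiddleware(object):
    def __init__(self, get_response=None):
        # Newer Django versions pass get_response; the 2008-era API passed nothing.
        self.get_response = get_response

    def __call__(self, request):
        return self.get_response(request)

    def process_view(self, request, view_func, view_args, view_kwargs):
        if request.path in EXEMPT_PATHS or not in_protected_app(view_func):
            return None  # Django goes on to call the view as usual
        # Imported here so the matching logic above can be exercised without Django.
        from django.contrib.auth.decorators import login_required
        return login_required(view_func)(request, *view_args, **view_kwargs)
```
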
Graham Dumpleton

May 20, 2008, 9:57:33 PM
to Django users
On May 21, 11:47 am, "James Bennett" <ubernost...@gmail.com> wrote:
> On Tue, May 20, 2008 at 7:14 PM, Graham Dumpleton
>
> <Graham.Dumple...@gmail.com> wrote:
> > If you want to use HTTP Basic authentication, then put everything
> > under/behind Apache and use Apache to do it. If you want to use form
> > based authentication with same user database across all applications
> > gets a bit harder. Which do you want?
>
> It's actually not that hard, even if you want to require auth only for
> specific areas. A middleware like this might do the trick (with a
> little tweaking):
>
> from django.contrib.auth.decorators import login_required
>
> class AuthRequiredMiddleware(object):
>     def process_view(self, request, view_func, view_args, view_kwargs):
>         if ... (fill in test here to see if it's a URL or view you
> want to require auth for):
>             return login_required(view_func)(request, *view_args, **view_kwargs)

This is where I am ignorant of what can be done with Django. But then,
rereading the OP's question, I may have been reading too much into it. My
initial impression was that he was talking about distinct Django
instances. I forgot that Django has a concept of applications within a
specific Django instance. Because of mod_wsgi I always tend to think
of the more complicated cases that need to be handled. :-(

Let me ask my own question then. If one is running multiple Django
instances, does Django provide anything that would help with single
sign on (SSO) across all the distinct Django application instances?

There are obviously various challenges with this because of the need for
a single session database, plus any requirements for configuring
settings.py as to naming of the cookie, setting of cookie path and any
magic session keys that might need to be shared.

I remember something about Paste (Pylons?) having some support in it
for working with a SSO module which is available for Apache. Can't
remember the name of the Apache module right now, not sure if it is
mod_auth_form or not. This is handling most stuff outside of Apache,
except perhaps for the user authentication through a special script.

Graham

Graham Dumpleton

May 20, 2008, 9:58:43 PM
to Django users


On May 21, 11:57 am, Graham Dumpleton <Graham.Dumple...@gmail.com>
wrote:
Hmmm, meant 'outside of Django'.

Graham

James Bennett

May 20, 2008, 10:04:58 PM
to django...@googlegroups.com
On Tue, May 20, 2008 at 8:57 PM, Graham Dumpleton
<Graham.D...@gmail.com> wrote:
> Let me ask my own question then. If one is running multiple Django
> instances, does Django provide anything that would help with single
> sign on (SSO) across all the distinct Django application instances?

Well, they can share a database and auth against a single users table
(we do this all the time), or you can have an external authentication
source and write an auth backend which knows how to talk to it and
authenticate against it, then use it on all the sites which need it.
I've seen people doing LDAP and various other corporate-love-fest auth
systems that way.

Graham Dumpleton

May 20, 2008, 10:11:21 PM
to Django users
On May 21, 12:04 pm, "James Bennett" <ubernost...@gmail.com> wrote:
> On Tue, May 20, 2008 at 8:57 PM, Graham Dumpleton
>
> <Graham.Dumple...@gmail.com> wrote:
> > Let me ask my own question then. If one is running multiple Django
> > instances, does Django provide anything that would help with single
> > sign on (SSO) across all the distinct Django application instances?
>
> Well, they can share a database and auth against a single users table
> (we do this all the time), or you can have an external authentication
> source and write an auth backend which knows how to talk to it and
> authenticate against it, then use it on all the sites which need it.
> I've seen people doing LDAP and various other corporate-love-fest auth
> systems that way.

But is it true SSO?

Just sharing the same user database doesn't necessarily help in that
you still have to log in to each application.

Although using HTTP Basic Authentication is easy to manage off a
shared authentication handler, it is generally harder when it is a
form/cookie based login system.

Graham

James Bennett

May 20, 2008, 10:34:44 PM
to django...@googlegroups.com
On Tue, May 20, 2008 at 9:11 PM, Graham Dumpleton
<Graham.D...@gmail.com> wrote:
> But is it true SSO?

If they're all on the same domain or subdomains of the same domain,
and you do the cookies right, it is.

If they're not all on the same domain (or authentication realm for
Apache-based auth), there's nothing Django can really do to help you,
as far as I know.

Adam Gomaa

May 20, 2008, 11:30:42 PM
to django...@googlegroups.com
On Tue, May 20, 2008 at 10:11 PM, Graham Dumpleton
<Graham.D...@gmail.com> wrote:
>
> But is it true SSO?

We have 'true' SSO working with multiple Django applications at my
workplace, using CAS and an authentication backend based on
django-cas; IIRC we're planning to release an updated version to the
world at large. I'll check on this tomorrow.

> Just sharing the same user database doesn't necessarily help in that
> you still have to log in to each application.

We actually don't share a database across the applications, so logging
into each instance (which might just consist of a bunch of redirects
if the user's already authenticated to the CAS server) creates a new
user object in the Django instance's local database. This even works
for multiple instances on the same domain (or not), as long as you
remember to use a different SESSION_COOKIE_NAME for each instance.

Conceptually, the SSO is done one layer deeper than Django. Individual
Django instances are themselves clients to the SSO service (CAS, in
this case).

Of course, I don't think this has anything to do with what the OP was
needing, but your post reminded me of this anyway.

Adam
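
Whether two instances end up on the same browser cookie is what separates the shared-cookie sign-on James describes from the collision Adam avoids with SESSION_COOKIE_NAME. The sketch below is an added example, not code from any poster: a simplified model of how a browser keys cookies, with constructed hostnames, where `name`, `domain` and `path` stand for Django's SESSION_COOKIE_NAME, SESSION_COOKIE_DOMAIN and SESSION_COOKIE_PATH.

```python
DEFAULT_NAME = "sessionid"  # Django's default SESSION_COOKIE_NAME


def cookie_key(host, name=DEFAULT_NAME, domain=None, path="/"):
    """Key under which a browser stores this instance's session cookie.

    Simplified model: a cookie is identified by (name, domain, path);
    the port is never part of the key.
    """
    host = host.rsplit(":", 1)[0].lower()
    if domain is None:
        return (name, host, path)      # host-only cookie
    domain = domain.lstrip(".").lower()
    if host != domain and not host.endswith("." + domain):
        raise ValueError("%s cannot set a cookie for %s" % (host, domain))
    return (name, domain, path)        # visible to every subdomain


def same_cookie(a, b):
    """True if two instances read and write the very same browser cookie."""
    return cookie_key(**a) == cookie_key(**b)


# Constructed sample deployments (hostnames are placeholders).
dev_a = dict(host="localhost:8000")
dev_b = dict(host="localhost:8001")
dev_b_renamed = dict(host="localhost:8001", name="app_b_sessionid")
site_a = dict(host="app1.example.com", domain=".example.com")
site_b = dict(host="app2.example.com", domain=".example.com")

if __name__ == "__main__":
    # Same host, different ports, default name: each login overwrites the other.
    print("dev_a / dev_b share a cookie:", same_cookie(dev_a, dev_b))
    # A distinct cookie name per instance keeps the sessions apart.
    print("dev_a / renamed dev_b share a cookie:", same_cookie(dev_a, dev_b_renamed))
    # A parent-domain cookie is shared on purpose; it only works as single
    # sign-on when both instances also read the same session store.
    print("site_a / site_b share a cookie:", same_cookie(site_a, site_b))
```
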
