How to serve static media secured by Django authentication


Jim Myers

Sep 11, 2009, 5:03:44 PM
to Django users
I have a requirement to serve static files only to users authenticated
through Django secure login.
That means I can't use apache basic/digest authentication for those
files.

So far in my searches of the web and Django docs, I've found no way to
do this.
Of course my alternative is to serve ALL the static files through
Django but that's not very palatable.

Have I missed anything? What is needed to make this work?

Maksymus007

Sep 11, 2009, 5:08:10 PM
to django...@googlegroups.com
On Fri, Sep 11, 2009 at 11:03 PM, Jim Myers <mye...@gmail.com> wrote:
>
> I have a requirement to serve static files only to users authenticated
> through Django secure login.
> That means I can't use apache basic/digest authentication for those
> files.
>
> So far in my searches of the web and Django docs, I've found no way to
> do this.
> Of course my alternative is to serve ALL the static files through
> Django but that's not very palatable.
>

It's the only way to do this, as long as django auth is required.
You can write your own static file serving function and add caching
(memcache?) to it.

But you can try to, for example, make directories named like session
cookie hash and force user to get all static content there, serving
through apache

Tim Chase

Sep 11, 2009, 5:26:09 PM
to django...@googlegroups.com
> I have a requirement to serve static files only to users authenticated
> through Django secure login.

You may be interested in:

http://code.djangoproject.com/ticket/2131

Both mod_python and mod_wsgi support the ability to return a
header that instructs the web-server to "dump this local file
back as my response" freeing up Django resources. This patch,
though not yet accepted, has undergone a lot of scrutiny (as you
can read in the long list of comments) and even if the One True
Solution hasn't yet been committed to trunk, it looks like this
should work if you tinker with it. But I too am looking forward
to it hitting trunk.

-tim

Javier Guerra

Sep 11, 2009, 6:06:18 PM
to django...@googlegroups.com
On Fri, Sep 11, 2009 at 4:26 PM, Tim Chase
<django...@tim.thechases.com> wrote:
> You may be interested in:
>
> http://code.djangoproject.com/ticket/2131
>
> Both mod_python and mod_wsgi support the ability to return a
> header that instructs the web-server to "dump this local file
> back as my response" freeing up Django resources.

note that you can simply return that same header without waiting for
this patch. the main advantage will be that it automatically uses the
appropriate header for different servers.

--
Javier

Gabriel Gunderson

Sep 12, 2009, 1:49:07 AM
to django...@googlegroups.com
On Fri, Sep 11, 2009 at 3:03 PM, Jim Myers <mye...@gmail.com> wrote:
> I have a requirement to serve static files only to users authenticated
> through Django secure login.

http://docs.djangoproject.com/en/dev/howto/apache-auth/

Gabe

Jim Myers

Sep 12, 2009, 12:30:24 PM
to Django users
I had looked at that page before, but had thought it only applied to
mod_python.
Does it also apply to mod_wsgi? If so, the page could be made
clearer.

On Sep 11, 10:49 pm, Gabriel Gunderson <g...@gundy.org> wrote:

Graham Dumpleton

Sep 12, 2009, 8:29:28 PM
to Django users


On Sep 13, 2:30 am, Jim Myers <myer...@gmail.com> wrote:
> I had looked at that page before, but had thought it only applied to
> mod_python.
> Does it also apply to mod_wsgi?  If so, the page could be made
> clearer.

It doesn't. Read instead:

http://code.google.com/p/modwsgi/wiki/AccessControlMechanisms

This still will not help if wanting to secure pages using form/session
based login. Use the X-Accel-Redirect/X-Sendfile/Location response
headers instead as described elsewhere related to that future Django
patch.

Graham
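The header approach mentioned in the posts above, as an added example that is not code from the thread or from the Django patch: the application only decides who may have the file and names it in a header, and the front-end server sends the bytes. The paths, the directory-to-group map and the function names are assumptions made for illustration, and the group check goes slightly beyond the original question.

```python
import posixpath
from urllib.parse import quote

# Assumed deployment (hypothetical names, not from the thread):
#   nginx:  an `internal` location /protected/ aliased to PROTECTED_ROOT
#   Apache: mod_xsendfile allowed to read files under PROTECTED_ROOT
PROTECTED_ROOT = "/srv/protected"
INTERNAL_PREFIX = "/protected/"
LOGIN_URL = "/accounts/login/"
# Top-level directory -> group required (None means any logged-in user)
REQUIRED_GROUP = {"all": None, "group_a": "A", "group_b": "B"}


def safe_relpath(requested):
    """Normalise a client-supplied path; None if it could leave the root."""
    if not requested or requested.startswith("/"):
        return None
    if "\x00" in requested or "\\" in requested:
        return None
    norm = posixpath.normpath(requested)
    if norm in (".", "..") or norm.startswith("../"):
        return None
    return norm


def protected_response(is_authenticated, groups, requested, server="nginx"):
    """Return (status, headers); the front-end server sends the file body."""
    if not is_authenticated:
        return 302, {"Location": LOGIN_URL}
    rel = safe_relpath(requested)
    if rel is None or rel.split("/", 1)[0] not in REQUIRED_GROUP:
        return 404, {}
    # Check the group on the normalised path, not on the raw request.
    need = REQUIRED_GROUP[rel.split("/", 1)[0]]
    if need is not None and need not in groups:
        return 403, {}
    if server == "nginx":
        return 200, {"X-Accel-Redirect": INTERNAL_PREFIX + quote(rel)}
    return 200, {"X-Sendfile": posixpath.join(PROTECTED_ROOT, rel)}
```

In a Django view the first two arguments would come from `request.user`. The files must not be reachable by any direct URL (nginx `internal` location, no public Apache alias), otherwise the check is bypassed.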

Lars Holm Nielsen

Sep 13, 2009, 4:58:03 AM
to Django users
Hi,

There's a couple of ways to do this, but none of them is really as
easy as using basic/digest authentication in apache.

Most of the methods posted until now pass the static file through
django or at least python, which might not be ideal depending on your
performance requirements.

Anyway, here are two more methods:

1) Use lighttpd with mod_secdownload (http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:ModSecDownload).
On the page there's an example of how to do it with django. Basically
you just generate a token that only your django app and lighttpd server
can generate. The bad thing with this method is that you don't have
constant URLs.

2) Use Apache + mod_auth_tkt. mod_auth_tkt is a lightweight module,
that works nearly the same way as mod_secdownload. It just puts the
token in a cookie and can associate some strings with it (like
user/group etc). Then in apache, you just use a htaccess file to protect
your resources.

Other more complicated things you can look at are single sign-on
solutions for your webserver and django, but it usually starts to get
really complicated.

Cheers,
Lars
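The token scheme of method 1, as an added example that is not part of the post above and not lighttpd's own code: it models the MD5 form documented for mod_secdownload, where the URL is `<uri-prefix><token>/<hex-timestamp><rel-path>` and the token is the MD5 of secret, path and timestamp. The secret, prefix, timeout and function names are constructed for illustration and would have to match the server's `secdownload.*` settings.

```python
import hashlib
import hmac
import time

# Constructed values; they stand in for secdownload.secret,
# secdownload.uri-prefix and secdownload.timeout on the server.
SECRET = "constructed-shared-secret"
URI_PREFIX = "/dl/"
TIMEOUT = 60  # seconds a generated URL stays valid


def _token(rel_path, ts_hex):
    """MD5 over secret + path + hex timestamp, as hex digits."""
    return hashlib.md5((SECRET + rel_path + ts_hex).encode()).hexdigest()


def make_url(rel_path, now=None):
    """Application side: called only after the user has been authorised."""
    ts_hex = "%08x" % int(time.time() if now is None else now)
    return URI_PREFIX + _token(rel_path, ts_hex) + "/" + ts_hex + rel_path


def check_url(url, now=None):
    """Model of the server-side check: the file path, or None if rejected."""
    now = int(time.time() if now is None else now)
    if not url.startswith(URI_PREFIX):
        return None
    parts = url[len(URI_PREFIX):].split("/", 2)
    if len(parts) != 3:
        return None
    token, ts_hex, rest = parts
    rel_path = "/" + rest
    try:
        issued = int(ts_hex, 16)
    except ValueError:
        return None
    if abs(now - issued) > TIMEOUT:
        return None  # expired: this is why the URLs are not constant
    expected = _token(rel_path, ts_hex)
    ok = hmac.compare_digest(token.encode(), expected.encode())
    return rel_path if ok else None
```

Anyone who obtains a generated URL can use it until the timeout passes, so the timeout bounds how long a leaked link works.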

Glenn Tenney

Nov 20, 2009, 2:56:30 PM
to django...@googlegroups.com
I've got a similar, but slightly more complex need...

I need to serve some static files (pdfs etc.) to any authorized user,
other static files to members of group A (as in Django), and other
static files to members of group B. It would seem that I could
create some specific permission name for group A and another for
group B. I'll put each set of files into a unique directory / url as
need-be.

I was hoping that my friend who wrote the Django code for this site
would tweak this for me a couple of weeks ago since I haven't dealt
with the Django code for ages and ages and feel like I'm back to a
complete newbie.

So... the naive questions are:

1) how do I configure each different directory in Apache's conf file
to require a different permission name? (

2) where do I put the PythonOption directives ? e.g. DjangoPermissionName

3) in the example cited above, am I correct that I need to change
"mysite.settings" to whatever I set DJANGO_SETTINGS_MODULE to
actually?

4) is it really going to be just that simple... as described in that
howto? (he asks hopefully -- right now I need a simple "do this, then
that, then this")


Thanks

--
Glenn