Authentication using Django’s sessions db from Apache


Mohammad Hashemian

Oct 25, 2017, 6:22:41 PM
to modwsgi

I have a Django application which I now want to integrate with Kibana. So when authenticated users click on a link, they will be directed to Kibana. But this option should not be available to anonymous users.


My stack is Psql + Django + mod_wsgi + Apache. The solution I came up with was restricting access to Kibana via Apache, and authenticating users in Django before giving them access. This HowTo on the Django website says how you can authenticate against Django from Apache, but that one uses Basic authentication. When I use this approach, even users who already have an active session in my Django app will be asked to enter their username/password in a browser dialog!


I was hoping for the authentication to happen using the current Django active sessions. I believe for that I need to use AuthType form and mod_session, instead of AuthType Basic. Is this correct? If yes, it seems mod_wsgi does not support mod_session yet (as discussed here). What would be the alternative then?


Graham Dumpleton

Oct 25, 2017, 8:24:38 PM
to mod...@googlegroups.com
I played with this stuff a long time ago but my memory is bad as to what I worked out, so if you can be a bit patient and try some things for me, then we can perhaps work it out.

Referring to:


The usual example of using mod_auth_form is to use:

<Location "/admin">
    AuthFormProvider file
    AuthUserFile "conf/passwd"
    AuthType form
    AuthName "/admin"
    AuthFormLoginRequiredLocation "http://example.com/login.html"

    Session On
    SessionCookieName session path=/

    Require valid-user
</Location>

Theoretically the next step would be to change this to:

<Location "/admin">
    AuthFormProvider wsgi
    WSGIAuthUserScript /some/path/auth.py application-group=%{GLOBAL}
    AuthType form
    AuthName "/admin"
    AuthFormLoginRequiredLocation "http://example.com/login.html"

    Session On
    SessionCookieName session path=/

    Require valid-user
</Location>

In other words, you use the authentication handler in mod_wsgi to work out whether the user can log in.


The Django example of how to implement that is:


As to the login form itself, rather than a static file, presumably this could be provided by the Django application. The form obviously should work when the user is not logged in.

Where things now get a bit complicated is that you are using a cookie different from the normal Django cookie that it uses for form-based login, so I'm not sure how that marries up or whether it matters.

Also, because you are not using Django's form login but doing it in Apache, you need to set up Django as if authentication were being handled separately and you can trust the REMOTE_USER value passed in, just the same as if using HTTP Basic authentication.

Last thing to mention is that the authentication handler has to run in mod_wsgi's embedded mode. You should still use daemon mode for the main application.

If you can start to play with that then we can try and work through issues and work it out exactly.

Graham
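A mod_wsgi authentication script of the kind described above, as an added example (not code from this thread, from mod_wsgi or from the Django documentation): check_password and groups_for_user are the function names mod_wsgi calls from WSGIAuthUserScript and WSGIAuthGroupScript; django_lookup assumes a project settings module named mysite.settings, and demo_lookup with DEMO_USERS is a constructed in-memory stand-in so the handler logic can be exercised without a Django database.

```python
"""Handler loaded by Apache through WSGIAuthUserScript (check_password) and
WSGIAuthGroupScript (groups_for_user).  mod_wsgi contract: check_password
returns True (accepted), False (wrong password) or None (unknown user, so any
other AuthFormProvider may try); groups_for_user returns a list of group names."""
import hashlib
import hmac
import os


def django_lookup(username):
    """Production lookup: (password_verifier, group_names) for an active user, else None."""
    os.environ.setdefault("DJANGO_SETTINGS_MODULE", "mysite.settings")  # assumed project
    import django
    from django import db
    django.setup()
    from django.contrib.auth.models import User
    try:
        user = User.objects.get(username=username, is_active=True)
        return user.check_password, list(user.groups.values_list("name", flat=True))
    except User.DoesNotExist:
        return None
    finally:
        db.connection.close()  # embedded mode: do not leak a connection per request


def _pbkdf2(raw, salt):
    return hashlib.pbkdf2_hmac("sha256", raw.encode(), salt, 100_000)


_SALT = os.urandom(16)
# Constructed sample store standing in for django.contrib.auth: name -> (hash, groups)
DEMO_USERS = {"alice": (_pbkdf2("correct horse", _SALT), ["myGroup"]),
              "bob": (_pbkdf2("hunter2", _SALT), [])}


def demo_lookup(username):
    rec = DEMO_USERS.get(username)
    if rec is None:
        return None
    digest, groups = rec
    return (lambda raw: hmac.compare_digest(_pbkdf2(raw, _SALT), digest)), groups


def check_password(environ, username, password, lookup=django_lookup):
    rec = lookup(username)
    if rec is None:
        return None  # unknown user: fall through to any other provider
    verify, _groups = rec
    return bool(verify(password))


def groups_for_user(environ, username, lookup=django_lookup):
    rec = lookup(username)
    return [] if rec is None else rec[1]  # 'Require wsgi-group' checks this list
```

The distinction between None and False matters: None lets Apache consult any further provider, while False is a definitive rejection of the submitted password.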

Mohammad Hashemian

Oct 26, 2017, 7:29:12 PM
to modwsgi
Thanks a lot, Graham. Very helpful. I actually could make it work. As you said, I added this to my httpd.conf:

<Location /dashboard/kibana>
    AuthType Form
    AuthFormProvider wsgi
    AuthName "test"
    ErrorDocument 401 /rel/path/to/httdp_signin/signin.html
    WSGIAuthUserScript /path/to/wsgi/wsgi.py
    WSGIAuthGroupScript /path/to/wsgi/wsgi.py

    <RequireAll>
        Require wsgi-group myGroup
        Require valid-user
    </RequireAll>

    Session On
    SessionCookieName httpdsessionid path=/
</Location>


Now how it works is like this:

1. User is logged in to the Django app and clicks to access the second app (in this case, Kibana)
2. Kibana is protected by Apache's authentication, and the user is not authenticated with Apache, so error 401 will navigate the user to the signin.html page
3. User has to enter username/password again (not ideal but a lot better than alternatives I've found so far)
4. A new session/cookie is created for the user, which as you said, is different from the session the user had with Django.
5. Now the user can navigate to Kibana

This is now working, but I don't know much about embedded vs. daemon mode, unfortunately. I will have to read a bit about those and make sure that setting is also done correctly.

Thanks again for your time,
Mohammad

Graham Dumpleton

Oct 26, 2017, 9:52:47 PM
to mod...@googlegroups.com
On 27 Oct 2017, at 10:29 am, Mohammad Hashemian <m.has...@gmail.com> wrote:

> Thanks a lot, Graham. Very helpful. I actually could make it work. As you said, I added this to my httpd.conf:
>
> <Location /dashboard/kibana>
>     AuthType Form
>     AuthFormProvider wsgi
>     AuthName "test"
>     ErrorDocument 401 /rel/path/to/httdp_signin/signin.html
>     WSGIAuthUserScript /path/to/wsgi/wsgi.py
>     WSGIAuthGroupScript /path/to/wsgi/wsgi.py
>
>     <RequireAll>
>         Require wsgi-group myGroup
>         Require valid-user
>     </RequireAll>
>
>     Session On
>     SessionCookieName httpdsessionid path=/
> </Location>
>
> Now how it works is like this:
>
> 1. User is logged in to the Django app and clicks to access the second app (in this case, Kibana)
> 2. Kibana is protected by Apache's authentication, and the user is not authenticated with Apache, so error 401 will navigate the user to the signin.html page
> 3. User has to enter username/password again (not ideal but a lot better than alternatives I've found so far)

That sounds like you are still relying on Django form login.

As I understand it, what you need to do is disable Django's form login, and for Django access they should also use the Apache form login. When a request then passes through to Django, you should have Django trust REMOTE_USER and use that to establish the login session information in Django. There are some details of doing it in:


> 4. A new session/cookie is created for the user, which as you said, is different from the session the user had with Django.
> 5. Now the user can navigate to Kibana
>
> This is now working, but I don't know much about embedded vs. daemon mode, unfortunately. I will have to read a bit about those and make sure that setting is also done correctly.
>
> Thanks again for your time,
> Mohammad


Mohammad Hashemian

Oct 26, 2017, 10:10:00 PM
to modwsgi
I see what you mean. That makes sense. I will try this soon.

Thanks