> On 26 Oct 2017, at 3:53 am, Mohammad Hashemian <[email protected]> wrote:
> 
> I have a Django application which I now want to integrate with Kibana. So 
> when authenticated users click on a link, they will be directed to Kibana. 
> But this option should not be available to anonymous users.
> 
> My stack is Psql + Django + mod_wsgi + Apache. The solution I came up with 
> was restricting access to Kibana via Apache, and authenticating users in 
> Django before giving them access. This HowTo 
> <https://docs.djangoproject.com/en/1.11/howto/deployment/wsgi/apache-auth/> 
> on the Django website says how you can authenticate against Django from Apache, 
> but that one uses Basic authentication. When I use this approach, even for 
> users who already have an active session in my Django app, they will be asked 
> to enter their username/password in a browser dialog!
> 
> I was hoping the authentication to happen using the current Django active 
> sessions. I believe for that I need to use AuthType form and mod_session, 
> instead of AuthType Basic. Is this correct? If yes, it seems mod_wsgi does 
> not support mod_session yet (as discussed here 
> <https://github.com/GrahamDumpleton/mod_wsgi/pull/41>). What would be the 
> alternative then?
> 
I played with this stuff a long time ago but my memory is bad as to what I 
worked out, so if you can be a bit patient and try some things for me, then we 
can perhaps work it out.

Referring to:

    http://httpd.apache.org/docs/2.4/mod/mod_auth_form.html

The usual example of using mod_auth_form is to use:

    <Location "/admin">
        # Credentials are checked against a flat password file.
        AuthFormProvider file
        AuthUserFile "conf/passwd"
        AuthType form
        AuthName "/admin"
        AuthFormLoginRequiredLocation "http://example.com/login.html"

        Session On
        SessionCookieName session path=/

        Require valid-user
    </Location>

Theoretically the next step would be to change this to:

    <Location "/admin">
        # Credentials are checked by the mod_wsgi auth provider via auth.py.
        AuthFormProvider wsgi
        WSGIAuthUserScript /some/path/auth.py application-group=%{GLOBAL}
        AuthType form
        AuthName "/admin"
        AuthFormLoginRequiredLocation "http://example.com/login.html"

        Session On
        SessionCookieName session path=/

        Require valid-user
    </Location>

In other words, you use the authentication handler in mod_wsgi to work out 
whether the user can log in.

    http://modwsgi.readthedocs.io/en/develop/user-guides/access-control-mechanisms.html#http-user-authentication

The Django example of how to implement that is:

    https://docs.djangoproject.com/en/1.11/howto/deployment/wsgi/apache-auth/

As to the login form itself, rather than a static file, presumably this could 
be provided by the Django application. The form obviously should work when the 
user is not logged in.

Where things now get a bit complicated is that you are using a cookie different 
to the normal Django cookie, when it uses form-based login, so I am not sure how 
that marries up or whether it matters.

Also, because you are not using Django forms login, but doing it in Apache, you 
need to set up Django as if authentication was being handled separately and you 
can trust the REMOTE_USER value passed in, just the same as if using HTTP Basic 
authentication.

Last thing to mention is that the authentication handler has to run in embedded 
mode of mod_wsgi. You should still use daemon mode for the main application.

If you can start to play with that then we can try and work through issues and 
work it out exactly.

Graham
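
Added example (not part of Graham's message, and not mod_wsgi or Django code): an auth.py of the kind WSGIAuthUserScript would load, showing the three check_password() return values that the mod_wsgi auth provider acts on. The in-memory USERS table, its PBKDF2 parameters and the choice to report disabled accounts as unknown are assumptions standing in for a lookup against Django's user model.

```python
# auth.py -- illustrative WSGIAuthUserScript handler (added example).
import hashlib
import hmac

ITERATIONS = 100_000  # constructed parameter for this sample store


def _hash(password, salt):
    """Derive a PBKDF2-HMAC-SHA256 digest for the given password and salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed sample store standing in for Django's user table.
# Each entry: (salt, digest, is_active).
USERS = {
    "alice": (b"salt-a", _hash("correct horse", b"salt-a"), True),
    "bob": (b"salt-b", _hash("hunter2-sample", b"salt-b"), False),  # disabled
}

# Dummy entry so an unknown user costs the same hashing work as a known one.
_DUMMY = (b"salt-x", _hash("unused", b"salt-x"), False)


def check_password(environ, user, password):
    """Entry point called by the mod_wsgi auth provider.

    Returns True  -> user exists and the password matches,
            False -> user exists but the password is wrong,
            None  -> user is unknown (or, in this example, disabled).
    """
    known = user in USERS
    salt, digest, active = USERS.get(user, _DUMMY)
    # Always hash and compare in constant time, even for unknown users.
    matches = hmac.compare_digest(_hash(password, salt), digest)
    if not known or not active:
        return None
    return matches
```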
