1
=========================================================
2
Authenticating against Django's user database from Apache
3
=========================================================
5
Since keeping multiple authentication databases in sync is a common problem when
6
dealing with Apache, you can configure Apache to authenticate against Django's
7
:doc:`authentication system </topics/auth/index>` directly. This requires Apache
8
version >= 2.2 and mod_wsgi >= 2.0. For example, you could:
10
* Serve static/media files directly from Apache only to authenticated users.
12
* Authenticate access to a Subversion_ repository against Django users with
15
* Allow certain users to connect to a WebDAV share created with mod_dav_.
18
If you have installed a :ref:`custom User model <auth-custom-user>` and
19
want to use this default auth handler, it must support an `is_active`
20
attribute. If you want to use group based authorization, your custom user
21
must have a relation named 'groups', referring to a related object that has
22
a 'name' field. You can also specify your own custom mod_wsgi
23
auth handler if your custom cannot conform to these requirements.
25
.. _Subversion: http://subversion.tigris.org/
26
.. _mod_dav: http://httpd.apache.org/docs/2.2/mod/mod_dav.html
28
Authentication with mod_wsgi
29
============================
31
Make sure that mod_wsgi is installed and activated and that you have
32
followed the steps to setup
33
:doc:`Apache with mod_wsgi </howto/deployment/wsgi/modwsgi>`
35
Next, edit your Apache configuration to add a location that you want
36
only authenticated users to be able to view:
38
.. code-block:: apache
40
WSGIScriptAlias / /path/to/mysite.com/mysite/wsgi.py
42
WSGIProcessGroup %{GLOBAL}
43
WSGIApplicationGroup django
49
AuthBasicProvider wsgi
50
WSGIAuthUserScript /path/to/mysite.com/mysite/wsgi.py
53
The ``WSGIAuthUserScript`` directive tells mod_wsgi to execute the
54
``check_password`` function in specified wsgi script, passing the user name and
55
password that it receives from the prompt. In this example, the
56
``WSGIAuthUserScript`` is the same as the ``WSGIScriptAlias`` that defines your
57
application :doc:`that is created by django-admin.py startproject
58
</howto/deployment/wsgi/index>`.
60
.. admonition:: Using Apache 2.2 with authentication
62
Make sure that ``mod_auth_basic`` and ``mod_authz_user`` are loaded.
64
These might be compiled statically into Apache, or you might need to use
65
LoadModule to load them dynamically in your ``httpd.conf``:
67
.. code-block:: apache
69
LoadModule auth_basic_module modules/mod_auth_basic.so
70
LoadModule authz_user_module modules/mod_authz_user.so
72
Finally, edit your WSGI script ``mysite.wsgi`` to tie Apache's
73
authentication to your site's authentication mechanisms by importing the
76
.. code-block:: python
81
os.environ['DJANGO_SETTINGS_MODULE'] = 'mysite.settings'
83
from django.contrib.auth.handlers.modwsgi import check_password
85
from django.core.handlers.wsgi import WSGIHandler
86
application = WSGIHandler()
89
Requests beginning with ``/secret/`` will now require a user to authenticate.
91
The mod_wsgi `access control mechanisms documentation`_ provides additional
92
details and information about alternative methods of authentication.
94
.. _access control mechanisms documentation: http://code.google.com/p/modwsgi/wiki/AccessControlMechanisms
96
Authorization with mod_wsgi and Django groups
97
---------------------------------------------
99
mod_wsgi also provides functionality to restrict a particular location to
102
In this case, the Apache configuration should look like this:
104
.. code-block:: apache
106
WSGIScriptAlias / /path/to/mysite.com/mysite/wsgi.py
108
WSGIProcessGroup %{GLOBAL}
109
WSGIApplicationGroup django
113
AuthName "Top Secret"
114
AuthBasicProvider wsgi
115
WSGIAuthUserScript /path/to/mysite.com/mysite/wsgi.py
116
WSGIAuthGroupScript /path/to/mysite.com/mysite/wsgi.py
117
Require group secret-agents
121
To support the ``WSGIAuthGroupScript`` directive, the same WSGI script
122
``mysite.wsgi`` must also import the ``groups_for_user`` function which
123
returns a list groups the given user belongs to.
125
.. code-block:: python
127
from django.contrib.auth.handlers.modwsgi import check_password, groups_for_user
129
Requests for ``/secret/`` will now also require user to be a member of the
130
"secret-agents" group.