Login

Basic HTTP Authentication

Author:
pterk
Posted:
February 28, 2007
Language:
Python
Version:
Pre .96
Tags:
middleware django http basic authentication
Score:
-1 (after 1 ratings)

A patch (against django svn trunk 4649) that allows users to log in with Basic HTTP Authentication i.s.o. login forms using some simple middleware (entire patch is ~50 lines). I was unaware of http://code.djangoproject.com/wiki/GenericAuthorization so I'm not sure about its usefulness in the long run.

You can enable it by including 'django.contrib.auth.middleware.BasicAuthenticationMiddleware' in your MIDDLEWARE_CLASSES and then adding the following lines in your settings.py:

BASIC_WWW_AUTHENTICATION = True

WWW_AUTHENTICATION_REALM = "djangolures.com"

Updated: See also http://code.djangoproject.com/ticket/3609 (patch now availble here as well).

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
Index: django/contrib/admin/views/decorators.py
===================================================================
--- django/contrib/admin/views/decorators.py    (revision 4649)
+++ django/contrib/admin/views/decorators.py    (working copy)
@@ -2,6 +2,7 @@
 from django.conf import settings
 from django.contrib.auth.models import User
 from django.contrib.auth import authenticate, login
+from django.contrib.auth.middleware import basic_challenge
 from django.shortcuts import render_to_response
 from django.utils.translation import gettext_lazy
 import base64, datetime, md5
@@ -11,6 +12,8 @@
 LOGIN_FORM_KEY = 'this_is_the_login_form'

 def _display_login_form(request, error_message=''):
+    if getattr(settings, 'BASIC_WWW_AUTHENTICATION', False):
+        return basic_challenge()
     request.session.set_test_cookie()
     if request.POST and request.POST.has_key('post_data'):
         # User has failed login BUT has previously saved post data.
Index: django/contrib/auth/middleware.py
===================================================================
--- django/contrib/auth/middleware.py   (revision 4649)
+++ django/contrib/auth/middleware.py   (working copy)
@@ -1,3 +1,40 @@
+from django.conf import settings
+from django.http import HttpResponse
+
+from django.contrib.auth import authenticate, login, logout
+
+def basic_challenge(realm = None):
+    if realm is None:
+        realm = getattr(settings, 'WWW_AUTHENTICATION_REALM', _('Restricted Access'))
+    # TODO: Make a nice template for a 401 message?
+    response =  HttpResponse(_('Authorization Required'), mimetype="text/plain")
+    response['WWW-Authenticate'] = 'Basic realm="%s"' % (realm)
+    response.status_code = 401
+    return response
+
+def basic_authenticate(authentication):
+    # Taken from paste.auth
+    (authmeth, auth) = authentication.split(' ',1)
+    if 'basic' != authmeth.lower():
+        return None
+    auth = auth.strip().decode('base64')
+    username, password = auth.split(':',1)
+    return authenticate(username = username, password = password)
+
+class BasicAuthenticationMiddleware:
+    def process_request(self, request):
+        if not getattr(settings, 'BASIC_WWW_AUTHENTICATION', False):
+            return None
+        if not request.META.has_key('HTTP_AUTHORIZATION'):
+            # If the user out of the session as well
+            logout(request)
+            return None
+        user =  basic_authenticate(request.META['HTTP_AUTHORIZATION'])
+        if user is None:
+            return basic_challenge()
+        else:
+            login(request, user)
+
 class LazyUser(object):
     def __get__(self, request, obj_type=None):
         if not hasattr(request, '_cached_user'):
Index: django/contrib/auth/views.py
===================================================================
--- django/contrib/auth/views.py        (revision 4649)
+++ django/contrib/auth/views.py        (working copy)
@@ -35,6 +35,12 @@
     "Logs out the user and displays 'You are logged out' message."
     from django.contrib.auth import logout
     logout(request)
+
+    # This 'works' as a way to log out users but it is confusing. You
+    # log out and it asks for your credentials again?
+    #if not getattr(settings, 'BASIC_WWW_AUTHENTICATION', False):
+    #    from middleware import basic_challenge
+    #    return basic_challenge()
     if next_page is None:
         return render_to_response(template_name, {'title': _('Logged out')}, context_instance=RequestContext(request))
     else:
Index: django/contrib/auth/decorators.py
===================================================================
--- django/contrib/auth/decorators.py   (revision 4649)
+++ django/contrib/auth/decorators.py   (working copy)
@@ -1,3 +1,5 @@
+from django.conf import settings
+
 from django.contrib.auth import LOGIN_URL, REDIRECT_FIELD_NAME
 from django.http import HttpResponseRedirect
 from urllib import quote
@@ -2,2 +4,4 @@

+from django.contrib.auth.middleware import basic_challenge
+
 def user_passes_test(test_func, login_url=LOGIN_URL):
@@ -12,10 +16,12 @@
         def _checklogin(request, *args, **kwargs):
             if test_func(request.user):
                 return view_func(request, *args, **kwargs)
-            return HttpResponseRedirect('%s?%s=%s' % (login_url, REDIRECT_FIELD_NAME, quote(request.get_full_path())))
+            if getattr(settings, 'BASIC_WWW_AUTHENTICATION', False):
+                return basic_challenge()
+            else:
+                return HttpResponseRedirect('%s?%s=%s' % (login_url, REDIRECT_FIELD_NAME, quote(request.get_full_path())))
         _checklogin.__doc__ = view_func.__doc__
         _checklogin.__dict__ = view_func.__dict__
-
         return _checklogin
     return _dec

More like this

  1. Basic Auth Middleware by joshsharp 3 years, 9 months ago
  2. Django BasicAuthMixin by icrni 9 months, 3 weeks ago
  3. I18n URLs via Middleware by zerok 7 years, 7 months ago
  4. Use email addresses for user name by chris 8 years ago
  5. MaxMind(R) GeoIP Lite geolocation models by jbronn 7 years, 8 months ago

Comments

Please login first before commenting.