/docs/howto/apache-auth.txt
Plain Text | 127 lines | 94 code | 33 blank | 0 comment | 0 complexity | b219d74acb908f16d036934c8c6cada7 MD5 | raw file
Possible License(s): BSD-3-Clause
1=========================================================
2Authenticating against Django's user database from Apache
3=========================================================
4
5.. warning::
6
7 Support for mod_python has been deprecated within Django. At that
8 time, this method of authentication will no longer be provided by
9 Django. The community is welcome to offer its own alternate
10 solutions using WSGI middleware or other approaches.
11
12Since keeping multiple authentication databases in sync is a common problem when
13dealing with Apache, you can configuring Apache to authenticate against Django's
14:doc:`authentication system </topics/auth>` directly. For example, you
15could:
16
17 * Serve static/media files directly from Apache only to authenticated users.
18
19 * Authenticate access to a Subversion_ repository against Django users with
20 a certain permission.
21
22 * Allow certain users to connect to a WebDAV share created with mod_dav_.
23
24.. _Subversion: http://subversion.tigris.org/
25.. _mod_dav: http://httpd.apache.org/docs/2.0/mod/mod_dav.html
26
27Configuring Apache
28==================
29
30To check against Django's authorization database from a Apache configuration
31file, you'll need to use mod_python's ``PythonAuthenHandler`` directive along
32with the standard ``Auth*`` and ``Require`` directives:
33
34.. code-block:: apache
35
36 <Location /example/>
37 AuthType Basic
38 AuthName "example.com"
39 Require valid-user
40
41 SetEnv DJANGO_SETTINGS_MODULE mysite.settings
42 PythonAuthenHandler django.contrib.auth.handlers.modpython
43 </Location>
44
45.. admonition:: Using the authentication handler with Apache 2.2
46
47 If you're using Apache 2.2, you'll need to take a couple extra steps.
48
49 You'll need to ensure that ``mod_auth_basic`` and ``mod_authz_user``
50 are loaded. These might be compiled statically into Apache, or you might
51 need to use ``LoadModule`` to load them dynamically (as shown in the
52 example at the bottom of this note).
53
54 You'll also need to insert configuration directives that prevent Apache
55 from trying to use other authentication modules, as well as specifying
56 the ``AuthUserFile`` directive and pointing it to ``/dev/null``. Depending
57 on which other authentication modules you have loaded, you might need one
58 or more of the following directives:
59
60 .. code-block:: apache
61
62 AuthBasicAuthoritative Off
63 AuthDefaultAuthoritative Off
64 AuthzLDAPAuthoritative Off
65 AuthzDBMAuthoritative Off
66 AuthzDefaultAuthoritative Off
67 AuthzGroupFileAuthoritative Off
68 AuthzOwnerAuthoritative Off
69 AuthzUserAuthoritative Off
70
71 A complete configuration, with differences between Apache 2.0 and
72 Apache 2.2 marked in bold, would look something like:
73
74 .. parsed-literal::
75
76 **LoadModule auth_basic_module modules/mod_auth_basic.so**
77 **LoadModule authz_user_module modules/mod_authz_user.so**
78
79 ...
80
81 <Location /example/>
82 AuthType Basic
83 AuthName "example.com"
84 **AuthUserFile /dev/null**
85 **AuthBasicAuthoritative Off**
86 Require valid-user
87
88 SetEnv DJANGO_SETTINGS_MODULE mysite.settings
89 PythonAuthenHandler django.contrib.auth.handlers.modpython
90 </Location>
91
92By default, the authentication handler will limit access to the ``/example/``
93location to users marked as staff members. You can use a set of
94``PythonOption`` directives to modify this behavior:
95
96 ================================ =========================================
97 ``PythonOption`` Explanation
98 ================================ =========================================
99 ``DjangoRequireStaffStatus`` If set to ``on`` only "staff" users (i.e.
100 those with the ``is_staff`` flag set)
101 will be allowed.
102
103 Defaults to ``on``.
104
105 ``DjangoRequireSuperuserStatus`` If set to ``on`` only superusers (i.e.
106 those with the ``is_superuser`` flag set)
107 will be allowed.
108
109 Defaults to ``off``.
110
111 ``DjangoPermissionName`` The name of a permission to require for
112 access. See :ref:`custom permissions
113 <custom-permissions>` for more
114 information.
115
116 By default no specific permission will be
117 required.
118 ================================ =========================================
119
120Note that sometimes ``SetEnv`` doesn't play well in this mod_python
121configuration, for reasons unknown. If you're having problems getting
122mod_python to recognize your ``DJANGO_SETTINGS_MODULE``, you can set it using
123``PythonOption`` instead of ``SetEnv``. Therefore, these two Apache directives
124are equivalent::
125
126 SetEnv DJANGO_SETTINGS_MODULE mysite.settings
127 PythonOption DJANGO_SETTINGS_MODULE mysite.settings