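SSL authenticate from apache in Django
I want to authenticate users with the information in their x509 certificate... Apache seems to do the authentication, but there is no REMOTE_USER in Django. I don't know why.
Apache configuration: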
    NameVirtualHost *:443
    <VirtualHost *:443>
        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/server.crt
        SSLCertificateKeyFile /etc/apache2/ssl/server.key
        SSLVerifyClient require
        SSLVerifyDepth 10
        SSLCACertificateFile /etc/apache2/ssl/ca.cer
        SSLOptions +StdEnvVars +ExportCertData
        <Directory />
            Options FollowSymLinks
            AllowOverride None
            SSLOptions +StdEnvVars
        </Directory>
        <Directory /var/www/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
        </Directory>
        WSGIDaemonProcess rmc_wsgi processes=2 threads=15 display-name=%{GROUP}
        WSGIScriptAlias /rmc /home/xxx/projects/rmc/rmc/wsgi.py
        <Location /rmc>
            WSGIProcessGroup rmc_wsgi
        </Location>
    </VirtualHost>
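Middleware:
    from django.contrib.auth.middleware import RemoteUserMiddleware

    class CorrectRemoteUserMiddleware(RemoteUserMiddleware):
        header = "HTTP_REMOTE_USER"
Backend:
    import sys
    from django.contrib.auth.backends import RemoteUserBackend

    class RemoteUserBackendNoCreate(RemoteUserBackend):
        create_unknown_user = True
        def authenticate(self, remote_user):
            # Name the class explicitly; super(self.__class__, ...) recurses if subclassed.
            user = super(RemoteUserBackendNoCreate, self).authenticate(remote_user)
            # user is a User object or None, so format it instead of concatenating.
            print >> sys.stderr, "AuthBackend: REMOTE_USER=%s AuthBackend: User=%s" % (remote_user, user)
            print >> sys.stderr, 'in authenticate'
            return user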
settings.py:
    MIDDLEWARE_CLASSES = (
        'django.contrib.sessions.middleware.SessionMiddleware',
        'django.middleware.common.CommonMiddleware',
        'django.middleware.csrf.CsrfViewMiddleware',
        'django.contrib.auth.middleware.AuthenticationMiddleware',
        'webrecif.middleware.CorrectRemoteUserMiddleware',
        'django.contrib.messages.middleware.MessageMiddleware',
        'django.middleware.clickjacking.XFrameOptionsMiddleware',
        'django.contrib.auth.middleware.AuthenticationMiddleware',
        'django.contrib.auth.middleware.RemoteUserMiddleware',
    )
    AUTHENTICATION_BACKENDS = (
        'django.contrib.auth.backends.RemoteUserBackend',
        'webrecif.backends.RemoteUserBackendNoCreate',
    )
    TEMPLATE_CONTEXT_PROCESSORS = (
        'django.contrib.auth.context_processors.auth',
        'django.core.context_processors.static',
    )
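I think you want to add SSLUserName SSL_CLIENT_S_DN_CN to your apache ssl conf; per http://httpd.apache.org/docs/2.2/mod/mod_ssl.html, this would set REMOTE_USER to the Common Name of the user. (Depending on how many certs you support, you might want to use the DN to guarantee uniqueness.) You may also need to add some munging if your DNs or CNs exceed the Django username string length.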
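One way to do the munging the answer mentions, as an added example that is not part of the original answer: it assumes Apache passes the full subject DN (SSLUserName SSL_CLIENT_S_DN) and maps it to a bounded username, keeping the CN readable and appending a digest of the whole DN so two certificates with the same CN do not share an account. The function name, the 30-character default and the sample DNs are assumptions made for illustration.

```python
import hashlib
import re

# Assumption: 30 is the username max_length of older Django releases
# (newer ones allow 150); pass the limit of your own User model.
MAX_LEN = 30
DIGEST_CHARS = 12  # 48 bits of SHA-256 taken over the full DN

# CN may follow "/" (slash-separated DN) or "," (comma-separated DN).
_CN = re.compile(r"(?:^|[,/])\s*CN=([^,/]+)", re.IGNORECASE)
# Anything outside letters, digits and "_.@+-" is replaced.
_UNSAFE = re.compile(r"[^\w.@+-]", re.ASCII)


def dn_to_username(subject_dn, max_len=MAX_LEN):
    """Map a certificate subject DN to a bounded, stable username."""
    dn = (subject_dn or "").strip()
    if not dn:
        raise ValueError("empty subject DN")
    if max_len < DIGEST_CHARS + 2:
        raise ValueError("max_len too small for label plus digest")

    match = _CN.search(dn)
    label = _UNSAFE.sub("_", match.group(1).strip()) if match else ""
    # Leave room for "-" plus the digest; fall back to a fixed label.
    label = label[: max_len - DIGEST_CHARS - 1] or "cert"

    digest = hashlib.sha256(dn.encode("utf-8")).hexdigest()[:DIGEST_CHARS]
    return "%s-%s" % (label, digest)


# Wiring (comment only, so this file runs without Django): in a
# RemoteUserBackend subclass, override clean_username(self, username)
# to return dn_to_username(username).

# Constructed sample DNs: same CN under two OUs, one comma-separated.
SAMPLES = [
    "/C=FR/O=Example/OU=A/CN=Jean Dupont",
    "/C=FR/O=Example/OU=B/CN=Jean Dupont",
    "CN=alice,O=Example,C=FR",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("%-40s -> %s" % (sample, dn_to_username(sample)))
```

The digest is taken over the DN string exactly as Apache passes it, so a change in how the DN is rendered produces a different username for the same certificate.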