source: mauRepo/dj_security_middleware/tags/v_0_0_7/dj_security_middleware/README @ 8706

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/mauRepo/dj_security_middleware/tags/v_0_0_7/dj_security_middleware/README@8706
Revision 8706, 3.6 KB checked in by mnagni, 7 years ago

Encodes base64 the GET's parameters

Adds a layer to interact with a paste-enabled, Django-based security service,
typically a dj_security app.

The dj_security_middleware.middleware.DJ_Security_Middleware checks two cases:
1) whether the HTTP request contains a cookie called 'auth_tkt'
2) whether the underlying application defines a function returning a value
that is not None (see DJ_SECURITY_AUTH_CHECK).
If neither of the previous is verified, the middleware redirects the request to
the DJ_SECURITY_LOGIN_SERVICE.

If the authentication succeeds, the DJ_SECURITY_LOGIN_SERVICE sets the 'auth_tkt' cookie,
which is caught by the middleware, which:
a) reads the information in the cookie and copies it into the request
'authenticated_user' parameter
b) deletes the 'auth_tkt' cookie for security reasons.
The request 'authenticated_user' parameter contains all the user information
returned by the authentication service, and from this moment the underlying
application is responsible for it.

The configuration is quite straightforward. In your Django app settings.py add:

1) 'dj_security_middleware.middleware.DJ_Security_Middleware' to MIDDLEWARE_CLASSES

2) DJ_SECURITY_LOGIN_SERVICE to specify the URL where the authentication service
is listening (say http://my.domain.ac.uk/login)

3) DJ_SECURITY_SHAREDSECRET to specify the secret key used by the authentication
service to encrypt the 'auth_tkt' cookie (say 'sharedsecret')

4) DJ_SECURITY_FILTER (optional) is a list of URL paths which are secured
by the middleware; that is, if a request URL matches any entry in DJ_SECURITY_FILTER,
the middleware will verify whether the user is authenticated or not.
If the parameter is absent all the required paths will be secured.
More specifically the middleware will trust
 - all the patterns equal to a given path
 - all the patterns equal to or below a given path
Example:
-------------------------------------------------------------------------
# If not already authenticated redirects to the DJ_SECURITY_LOGIN_SERVICE
DJ_SECURITY_FILTER = []

# If not already authenticated redirects to the DJ_SECURITY_LOGIN_SERVICE
# all the paths starting with "/my_ceda"
DJ_SECURITY_FILTER = ['/my_ceda']

# If not already authenticated redirects to the DJ_SECURITY_LOGIN_SERVICE
# all the paths starting with "/my_ceda/my_page" but not paths like "/my_ceda"
DJ_SECURITY_FILTER = ['/my_ceda/my_page']

# Equivalent to ['/my_ceda']
DJ_SECURITY_FILTER = ['/my_ceda/my_page', '/my_ceda']

# If not already authenticated redirects to the DJ_SECURITY_LOGIN_SERVICE
# all the paths starting with regular expression "/my_ceda/[1-2]", that is
# 'my_ceda/1_test' will be secured, 'my_ceda/3_test' will not be
DJ_SECURITY_FILTER = ['/my_ceda/[1-2]']
-------------------------------------------------------------------------
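
One way to check a DJ_SECURITY_FILTER list against sample paths before deploying it (an added example, not code from dj_security_middleware). It assumes, from the description above, that each entry is a regular expression matched from the start of the request path and that an absent or empty list secures every path; is_secured, open_paths and SAMPLE_PATHS are hypothetical names.

```python
import re

# Constructed sample paths for the audit; the filter values come from the README.
SAMPLE_PATHS = [
    "/my_ceda", "/my_ceda/my_page", "/my_ceda/my_page/edit",
    "/my_ceda/1_test", "/my_ceda/3_test", "/my_ceda_public", "/other",
]


def is_secured(path, filters=None):
    """Return True when a request for `path` would require authentication.

    Assumption (from the README text, not from the middleware source): every
    entry is a regular expression matched from the start of the path, and an
    absent or empty list secures every path.
    """
    if not filters:
        return True
    return any(re.match(pattern, path) for pattern in filters)


def open_paths(filters, paths=SAMPLE_PATHS):
    """List the sample paths that the filter list leaves unauthenticated."""
    return [p for p in paths if not is_secured(p, filters)]


if __name__ == "__main__":
    for filters in (None, ["/my_ceda"], ["/my_ceda/my_page"], ["/my_ceda/[1-2]"]):
        print("DJ_SECURITY_FILTER = %r" % (filters,))
        for path in SAMPLE_PATHS:
            state = "secured" if is_secured(path, filters) else "open"
            print("    %-24s %s" % (path, state))
```

Under prefix matching, '/my_ceda' also covers '/my_ceda_public', and any path that no entry matches is served without the authentication check, so review the open list after every filter change.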

5) DJ_SECURITY_AUTH_CHECK (optional) is a function which returns a boolean and
shall accept one parameter, through which the middleware will pass the HTTPRequest.
If the function raises an exception, or returns False or None, the middleware forces
the user to authenticate through the DJ_SECURITY_LOGIN_SERVICE.
This function may be useful in two further situations:
a) enable/disable the middleware (an almost empty function which simply returns True/False)
b) append to the HTTPRequest further, application related, parameters
Example:
--------------------------------
# Define the function before assigning it; otherwise settings.py raises a NameError
def my_auth(request):
    # Returning True means the middleware does not redirect to the login service
    return True

DJ_SECURITY_AUTH_CHECK = my_auth
--------------------------------

6) DJ_MIDDLEWARE_IP (optional) to specify the IP of the client machine where the middleware is installed
(say '123.456.7.8'). The reason for this is that the client machine could be behind
a proxy, and in this case the authentication service uses the remote machine IP,
the proxy in this case, to encrypt the cookie.