Django has its own built-in authentication mechanism, which is documented on the Django website. Personally, I prefer to use Apache's authentication, simply because it means you can authenticate your Django users against any Apache auth mechanism.
What this means is you're not forced to create yet another user/password database when you install a Django app, or struggle to integrate the new program with your existing systems. This makes your technology easier to manage and more secure, because you can disable or lock accounts easily.
Creating the code
Here's the module I use to check a user's credentials against Apache's authentication:
    from django.db import models
    from django.contrib.auth.models import User as DjangoUser
    from django.contrib.auth import login
    from django.shortcuts import render_to_response
    from django.conf import settings
    from django.http import Http404


    def http_login(request):
        """Log in the user that Apache has already authenticated (REMOTE_USER).

        Returns the Django user on success. Raises Http404 when Apache supplied
        no REMOTE_USER for this request or when the account is inactive.
        """
        if getattr(settings, 'DISABLE_AUTH', False):
            # Apache authentication switched off in settings.py: use the
            # default account instead.
            rem_user = 'surftrackr'
        else:
            # .get() yields None (rather than raising KeyError) when Apache
            # did not authenticate this request.
            rem_user = request.META.get('REMOTE_USER')
        if not rem_user:
            raise Http404
        try:
            django_user = DjangoUser.objects.get(username=rem_user)
        except DjangoUser.DoesNotExist:
            # First visit: create the Django user with a random password and
            # a placeholder email address.
            pw = DjangoUser.objects.make_random_password(
                length=10,
                allowed_chars='abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789')
            django_user = DjangoUser.objects.create_user(
                username=rem_user, email=rem_user + '@example.com', password=pw)
            # Adjust to your needs: Surftrackr gives every new user admin rights.
            django_user.is_staff = True
            django_user.is_superuser = True
            django_user.save()
        if django_user.is_active:
            # login() needs to know which backend vouched for the user.
            django_user.backend = 'django.contrib.auth.backends.ModelBackend'
            login(request, django_user)
            return django_user
        else:
            raise Http404


    def account_not_found(request):
        http_auth_name = request.META.get('REMOTE_USER')
        return render_to_response('httpauth/locked.html', locals())


    def check_login(request):
        user = http_login(request)
        if not user:
            return account_not_found(request)


    def check_is_staff(request):
        user = http_login(request)
        if not user.is_staff:
            return account_not_found(request)
I created this in the models.py file in an app called httpauth in my project (it's included in the latest Surftrackr if you need to know more). Most of the action takes place in http_login, which first checks settings.py to see whether authentication has been switched off (settings.DISABLE_AUTH). If it has (maybe because it's not enabled in Apache), a default user of 'surftrackr' is used, and every request then runs as that account, so leave DISABLE_AUTH off anywhere real users can reach the site. You can either create the default user yourself (using whatever name you want; don't forget to change the value in the code) in the admin interface in Django, or (as I do) let the code create that user if it doesn't exist already.
After that, the REMOTE_USER value that Apache sets is checked, and if it is missing I felt it reasonable to return a 404 error, since settings.py evidently enables auth but Apache is not in fact authenticating the request.
The try: ... except: block in http_login checks if the user exists in the Django user database, and (if not) creates the user with a random password and default email address. You could change "@example.com" to the value for your domain, if you need to use the email address for any real purpose (I include it only because Django requires it). The password is random because you'll quite possibly never need it. If you do, change it in the admin interface. Note that you can also create users in advance, if you know their username, in the admin, and set the password as required.
You'll notice that newly-created users are given the is_staff and is_superuser attributes, which again can be adjusted to your requirements. In the context of my program, Surftrackr, this is appropriate but might not be for your application.
There are a couple of utility functions like account_not_found and check_login, which you can call as required or (for the most part) ignore, because you probably won't need them.
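To show the decision logic of http_login end to end without a running Django and Apache, here is an added example (not part of the post or of Surftrackr): a Django-free model of the same flow with an in-memory user store. It assumes the names FALLBACK_USER, UserStore, AuthRejected, describe and the auto_create/grant_admin policy knobs, none of which appear in the post, stands AuthRejected in for Http404, and leaves out the session login() call. Running it exercises the cases a deployment has to get right: a request with no REMOTE_USER is refused, a first-time user is provisioned with a random password and whatever privileges the policy grants, and a locked account is refused even though Apache let the request through.

```python
import secrets
from dataclasses import dataclass, field

# Constructed stand-ins (assumptions) for the post's fallback account name and
# for the allowed_chars passed to make_random_password.
FALLBACK_USER = "surftrackr"
PASSWORD_ALPHABET = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"


class AuthRejected(Exception):
    """Raised where the post's http_login would raise Http404."""


@dataclass
class User:
    """Minimal stand-in for django.contrib.auth.models.User."""
    username: str
    email: str
    password: str
    is_active: bool = True
    is_staff: bool = False
    is_superuser: bool = False


@dataclass
class UserStore:
    """In-memory stand-in for DjangoUser.objects (hypothetical helper)."""
    users: dict = field(default_factory=dict)

    def get(self, username):
        return self.users.get(username)

    def create_user(self, username, email, password):
        user = User(username, email, password)
        self.users[username] = user
        return user


def make_random_password(length=10, alphabet=PASSWORD_ALPHABET):
    """Throwaway password drawn from the post's alphabet with a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def http_login(meta, store, disable_auth=False, auto_create=True, grant_admin=True):
    """Decide which account a request runs as, mirroring the post's http_login.

    meta is the request's META dict (where Apache puts REMOTE_USER).
    Returns the User to log in, or raises AuthRejected (the post's Http404).
    auto_create and grant_admin are assumed policy knobs, not in the post.
    """
    if disable_auth:
        # Authentication switched off: every request becomes the fallback account.
        rem_user = FALLBACK_USER
    else:
        rem_user = meta.get("REMOTE_USER")
    if not rem_user:
        # Apache did not authenticate this request, so there is nothing to trust.
        raise AuthRejected("no REMOTE_USER supplied by the web server")
    user = store.get(rem_user)
    if user is None:
        if not auto_create:
            raise AuthRejected("unknown user %s and auto-creation disabled" % rem_user)
        user = store.create_user(rem_user, rem_user + "@example.com", make_random_password())
        user.is_staff = grant_admin
        user.is_superuser = grant_admin
    if not user.is_active:
        # Locked in Django's admin: refuse even though Apache accepted the user.
        raise AuthRejected("account %s is locked" % rem_user)
    return user  # the real code would now call django.contrib.auth.login()


def describe(meta, store, **policy):
    """Summarise the outcome as 'ok:<user>' or 'rejected:<reason>'."""
    try:
        return "ok:" + http_login(meta, store, **policy).username
    except AuthRejected as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    store = UserStore()
    print(describe({"REMOTE_USER": "alice"}, store))    # ok:alice
    print(describe({}, store))                          # rejected:no REMOTE_USER supplied by the web server
    store.get("alice").is_active = False
    print(describe({"REMOTE_USER": "alice"}, store))    # rejected:account alice is locked
    print(describe({}, UserStore(), disable_auth=True))  # ok:surftrackr
```

The grant_admin knob is there because the post's version makes every auto-created user a superuser; whether that is acceptable depends entirely on who can pass Apache's authentication. Later Django releases ship django.contrib.auth.middleware.RemoteUserMiddleware and RemoteUserBackend, which implement this same REMOTE_USER mapping; the model above simply makes the post's logic testable.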
Authenticating in views
Then, from any Django view which needs to be authenticated, I first import the model:
    from surftrackr.httpauth.models import *
The code is invoked like this:
    def front_page(request):
        duser_obj = http_login(request)
If the user is authenticated, he'll get the view, and if not he'll get the HTML page specified in the account_not_found procedure.
And that's probably as much as you need to know! Just set up Apache's authentication (using anything from basic to LDAP to MySQL), make sure it works, and plug the code above into your project. If you need to see all the code in its context, download Surftrackr and (of course) install it on all your systems and tell your friends about it *8)