Basic Authentication on mod_wsgi

I’m currently in the process of creating an iPhone app for Inzolo. This requires an API of course. I wanted to take advantage of what was currently available for Django and I came across wapi. Time is of the essence so I decided to take the easiest route and use basic authentication for now. (I’m still learning about API best practices).

I got some basic API calls working on my local machine running “manage.py runserver”. Once I pushed it live, the basic authentication would not work. I’m hosting with Webfaction so I posted to the forum for help and continued to look.

I wasn’t making progress at all so I started looking for another API framework and learned of Piston. In hindsight I would have started here because it was developed by bitbucket.org and it seems it will have much greater longevity.

In any case, while reading the docs for Piston I saw this note:

Note: that using piston.authentication.HttpBasicAuthentication with apache and mod_wsgi requires you to add the WSGIPassAuthorization On directive to the server or vhost config, otherwise django-piston cannot read the authentication data from HTTP_AUTHORIZATION in request.META. See: http://code.google.com/p/modwsgi/wiki/ConfigurationDirectives#WSGIPassAuthorization.

That was the clue I needed! I added this one-liner to the Apache config and… it still didn’t work. :(

I then went through the process of upgrading. I was running Django (1.0.2)/mod_wsgi (2.0)/Python (2.5); I upgraded to Django (1.1.1)/mod_wsgi (2.5)/Python (2.5). Now, with the “WSGIPassAuthorization On” it works.


January 11, 2010. Posted in: Programming & Internet
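
What the application sees with and without the header, as an added example (not code from the original post, wapi or Piston): a framework-free WSGI app that reads HTTP_AUTHORIZATION the way a Basic-auth backend has to. The demo account, realm and helper names are constructed for illustration; an environ with no HTTP_AUTHORIZATION key is what the app receives under mod_wsgi when WSGIPassAuthorization is not On.

```python
import base64
import hmac

# Constructed demo account; a real application would check its user database.
DEMO_USER, DEMO_PASSWORD = "demo", "s3cret-example"

def basic_credentials(environ):
    """Return (username, password) from HTTP_AUTHORIZATION, or None.

    None covers both a client that sent no credentials and a server that
    dropped the header before the application ran (mod_wsgi without
    WSGIPassAuthorization On); the application cannot tell them apart.
    """
    header = environ.get("HTTP_AUTHORIZATION", "")
    scheme, _, payload = header.partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except ValueError:  # bad base64 or bad UTF-8: treat as unauthenticated
        return None
    # Split on the first colon only: passwords may contain ':'.
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None

def application(environ, start_response):
    """Minimal WSGI app: 200 for the demo account, 401 otherwise."""
    creds = basic_credentials(environ)
    # Constant-time comparison of both fields, without short-circuiting.
    ok = creds is not None and (
        hmac.compare_digest(creds[0].encode(), DEMO_USER.encode())
        & hmac.compare_digest(creds[1].encode(), DEMO_PASSWORD.encode())
    )
    if ok:
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"authenticated\n"]
    start_response("401 Unauthorized", [
        ("WWW-Authenticate", 'Basic realm="api"'),
        ("Content-Type", "text/plain"),
    ])
    return [b"credentials missing or invalid\n"]

def status_for(environ):
    """Run the app against a constructed environ and return the status line."""
    seen = []
    application(environ, lambda status, headers: seen.append(status))
    return seen[0]
```

A client that keeps getting 401 with correct credentials, while the same code works under “manage.py runserver”, matches the missing-key case: `status_for({})` returns the 401 status regardless of what the client sent.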

10 Responses

  1. Graham Dumpleton - January 11, 2010

    FWIW, WSGIPassAuthorization has always existed with mod_wsgi and there is no reason it shouldn’t have worked with the older version.

  2. Dustin - January 11, 2010

    @Graham – you’re the man! I have never seen someone as singly dedicated to an open source project and pro-actively helpful.

    I was looking at the documentation and from all I could tell it should have worked with 2.0. My only guess is that there were perhaps some other settings that had changed with the new setup, or perhaps Django itself had an issue. I would be curious to hear if anyone else has had similar issues.

    It was good to have a reason to upgrade Django anyway.

  3. Jesper Noehr - January 12, 2010

    Glad you found (and hopefully like) Piston. Let me know if you have any questions.

  4. Steve from Lift Chairs - January 25, 2010

    Sometimes the quickest and easiest route is the best. Sometimes, for me anyway, it can be hard not to reinvent the wheel though, especially if you think you can do it better.

    I know how frustrating that whole hindsight thing can be too. Just this weekend, I spent a few hours trying to install Windows in a virtual machine, with a bad CD.

    It would have only normally taken about 30 minutes, but at least 25% of the files on the cd were corrupt. After fighting it for a few hours and using two different Windows CDs, I got it installed. However, afterwards, I thought of a better way to install it that would have probably not taken too much longer than a traditional install.

  5. David Kotkin from crankshafts - January 26, 2010

    Daemon mode of mod_wsgi will however only be available on Apache 2.0 or 2.2 running on UNIX, and only when the Apache runtime library underlying Apache has been compiled with support for threading.

  6. John Jeracevich - January 28, 2010

    I sometimes use HTTP (Basic) Authentication to authenticate requests to an API of a website. Using cookie and form-based authentication for an API which will be used programmatically is generally a PITA. If the views are exposed via HTTPS (SSL/TLS encrypted) then I see no problem in using HTTP Basic Authentication.

  7. Mark Daniel from Working Out Abs - January 28, 2010

    There is a good snippet available on djangosnippets.org, which implements a decorator for protecting individual views with HTTP Basic Authentication. You can see the code here: Snippet 243.

  8. Rob from Metal Bending - January 28, 2010

    (most often Microsoft Internet Explorer) in the border of the viewable screen as the visitor is viewing your website. This serves as an anchor so that the visitor knows where he or she is on your website. For this reason, titles need to clearly relate to their page and should include bread crumb or mouse trail information if there is space available. Microsoft’s browser, called Internet Explorer, displays the first 95 characters of your title tag. For title tags longer than 95 characters, Internet Explorer will simply crop the tag, as you can see it has done to the title of this Web page.

  9. Fred from Laser Acne Removal - January 28, 2010

    A good companion may be the require_POST decorator from django.views.decorators.http, which you can use on (api-) views, which only alter data and therefore should only receive HTTP POST requests. Decorators can be stacked, so you can write:

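    from django.views.decorators.http import require_POST

    @require_POST
    @logged_in_or_basicauth()  # decorator defined in djangosnippets.org Snippet 243
    def api_view(request):
        ...  # view body goes here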

  10. Salvatore from Wisdek - January 31, 2010

    The decorator will handle all the details of the HTTP Basic Authentication for you, so now let’s get back to the reason, why I’m writing this text: If you want to use this method to protect your views and you host your Django project on Apache with mod_wsgi, you have to add one setting to your Apache configuration:

    WSGIPassAuthorization On
