First of all, this is a set of notes written while rummaging through the documentation to get an overview of the "ticket authentication" provided by mod_auth_tkt. There is not much documentation for either module (the Apache module mod_auth_tkt and the Python AuthTkt package).
However, the information contained in the cookie itself is simple, so it did not seem to be too much trouble.
The main sources of information were ...
In this article, I will only give an overview.
The ticket issuer (here, a Django site) and the ticket consumer (here, a specific Apache directory) share the following two things:
With these two shared, the ticket issuer saves the ticket as a cookie based on the following:
These are listed side by side, but to be precise, the "common secret" and the "hash algorithm" are what is needed to make a ticket, while the "user name" and the "IP address" are the information contained in the ticket (cookie).
Apache uses the cookie name and the common secret to verify the ticket, confirms things such as the following,
and then performs authentication and authorization.
You can specify multiple tokens on both sides (this is not required). If the consumer expects the "admin" token, the issuer must embed the "admin" token in the ticket. I think some access control can be achieved this way. (However, since there can only be one common secret, it feels a bit off to build a strict ACL on top of this.)
It seems that the validity scope and expiration date of a ticket can be specified in some detail, but that is outside the scope of this article.
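To make the sharing described above concrete, here is an added example (not code from the page, mod_auth_tkt or the AuthTkt package) that builds and verifies a ticket in the format mod_auth_tkt uses: a two-round digest over the packed client IP, issue timestamp, common secret, user name, tokens and user data, followed by the timestamp, user name, tokens and data in clear text. MD5 is the module's default digest and is used here; the secret "Ukaga" comes from the page's Apache snippet, while the IP address, user name and timestamp are constructed. The `authorize` function models what the consumer does with a required token and a timeout; it is this example's own helper, not part of the module.

```python
"""Issue and verify mod_auth_tkt-style tickets with the standard library only.

Cookie layout: <hex digest><8 hex chars of timestamp><user>!<tok,tok>!<data>
The digest is keyed with the shared secret, so the consumer needs the same
secret and the same hash algorithm; nothing in the ticket is encrypted, only
authenticated, and the ticket is bound to the client IP it was issued for.
"""
import hashlib
import hmac
import socket
import struct
import time
from urllib.parse import quote, unquote


class BadTicket(Exception):
    """Raised when a ticket does not parse or its digest does not verify."""


def _ip_timestamp(ip, ts):
    """Pack the IPv4 client address and the issue time as 8 big-endian bytes."""
    return socket.inet_aton(ip) + struct.pack('>I', int(ts))


def calculate_digest(secret, ip, ts, user, tokens, data, algo=hashlib.md5):
    """Two-round digest shared by issuer and consumer (MD5 by default)."""
    inner = algo(_ip_timestamp(ip, ts) + secret.encode() + user.encode()
                 + b'\0' + tokens.encode() + b'\0' + data.encode()).hexdigest()
    return algo(inner.encode() + secret.encode()).hexdigest()


def make_ticket(secret, user, ip, tokens=(), data='', ts=None):
    """Issuer side: build the cookie value for one user bound to one IP."""
    ts = int(ts if ts is not None else time.time())
    tokens_str = ','.join(tokens)
    digest = calculate_digest(secret, ip, ts, user, tokens_str, data)
    value = '%s%08x%s!' % (digest, ts, quote(user))
    if tokens_str:
        value += tokens_str + '!'
    return value + data


def parse_ticket(secret, ticket, ip, algo=hashlib.md5):
    """Consumer side: check the digest, then return (ts, user, tokens, data)."""
    hexlen = algo().digest_size * 2
    digest, rest = ticket[:hexlen], ticket[hexlen:]
    try:
        ts = int(rest[:8], 16)
    except ValueError:
        raise BadTicket('timestamp is not a hex integer')
    try:
        user, payload = rest[8:].split('!', 1)
    except ValueError:
        raise BadTicket('user id is not followed by "!"')
    user = unquote(user)
    if '!' in payload:
        tokens_str, data = payload.split('!', 1)
    else:
        tokens_str, data = '', payload
    expected = calculate_digest(secret, ip, ts, user, tokens_str, data, algo)
    # constant-time compare: a forged digest must not be distinguishable by timing
    if not hmac.compare_digest(expected, digest):
        raise BadTicket('digest mismatch (wrong secret, other IP, or tampered fields)')
    tokens = tokens_str.split(',') if tokens_str else []
    return ts, user, tokens, data


def authorize(secret, ticket, ip, required_token=None, timeout=None, now=None):
    """Model of the consumer's decision: return the user name if the ticket
    verifies for this IP, is younger than `timeout` seconds and carries
    `required_token`; otherwise None (deny)."""
    try:
        ts, user, tokens, _ = parse_ticket(secret, ticket, ip)
    except BadTicket:
        return None
    now = int(now if now is not None else time.time())
    if timeout is not None and now - ts > timeout:
        return None
    if required_token is not None and required_token not in tokens:
        return None
    return user


if __name__ == '__main__':
    # constructed sample: secret from the page's config, the rest made up
    t = make_ticket('Ukaga', 'alice', '192.0.2.10', tokens=['user'], ts=1700000000)
    print(t)
    print(authorize('Ukaga', t, '192.0.2.10', required_token='user'))   # alice
    print(authorize('Ukaga', t, '192.0.2.10', required_token='admin'))  # None
```

Two things worth noticing from running it: the user name and tokens are readable by anyone who holds the cookie, so the secret is the only thing standing between a client and a self-issued ticket, and a ticket issued for one client IP fails verification from another (the behaviour that a consumer-side "ignore IP" setting would switch off).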
# apt-get install mod_auth_tkt
# pip install -U AuthTkt
There are quite a few examples in the mod_auth_tkt man page, so it is probably better to look there ...
TKTAuthSecret "Ukaga"
<Directory /opt/griflet/data/result/>
    AuthType None
    TKTAuthLoginURL http://example.com/django/issue_ticket
    TKTAuthDomain example.com
    TKTAuthDebug 3
</Directory>
On Debian, there is a section in /etc/apache2/mods-enabled/auth_tkt.conf where TKTAuthSecret is expected to be written.
If TKTAuthDebug is set, messages will appear in error.log. For all other explanations I defer to the man page.
In particular, there is a good chance that the cookie settings are rather sloppy, but this will do for the time being. (urls.py and everything else is omitted.)
import authtkt
from django.contrib.auth.decorators import login_required
from django.shortcuts import render

from . import utils  # assumed helper module providing get_client_ip(request)

TKT_AUTH_SECRET = 'Ukaga'        # must match TKTAuthSecret on the Apache side
TKT_AUTH_DOMAIN = 'example.com'  # must match TKTAuthDomain
NAMESPACE = 'myapp'              # placeholder: the app's template namespace


@login_required
def issue_ticket(request):
    user = request.user
    # http://stackoverflow.com/questions/4581789/how-do-i-get-user-ip-address-in-django
    ip = utils.get_client_ip(request)
    # ticket bound to this user and client IP, carrying the "user" token
    token = authtkt.AuthTicket(TKT_AUTH_SECRET,
                               user.username,
                               ip,
                               tokens=['user'])
    # TODO: redirect to the "back" URL instead of rendering a page
    response = render(request, '{}/hello.html'.format(NAMESPACE), {})
    response.set_cookie('auth_tkt', token.cookie_value(),
                        domain=TKT_AUTH_DOMAIN)
    return response
As the TODO says, when you access "TKTAuthLoginURL" without a ticket, you are redirected to this page with the return URL set in the "back" query parameter, so the view should redirect the user there.
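Redirecting to whatever arrives in "back" turns the login URL into an open redirect, so the value should be checked before use. The helper below is an added example (not from the page or from Django) that accepts only relative paths or absolute URLs on the site's own hosts; the host "example.com" comes from the page's config, the sample paths are constructed, and in a real Django view you would pass `request.get_host()` as the allowed host and hand the result to `django.shortcuts.redirect`.

```python
from urllib.parse import urlsplit


def safe_back_url(back, allowed_hosts, default='/', require_https=False):
    """Return `back` if it is safe to redirect to, otherwise `default`.

    Safe means: a relative path on this site, or an http(s) URL whose host is
    in `allowed_hosts`. Everything else (other hosts, protocol-relative
    "//host" forms, backslash tricks, javascript: and other schemes, control
    characters) falls back to `default`.
    """
    if not back:
        return default
    back = back.strip()
    # control characters and backslashes are normalised by browsers in ways
    # that can turn a "relative" path into a different host, so reject them
    if any(c in back for c in '\r\n\t\\'):
        return default
    if back.startswith('///'):
        return default
    parts = urlsplit(back)
    if parts.scheme and parts.scheme.lower() not in ('http', 'https'):
        return default
    if require_https and parts.scheme.lower() == 'http':
        return default
    if parts.netloc == '':
        # plain relative path such as "/results/report.txt"
        return back
    if parts.hostname and parts.hostname.lower() in allowed_hosts:
        return back
    return default


if __name__ == '__main__':
    # constructed inputs: the first two are accepted, the rest fall back to "/"
    for candidate in ('/results/report.txt',
                      'http://example.com/results/report.txt',
                      'http://evil.example.net/',
                      '//evil.example.net/',
                      '/\\evil.example.net',
                      'javascript:alert(1)'):
        print(repr(candidate), '->', safe_back_url(candidate, {'example.com'}))
```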
There are a lot of confusing modules, especially on the Python implementation side;
choose whichever one you think is better. However, as long as the specification on the consumer side (Apache) has not changed, there should be virtually no difference in what needs to be done.
For the small scale we have in mind this time this is probably fine, but there seem to be many people doing the same thing at a larger scale.
Remembering that this is possible too should make it easier to look things up.
After a little more research, I also have to report that it did not suit my purpose.
For example, suppose you build a Django website that dynamically creates and removes multiple projects (for example, project management). In that case, I would like to issue a different type of ticket for each project and change which files can be downloaded according to the type of ticket.
This cannot be done with Apache mod_auth_tkt alone.
Specifically, the current implementation of mod_auth_tkt does not allow variables in TKTAuthToken in any way. Even if you set an Apache environment variable with SetEnvIf, it cannot be read there, at least in the version I verified. I looked at the source code, and again there is no logic to handle this.
I heard about X-SendFile, so I'll try that next.