diff --git a/AUTHORS b/AUTHORS index 0e0b7fdabde..0d0f454e256 100644 --- a/AUTHORS +++ b/AUTHORS @@ -308,6 +308,7 @@ answer newbie questions, and generally made Django that much better: James Wheare Jannis Leidel Janos Guljas + Jan Pazdziora Jan Rademaker Jarek Zgoda Jason Davies (Esaj) diff --git a/django/contrib/auth/middleware.py b/django/contrib/auth/middleware.py index 02c7b26298a..e13eb5374b6 100644 --- a/django/contrib/auth/middleware.py +++ b/django/contrib/auth/middleware.py @@ -53,6 +53,7 @@ class RemoteUserMiddleware(object): # used in the request.META dictionary, i.e. the normalization of headers to # all uppercase and the addition of "HTTP_" prefix apply. header = "REMOTE_USER" + force_logout_if_no_header = True def process_request(self, request): # AuthenticationMiddleware is required so that request.user exists. @@ -69,7 +70,7 @@ class RemoteUserMiddleware(object): # If specified header doesn't exist then remove any existing # authenticated remote-user, or return (leaving request.user set to # AnonymousUser by the AuthenticationMiddleware). - if request.user.is_authenticated(): + if self.force_logout_if_no_header and request.user.is_authenticated(): self._remove_invalid_user(request) return # If the user is already authenticated and that user is the user we are @@ -118,3 +119,16 @@ class RemoteUserMiddleware(object): else: if isinstance(stored_backend, RemoteUserBackend): auth.logout(request) + + +class PersistentRemoteUserMiddleware(RemoteUserMiddleware): + """ + Middleware for Web-server provided authentication on logon pages. + + Like RemoteUserMiddleware but keeps the user authenticated even if + the header (``REMOTE_USER``) is not found in the request. Useful + for setups when the external authentication via ``REMOTE_USER`` + is only expected to happen on some "logon" URL and the rest of + the application wants to use Django's authentication mechanism. + """ + force_logout_if_no_header = False diff --git a/docs/howto/auth-remote-user.txt b/docs/howto/auth-remote-user.txt index 39454c5f63a..bef562d5655 100644 --- a/docs/howto/auth-remote-user.txt +++ b/docs/howto/auth-remote-user.txt @@ -19,7 +19,8 @@ When the Web server takes care of authentication it typically sets the ``REMOTE_USER`` environment variable for use in the underlying application. In Django, ``REMOTE_USER`` is made available in the :attr:`request.META ` attribute. Django can be configured to make -use of the ``REMOTE_USER`` value using the ``RemoteUserMiddleware`` and +use of the ``REMOTE_USER`` value using the ``RemoteUserMiddleware`` +or ``PersistentRemoteUserMiddleware``, and :class:`~django.contrib.auth.backends.RemoteUserBackend` classes found in :mod:`django.contrib.auth`. @@ -95,3 +96,25 @@ If your authentication mechanism uses a custom HTTP header and not If you need more control, you can create your own authentication backend that inherits from :class:`~django.contrib.auth.backends.RemoteUserBackend` and override one or more of its attributes and methods. + +.. _persistent-remote-user-middleware-howto: + +Using ``REMOTE_USER`` on login pages only +========================================= + +.. versionadded:: 1.9 + +The ``RemoteUserMiddleware`` authentication middleware assumes that the HTTP +request header ``REMOTE_USER`` is present with all authenticated requests. That +might be expected and practical when Basic HTTP Auth with ``htpasswd`` or other +simple mechanisms are used, but with Negotiate (GSSAPI/Kerberos) or other +resource intensive authentication methods, the authentication in the front-end +HTTP server is usually only set up for one or a few login URLs, and after +successful authentication, the application is supposed to maintain the +authenticated session itself. + +:class:`~django.contrib.auth.middleware.PersistentRemoteUserMiddleware` +provides support for this use case. It will maintain the authenticated session +until explicit logout by the user. The class can be used as a drop-in +replacement of :class:`~django.contrib.auth.middleware.RemoteUserMiddleware` +in the documentation above. diff --git a/docs/ref/middleware.txt b/docs/ref/middleware.txt index d2563475778..733e7011191 100644 --- a/docs/ref/middleware.txt +++ b/docs/ref/middleware.txt @@ -374,6 +374,14 @@ every incoming ``HttpRequest`` object. See :ref:`Authentication in Web requests Middleware for utilizing Web server provided authentication. See :doc:`/howto/auth-remote-user` for usage details. +.. class:: PersistentRemoteUserMiddleware + +.. versionadded:: 1.9 + +Middleware for utilizing Web server provided authentication when enabled only +on the login page. See :ref:`persistent-remote-user-middleware-howto` for usage +details. + .. class:: SessionAuthenticationMiddleware Allows a user's sessions to be invalidated when their password changes. See diff --git a/docs/releases/1.9.txt b/docs/releases/1.9.txt index 3dc76dbd12a..0b84b3c6d31 100644 --- a/docs/releases/1.9.txt +++ b/docs/releases/1.9.txt @@ -172,6 +172,10 @@ Minor features :func:`~django.contrib.auth.decorators.permission_required()` accepts all kinds of iterables, not only list and tuples. +* The new :class:`~django.contrib.auth.middleware.PersistentRemoteUserMiddleware` + makes it possible to use ``REMOTE_USER`` for setups where the header is only + populated on login pages instead of every request in the session. + :mod:`django.contrib.gis` ^^^^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/tests/auth_tests/test_remote_user.py b/tests/auth_tests/test_remote_user.py index d0f3f2283fc..a413b97ee43 100644 --- a/tests/auth_tests/test_remote_user.py +++ b/tests/auth_tests/test_remote_user.py @@ -232,3 +232,26 @@ class CustomHeaderRemoteUserTest(RemoteUserTest): 'auth_tests.test_remote_user.CustomHeaderMiddleware' ) header = 'HTTP_AUTHUSER' + + +class PersistentRemoteUserTest(RemoteUserTest): + """ + PersistentRemoteUserMiddleware keeps the user logged in even if the + subsequent calls do not contain the header value. + """ + middleware = 'django.contrib.auth.middleware.PersistentRemoteUserMiddleware' + require_header = False + + def test_header_disappears(self): + """ + A logged in user is kept logged in even if the REMOTE_USER header + disappears during the same browser session. + """ + User.objects.create(username='knownuser') + # Known user authenticates + response = self.client.get('/remote_user/', **{self.header: self.known_user}) + self.assertEqual(response.context['user'].username, 'knownuser') + # Should stay logged in if the REMOTE_USER header disappears. + response = self.client.get('/remote_user/') + self.assertEqual(response.context['user'].is_anonymous(), False) + self.assertEqual(response.context['user'].username, 'knownuser')