Protect all XML-RPC calls with HTTP basic auth but one
Posted
by bodom_lx
on Server Fault
See other posts from Server Fault
or by bodom_lx
Published on 2010-05-25T10:03:55Z
Indexed on
2010/05/25
10:11 UTC
Read the original article
Hit count: 244
I set up a Django project for smartphone serving XML-RPC methods over HTTPS and using basic auth. All XML-RPC methods require username and password.
I would like to implement a XML-RPC method to provide registration to the system.
Obviously, this method should not require username and password.
The following is the Apache conf section responsible for basic auth:
<Location /RPC2>
AuthType Basic
AuthName "Login Required"
Require valid-user
AuthBasicProvider wsgi
WSGIAuthUserScript /path/to/auth.wsgi
</Location>
This is my auth.wsgi:
import os
import sys
sys.stdout = sys.stderr
sys.path.append('/path/to/project')
os.environ['DJANGO_SETTINGS_MODULE'] = 'project.settings'
from django.contrib.auth.models import User
from django import db
def check_password(environ, user, password):
"""
Authenticates apache/mod_wsgi against Django's auth database.
"""
db.reset_queries()
kwargs = {'username': user, 'is_active': True}
try:
# checks that the username is valid
try:
user = User.objects.get(**kwargs)
except User.DoesNotExist:
return None
# verifies that the password is valid for the user
if user.check_password(password):
return True
else:
return False
finally:
db.connection.close()
There are two dirty ways to achieve my aim with current situation:
- Have a dummy username/password to be used when trying to register to the system
- Have a separate Django/XML-RPC application on another URL (ie: /register) that is not protected by basic auth
Both of them are very ugly, as I would also like to define a standard protocol to be used for services like mine (it's an open Dynamic Ridesharing Architecture)
Is there a way to unprotect a single XML-RPC call (ie. a defined POST request) even if all XML-RPC calls over /RPC2 are protected?
© Server Fault or respective owner