Protect all XML-RPC calls with HTTP basic auth but one

Posted by bodom_lx on Server Fault
Published on 2010-05-25T10:03:55Z Indexed on 2010/05/25 10:11 UTC

I set up a Django project for smartphones, serving XML-RPC methods over HTTPS and using basic auth. All XML-RPC methods require a username and password.
I would like to implement an XML-RPC method to provide registration to the system.
Obviously, this method should not require a username and password. The following is the Apache conf section responsible for basic auth:

<Location /RPC2>
    AuthType Basic
    AuthName "Login Required"
    Require valid-user
    AuthBasicProvider wsgi
    WSGIAuthUserScript  /path/to/auth.wsgi
</Location>

This is my auth.wsgi:

import os
import sys
sys.stdout = sys.stderr
sys.path.append('/path/to/project')

os.environ['DJANGO_SETTINGS_MODULE'] = 'project.settings'

from django.contrib.auth.models import User
from django import db

def check_password(environ, user, password):
    """
    Authenticates apache/mod_wsgi against Django's auth database.
    """

    db.reset_queries() 

    kwargs = {'username': user, 'is_active': True} 

    try:
        # checks that the username is valid
        try:
            user = User.objects.get(**kwargs)
        except User.DoesNotExist:
            return None

        # verifies that the password is valid for the user
        if user.check_password(password):
            return True
        else:
            return False
    finally:
        db.connection.close()

There are two dirty ways to achieve my aim with the current situation:

  1. Have a dummy username/password to be used when trying to register to the system
  2. Have a separate Django/XML-RPC application on another URL (i.e. /register) that is not protected by basic auth

Both of them are very ugly, as I would also like to define a standard protocol to be used for services like mine (it's an open Dynamic Ridesharing Architecture).

Is there a way to unprotect a single XML-RPC call (i.e. a defined POST request) even if all XML-RPC calls over /RPC2 are protected?
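
The `<Location /RPC2>` block matches on the URL path only, while the XML-RPC method name travels in the POST body, so a per-method exception has to be decided by code that parses that body. The following is an added example, not part of the original post, of a default-deny check that could run in the application in front of the XML-RPC dispatcher; `PUBLIC_METHODS`, `parse_basic_auth` and `authorize` are hypothetical names, and `check_password` is assumed to have the signature of the function in auth.wsgi above.

```python
import base64
import binascii
import xmlrpc.client

# Assumption: the only method callable without credentials. Everything else,
# including system.multicall and unknown names, is denied by default.
PUBLIC_METHODS = frozenset({"register"})


def parse_basic_auth(header):
    """Return (user, password) from an Authorization header value, or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # The password may itself contain ':', so split on the first one only.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authorize(body, auth_header, check_password):
    """Decide on one XML-RPC POST body. Returns (http_status, method_name)."""
    try:
        _params, method = xmlrpc.client.loads(body)
    except Exception:
        return 400, None          # malformed XML, or not a method call
    if method is None:
        return 400, None          # no <methodName> element present
    if method in PUBLIC_METHODS:
        return 200, method        # exact-match allowlist, no credentials needed
    creds = parse_basic_auth(auth_header)
    # check_password returns None (unknown user), False or True; only True passes.
    if creds is None or check_password(None, *creds) is not True:
        return 401, method
    return 200, method
```

With the check moved into the application, the auth directives in the `<Location>` block no longer apply to /RPC2, and mod_wsgi forwards the `Authorization` header to the application only when `WSGIPassAuthorization On` is set. A 401 response should carry a `WWW-Authenticate: Basic` header so clients know to retry with credentials.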
