<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang=""> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Authentication using REMOTE_USER — Django 1.8.19 documentation</title> <link rel="stylesheet" href="../_static/default.css" type="text/css" /> <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../', VERSION: '1.8.19', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', HAS_SOURCE: true }; </script> <script type="text/javascript" src="../_static/jquery.js"></script> <script type="text/javascript" src="../_static/underscore.js"></script> <script type="text/javascript" src="../_static/doctools.js"></script> <link rel="index" title="Index" href="../genindex.html" /> <link rel="search" title="Search" href="../search.html" /> <link rel="top" title="Django 1.8.19 documentation" href="../contents.html" /> <link rel="up" title="“How-to” guides" href="index.html" /> <link rel="next" title="Writing custom django-admin commands" href="custom-management-commands.html" /> <link rel="prev" title="“How-to” guides" href="index.html" /> <script type="text/javascript" src="../templatebuiltins.js"></script> <script type="text/javascript"> (function($) { if (!django_template_builtins) { // templatebuiltins.js missing, do nothing. return; } $(document).ready(function() { // Hyperlink Django template tags and filters var base = "../ref/templates/builtins.html"; if (base == "#") { // Special case for builtins.html itself base = ""; } // Tags are keywords, class '.k' $("div.highlight\\-html\\+django span.k").each(function(i, elem) { var tagname = $(elem).text(); if ($.inArray(tagname, django_template_builtins.ttags) != -1) { var fragment = tagname.replace(/_/, '-'); $(elem).html("<a href='" + base + "#" + fragment + "'>" + tagname + "</a>"); } }); // Filters are functions, class '.nf' $("div.highlight\\-html\\+django span.nf").each(function(i, elem) { var filtername = $(elem).text(); if ($.inArray(filtername, django_template_builtins.tfilters) != -1) { var fragment = filtername.replace(/_/, '-'); $(elem).html("<a href='" + base + "#" + fragment + "'>" + filtername + "</a>"); } }); }); })(jQuery); </script> </head> <body role="document"> <div class="document"> <div id="custom-doc" class="yui-t6"> <div id="hd"> <h1><a href="../index.html">Django 1.8.19 documentation</a></h1> <div id="global-nav"> <a title="Home page" href="../index.html">Home</a> | <a title="Table of contents" href="../contents.html">Table of contents</a> | <a title="Global index" href="../genindex.html">Index</a> | <a title="Module index" href="../py-modindex.html">Modules</a> </div> <div class="nav"> « <a href="index.html" title="&#8220;How-to&#8221; guides">previous</a> | <a href="index.html" title="&#8220;How-to&#8221; guides" accesskey="U">up</a> | <a href="custom-management-commands.html" title="Writing custom django-admin commands">next</a> »</div> </div> <div id="bd"> <div id="yui-main"> <div class="yui-b"> <div class="yui-g" id="howto-auth-remote-user"> <div class="section" id="s-authentication-using-remote-user"> <span id="authentication-using-remote-user"></span><h1>Authentication using <code class="docutils literal"><span class="pre">REMOTE_USER</span></code><a class="headerlink" href="#authentication-using-remote-user" title="Permalink to this headline">¶</a></h1> <p>This document describes how to make use of external authentication sources (where the Web server sets the <code class="docutils literal"><span class="pre">REMOTE_USER</span></code> environment variable) in your Django applications. This type of authentication solution is typically seen on intranet sites, with single sign-on solutions such as IIS and Integrated Windows Authentication or Apache and <a class="reference external" href="http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html">mod_authnz_ldap</a>, <a class="reference external" href="https://www.apereo.org/cas">CAS</a>, <a class="reference external" href="http://weblogin.org">Cosign</a>, <a class="reference external" href="http://www.stanford.edu/services/webauth/">WebAuth</a>, <a class="reference external" href="http://sourceforge.net/projects/mod-auth-sspi">mod_auth_sspi</a>, etc.</p> <p>When the Web server takes care of authentication it typically sets the <code class="docutils literal"><span class="pre">REMOTE_USER</span></code> environment variable for use in the underlying application. In Django, <code class="docutils literal"><span class="pre">REMOTE_USER</span></code> is made available in the <a class="reference internal" href="../ref/request-response.html#django.http.HttpRequest.META" title="django.http.HttpRequest.META"><code class="xref py py-attr docutils literal"><span class="pre">request.META</span></code></a> attribute. Django can be configured to make use of the <code class="docutils literal"><span class="pre">REMOTE_USER</span></code> value using the <code class="docutils literal"><span class="pre">RemoteUserMiddleware</span></code> and <a class="reference internal" href="../ref/contrib/auth.html#django.contrib.auth.backends.RemoteUserBackend" title="django.contrib.auth.backends.RemoteUserBackend"><code class="xref py py-class docutils literal"><span class="pre">RemoteUserBackend</span></code></a> classes found in <a class="reference internal" href="../topics/auth/index.html#module-django.contrib.auth" title="django.contrib.auth: Django's authentication framework."><code class="xref py py-mod docutils literal"><span class="pre">django.contrib.auth</span></code></a>.</p> <div class="section" id="s-configuration"> <span id="configuration"></span><h2>Configuration<a class="headerlink" href="#configuration" title="Permalink to this headline">¶</a></h2> <p>First, you must add the <a class="reference internal" href="../ref/middleware.html#django.contrib.auth.middleware.RemoteUserMiddleware" title="django.contrib.auth.middleware.RemoteUserMiddleware"><code class="xref py py-class docutils literal"><span class="pre">django.contrib.auth.middleware.RemoteUserMiddleware</span></code></a> to the <a class="reference internal" href="../ref/settings.html#std:setting-MIDDLEWARE_CLASSES"><code class="xref std std-setting docutils literal"><span class="pre">MIDDLEWARE_CLASSES</span></code></a> setting <strong>after</strong> the <a class="reference internal" href="../ref/middleware.html#django.contrib.auth.middleware.AuthenticationMiddleware" title="django.contrib.auth.middleware.AuthenticationMiddleware"><code class="xref py py-class docutils literal"><span class="pre">django.contrib.auth.middleware.AuthenticationMiddleware</span></code></a>:</p> <div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">MIDDLEWARE_CLASSES</span> <span class="o">=</span> <span class="p">(</span> <span class="s1">'...'</span><span class="p">,</span> <span class="s1">'django.contrib.auth.middleware.AuthenticationMiddleware'</span><span class="p">,</span> <span class="s1">'django.contrib.auth.middleware.RemoteUserMiddleware'</span><span class="p">,</span> <span class="s1">'...'</span><span class="p">,</span> <span class="p">)</span> </pre></div> </div> <p>Next, you must replace the <a class="reference internal" href="../ref/contrib/auth.html#django.contrib.auth.backends.ModelBackend" title="django.contrib.auth.backends.ModelBackend"><code class="xref py py-class docutils literal"><span class="pre">ModelBackend</span></code></a> with <a class="reference internal" href="../ref/contrib/auth.html#django.contrib.auth.backends.RemoteUserBackend" title="django.contrib.auth.backends.RemoteUserBackend"><code class="xref py py-class docutils literal"><span class="pre">RemoteUserBackend</span></code></a> in the <a class="reference internal" href="../ref/settings.html#std:setting-AUTHENTICATION_BACKENDS"><code class="xref std std-setting docutils literal"><span class="pre">AUTHENTICATION_BACKENDS</span></code></a> setting:</p> <div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">AUTHENTICATION_BACKENDS</span> <span class="o">=</span> <span class="p">(</span> <span class="s1">'django.contrib.auth.backends.RemoteUserBackend'</span><span class="p">,</span> <span class="p">)</span> </pre></div> </div> <p>With this setup, <code class="docutils literal"><span class="pre">RemoteUserMiddleware</span></code> will detect the username in <code class="docutils literal"><span class="pre">request.META['REMOTE_USER']</span></code> and will authenticate and auto-login that user using the <a class="reference internal" href="../ref/contrib/auth.html#django.contrib.auth.backends.RemoteUserBackend" title="django.contrib.auth.backends.RemoteUserBackend"><code class="xref py py-class docutils literal"><span class="pre">RemoteUserBackend</span></code></a>.</p> <p>Be aware that this particular setup disables authentication with the default <code class="docutils literal"><span class="pre">ModelBackend</span></code>. This means that if the <code class="docutils literal"><span class="pre">REMOTE_USER</span></code> value is not set then the user is unable to log in, even using Django’s admin interface. Adding <code class="docutils literal"><span class="pre">'django.contrib.auth.backends.ModelBackend'</span></code> to the <code class="docutils literal"><span class="pre">AUTHENTICATION_BACKENDS</span></code> list will use <code class="docutils literal"><span class="pre">ModelBackend</span></code> as a fallback if <code class="docutils literal"><span class="pre">REMOTE_USER</span></code> is absent, which will solve these issues.</p> <p>Django’s user management, such as the views in <code class="docutils literal"><span class="pre">contrib.admin</span></code> and the <a class="reference internal" href="../ref/django-admin.html#django-admin-createsuperuser"><code class="xref std std-djadmin docutils literal"><span class="pre">createsuperuser</span></code></a> management command, doesn’t integrate with remote users. These interfaces work with users stored in the database regardless of <code class="docutils literal"><span class="pre">AUTHENTICATION_BACKENDS</span></code>.</p> <div class="admonition note"> <p class="first admonition-title">Note</p> <p class="last">Since the <code class="docutils literal"><span class="pre">RemoteUserBackend</span></code> inherits from <code class="docutils literal"><span class="pre">ModelBackend</span></code>, you will still have all of the same permissions checking that is implemented in <code class="docutils literal"><span class="pre">ModelBackend</span></code>.</p> </div> <p>If your authentication mechanism uses a custom HTTP header and not <code class="docutils literal"><span class="pre">REMOTE_USER</span></code>, you can subclass <code class="docutils literal"><span class="pre">RemoteUserMiddleware</span></code> and set the <code class="docutils literal"><span class="pre">header</span></code> attribute to the desired <code class="docutils literal"><span class="pre">request.META</span></code> key. For example:</p> <div class="highlight-default"><div class="highlight"><pre><span></span><span class="kn">from</span> <span class="nn">django.contrib.auth.middleware</span> <span class="k">import</span> <span class="n">RemoteUserMiddleware</span> <span class="k">class</span> <span class="nc">CustomHeaderMiddleware</span><span class="p">(</span><span class="n">RemoteUserMiddleware</span><span class="p">):</span> <span class="n">header</span> <span class="o">=</span> <span class="s1">'HTTP_AUTHUSER'</span> </pre></div> </div> <div class="admonition warning"> <p class="first admonition-title">Warning</p> <p>Be very careful if using a <code class="docutils literal"><span class="pre">RemoteUserMiddleware</span></code> subclass with a custom HTTP header. You must be sure that your front-end web server always sets or strips that header based on the appropriate authentication checks, never permitting an end-user to submit a fake (or “spoofed”) header value. Since the HTTP headers <code class="docutils literal"><span class="pre">X-Auth-User</span></code> and <code class="docutils literal"><span class="pre">X-Auth_User</span></code> (for example) both normalize to the <code class="docutils literal"><span class="pre">HTTP_X_AUTH_USER</span></code> key in <code class="docutils literal"><span class="pre">request.META</span></code>, you must also check that your web server doesn’t allow a spoofed header using underscores in place of dashes.</p> <p class="last">This warning doesn’t apply to <code class="docutils literal"><span class="pre">RemoteUserMiddleware</span></code> in its default configuration with <code class="docutils literal"><span class="pre">header</span> <span class="pre">=</span> <span class="pre">'REMOTE_USER'</span></code>, since a key that doesn’t start with <code class="docutils literal"><span class="pre">HTTP_</span></code> in <code class="docutils literal"><span class="pre">request.META</span></code> can only be set by your WSGI server, not directly from an HTTP request header.</p> </div> <p>If you need more control, you can create your own authentication backend that inherits from <a class="reference internal" href="../ref/contrib/auth.html#django.contrib.auth.backends.RemoteUserBackend" title="django.contrib.auth.backends.RemoteUserBackend"><code class="xref py py-class docutils literal"><span class="pre">RemoteUserBackend</span></code></a> and override one or more of its attributes and methods.</p> </div> </div> </div> </div> </div> <div class="yui-b" id="sidebar"> <div class="sphinxsidebar" role="navigation" aria-label="main navigation"> <div class="sphinxsidebarwrapper"> <h3><a href="../contents.html">Table Of Contents</a></h3> <ul> <li><a class="reference internal" href="#">Authentication using <code class="docutils literal"><span class="pre">REMOTE_USER</span></code></a><ul> <li><a class="reference internal" href="#configuration">Configuration</a></li> </ul> </li> </ul> <h3>Browse</h3> <ul> <li>Prev: <a href="index.html">“How-to” guides</a></li> <li>Next: <a href="custom-management-commands.html">Writing custom django-admin commands</a></li> </ul> <h3>You are here:</h3> <ul> <li> <a href="../index.html">Django 1.8.19 documentation</a> <ul><li><a href="index.html">“How-to” guides</a> <ul><li>Authentication using <code class="docutils literal"><span class="pre">REMOTE_USER</span></code></li></ul> </li></ul> </li> </ul> <div role="note" aria-label="source link"> <h3>This Page</h3> <ul class="this-page-menu"> <li><a href="../_sources/howto/auth-remote-user.txt" rel="nofollow">Show Source</a></li> </ul> </div> <div id="searchbox" style="display: none" role="search"> <h3>Quick search</h3> <form class="search" action="../search.html" method="get"> <div><input type="text" name="q" /></div> <div><input type="submit" value="Go" /></div> <input type="hidden" name="check_keywords" value="yes" /> <input type="hidden" name="area" value="default" /> </form> </div> <script type="text/javascript">$('#searchbox').show(0);</script> </div> </div> <h3>Last update:</h3> <p class="topless">Mar 10, 2018</p> </div> </div> <div id="ft"> <div class="nav"> « <a href="index.html" title="&#8220;How-to&#8221; guides">previous</a> | <a href="index.html" title="&#8220;How-to&#8221; guides" accesskey="U">up</a> | <a href="custom-management-commands.html" title="Writing custom django-admin commands">next</a> »</div> </div> </div> <div class="clearer"></div> </div> </body> </html>