Showing posts with label web2py. Show all posts
Showing posts with label web2py. Show all posts
2014-10-22
Turn off the login menu in web2py
Use Case: when you do not need to manage users or access control in the web2py application, remove the login menu from the right side of the menubar:
Remove instantiating Auth(db) in your model and remove all dependencies on the Auth object.
web2py admin behind Apache proxy
So I have this web2py configuration where Apache httpd SSL proxies URLs of the form https://server/web2py/ to http://localhost:8081/web2py (web2py Rocket):
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} !=localhost
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
RewriteRule ^/webpy$ /web2py/ [R,L]
ProxyRequests off
ProxyPass /web2py/ http://localhost:8081/web2py/
<Location /web2py/>
ProxyPassReverse http://localhost:8081/web2py/
</Location>
This includes a modified global routes.py:
default_application = 'init' # ordinarily set in base routes.py
default_controller = 'default' # ordinarily set in app-specific routes.py
default_function = 'index' # ordinarily set in app-specific routes.py
BASE = '/web2py'
routes_in = (
# do not reroute admin unless you want to disable it
(BASE + '/admin', '/admin/default/index'),
(BASE + '/admin/$anything', '/admin/$anything'),
# do not reroute appadmin unless you want to disable it
(BASE + '/$app/appadmin', '/$app/appadmin/index'),
(BASE + '/$app/appadmin/$anything', '/$app/appadmin/$anything'),
# do not reroute static files
(BASE + '/$app/static/$anything', '/$app/static/$anything'),
# reroute favicon and robots, use exable for lack of better choice
('/favicon.ico', '/examples/static/favicon.ico'),
('/robots.txt', '/examples/static/robots.txt'),
# do other stuff
((r'.*http://otherdomain\.com.* (?P.*)', r'/app/ctr\g')),
# remove the BASE prefix
(BASE + '/$anything', '/$anything'),
)
routes_out = [(x, y) for (y, x) in routes_in]
logging = 'debug'
#fix ticket routing
error_message = '<html><body><h1>%s</h1></body></html>'
error_message_ticket = '<html><body><h1>Internal error</h1>Ticket issued: <a href="' + BASE + '/admin/default/ticket/%(ticket)s" target="_blank">%(ticket)s</a></body></html>'
def __routes_doctest():
pass
if __name__ == '__main__':
import doctest
doctest.testmod()
But if you go to https://hostname/web2py/admin, it returns Admin is disabled because insecure channel. However, the channel IS secure since we are using SSL via the Apache.
Offending Lines of code: applications/admin/models/access.py:
if request.is_https:
session.secure()
elif not request.is_local and not DEMO_MODE:
raise HTTP(200, T('Admin is disabled because insecure channel'))
According to https://groups.google.com/forum/#!searchin/web2py-developers/request.is_local/web2py-developers/kkBvSzX4wO8/Rjom8huf4yMJ , request.is_local is False behind the Apache proxy, so calling https://server/web2py/admin fails both request.is_https (since the proxy forwards to http://) and request.is_local.
Commenting out this block causes login dialog to fail (for the same reasons). Thus the correct modification is to use request.is_local = True
2014-06-30
Auth.user itself is a DAL row object
So after we instantiate auth=Auth(db=db), when the user logs in, Auth will create a subclass of type <class 'gluon.dal.Row'> which stores the fields from auth_user table:
| first_name |
| id |
| last_name |
| registration_id |
| registration_key |
| reset_password_key |
| username |
Locking down a default web2py controller
Say you have a web2py app where you want the default controller
Problem: by default,
So,we have to move
To do this, we have to tell
default.py to be locked down to require a user to always be authenticated to access any of the functions in that controller.
Problem: by default,
user():, which calls auth() to supply the default login form handler is in default.py so if use the typical method to force auth checking on the controller itself (as explained in https://groups.google.com/d/msg/web2py/ReznbEX0Mh0/CfyEF70TrG0J)
auth.requires_login()(lambda: None)()
def index():
return dict()
def user():
return dict(form=auth())
This will result in a redirection loop because the initial un-logged-in access to /app/(default/index) will result in a redirect (due to requires_login()) to /app/default/user/login and on every call to default will result in a redirect to default/user/login etc.
So,we have to move
user() out of the way.
To do this, we have to tell
Auth where to find user(). By default it looks in default controller, but this can be modified in the Auth instantiation in the model (models/db.py):
#original auth instance #auth = Auth(db) #redirected auth instance auth = Auth(db=db, controller='login')This tells
Auth instance auth to look in controller login for the user() instead of default. We use keyword db for telling it which DAL instance to use now, since we have switched to kwargs.
In controllers/login.py:
# coding: utf8
#here is the default action, redirect back to the default controller
def index():
redirect(URL(c='default'))
def user():
return dict(form=auth())
And don't forget to move views/default/user.html to views/login/user.html!
2014-06-29
Web2py Auth User against LDAP (Active Directory)
In
models/db.py, adapted from the example one from welcome:
#using the default DAL db. You can use pg if you want
db = DAL('sqlite://storage.sqlite',pool_size=1,check_reserved=['all'])
#store sessions in the db not on the filesystem
session.connect(request, response, db=db)
#default boilerplate from welcome
response.generic_patterns = ['*'] if request.is_local else []
#default boilerplate from welcome
from gluon.tools import Auth, Crud, Service, PluginManager, prettydate
auth = Auth(db)
crud, service, plugins = Crud(db), Service(), PluginManager()
#use username as the primary id, not email address
auth.define_tables(username=True, signature=False)
#do not create a default user group (=user) for every user that gets imported
auth.settings.create_user_groups=False
#default config from welcome
mail = auth.settings.mailer
mail.settings.server = 'logging' or 'smtp.gmail.com:587'
mail.settings.sender = 'you@gmail.com'
mail.settings.login = 'username:password'
#comment these from the default
#auth.settings.registration_requires_verification = False
#auth.settings.registration_requires_approval = False
#auth.settings.reset_password_requires_verification = True
#LDAP is always the system of record, so disable manual registration or the changing of the user in the app
auth.settings.actions_disabled=['register','change_password','request_reset_password','retrieve_username','profile']
#this is just good security
auth.settings.remember_me_form = False
#import ldap_auth method
from gluon.contrib.login_methods.ldap_auth import ldap_auth
#override all/any default auth settings, users can *only* auth against Active Directory
auth.settings.login_methods=[ldap_auth(mode='ad',
manage_user=True,
user_firstname_attrib = 'givenName',
user_lastname_attrib = 'sn',
user_mail_attrib = 'mail',
server='corp.contoso.com',
base_dn='dc=contoso,dc=com',
secure=True,
db=db)]
#disable janrain
#from gluon.contrib.login_methods.rpx_account import use_janrain
#use_janrain(auth, filename='private/janrain.key')
Usage: The Login dialog will cause this web2py app to autocreate a user based on the attributes in LDAP. The actual auth is the return of a successful LDAP bind. You can also pre-create users using appadmin. When manually creating users this way, you will need to set a dummy password in the db since it is set to be a required field (but will remain empty when the user is autocreated...). You may want to manually add users when you are setting up app-specific groups.
Caveats: To get LDAP secure=True working with a self-signed cert on the webserver, I had to hack gluon/contrib/login_methods/ldap_auth.py: In ldap_auth().init_ldap(), I had to add the following after if secure:
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)See also: http://www.web2pyslices.com/slice/show/1715/authentication-and-group-control-with-active-directory-ldap if you want to base RBAC off AD groups.
Subscribe to:
Posts (Atom)