Reputation: 10464
I'm using Django REST framework with token authentication. It works fine when I run it in the Django development server, but when I run it on Apache, it fails with a 401 authentication error.
# settings.py
REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.TokenAuthentication',
        'rest_framework.authentication.SessionAuthentication',
        'rest_framework.authentication.BasicAuthentication',
    )
}
INSTALLED_APPS = (
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.sites',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'myapp',
    'django.contrib.admin',
    'rest_framework',
    'rest_framework.authtoken',
)
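import json
from django.contrib.admin.views.decorators import staff_member_required
from django.http import HttpResponse
from rest_framework.authentication import BasicAuthentication, SessionAuthentication, TokenAuthentication
from rest_framework.decorators import api_view, authentication_classes, permission_classes
from rest_framework.permissions import IsAuthenticated
# rest_api is the application's own module; its import is not shown in the post

@api_view(['GET', 'POST'])
@authentication_classes((TokenAuthentication, SessionAuthentication, BasicAuthentication))
@permission_classes((IsAuthenticated,))
@staff_member_required
def api(request):
    params = request.data
    res = rest_api.get_data(params)
    return HttpResponse(json.dumps(res), content_type="application/json")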
If I remove
@permission_classes((IsAuthenticated,))
@staff_member_required
it will work on Apache, but then it's insecure. Any ideas what the problem is and how to fix it?
Upvotes: 1
Views: 1389
Reputation: 1678
Apache mod_wsgi specific configuration
Note that if deploying to Apache using mod_wsgi, the authorization header is not passed through to a WSGI application by default, as it is assumed that authentication will be handled by Apache, rather than at an application level.
If you are deploying to Apache, and using any non-session based authentication, you will need to explicitly configure mod_wsgi to pass the required headers through to the application. This can be done by specifying the WSGIPassAuthorization directive in the appropriate context and setting it to 'On'.
# this can go in either server config, virtual host, directory or .htaccess
WSGIPassAuthorization On
Upvotes: 10
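To tell this deployment problem apart from a genuinely rejected token, the following added example (not code from the question, the answer, or Django REST framework) wraps a WSGI app and classifies each 401 by whether `HTTP_AUTHORIZATION` reached the application at all. `AuthHeaderProbe`, `classify`, `token_app`, `simulate` and the sample token are hypothetical names and constructed values; the credential itself is never logged.

```python
# Added example: WSGI diagnostic for 401s behind mod_wsgi (all names are hypothetical).
import logging
from wsgiref.util import setup_testing_defaults

log = logging.getLogger("auth_probe")


def classify(environ, status):
    """Explain a 401 in terms of what actually reached the WSGI layer."""
    if not status.startswith("401"):
        return "ok"
    header = environ.get("HTTP_AUTHORIZATION", "").strip()
    if not header:
        # What the app sees when mod_wsgi runs without WSGIPassAuthorization On,
        # or when the client really sent no Authorization header.
        return "no-authorization-header"
    # The header arrived, so the server passes it through; the credential was rejected.
    return "rejected-" + header.split(None, 1)[0].lower()


class AuthHeaderProbe:
    """Wrap a WSGI app and log why it answered 401, recording only the scheme."""

    def __init__(self, app):
        self.app = app
        self.last = None

    def __call__(self, environ, start_response):
        def probing_start_response(status, headers, exc_info=None):
            self.last = classify(environ, status)
            if self.last != "ok":
                log.warning("401 on %s: %s", environ.get("PATH_INFO"), self.last)
            return start_response(status, headers, exc_info)
        return self.app(environ, probing_start_response)


def token_app(environ, start_response):
    """Constructed stand-in for a token-protected view; accepts one sample token."""
    ok = environ.get("HTTP_AUTHORIZATION") == "Token sample-token-123"
    start_response("200 OK" if ok else "401 Unauthorized", [("Content-Type", "text/plain")])
    return [b"ok" if ok else b"denied"]


def simulate(authorization=None):
    """Run one request through the probe; None models a header that never arrived."""
    environ = {}
    setup_testing_defaults(environ)
    if authorization is not None:
        environ["HTTP_AUTHORIZATION"] = authorization
    probe = AuthHeaderProbe(token_app)
    body = b"".join(probe(environ, lambda status, headers, exc_info=None: None))
    return probe.last, body
```

In a real deployment the probe would wrap the project's WSGI `application` object; a stream of `no-authorization-header` results for clients known to send tokens points at the Apache configuration rather than at the tokens.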