django-restframework with token authentication returns a 401 on apache

Question

I'm using django restframework with token authentication. It works fine when I run it in django development server but when I run it on apache, it fails with a 401 authentication error.

# settings.py
REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.TokenAuthentication',
        'rest_framework.authentication.SessionAuthentication',
        'rest_framework.authentication.BasicAuthentication',
    )
}

INSTALLED_APPS = (
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.sites',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'myapp',
    'django.contrib.admin',
    'rest_framework',
    'rest_framework.authtoken',
)

@api_view(['GET', 'POST'])
@authentication_classes((TokenAuthentication, SessionAuthentication, BasicAuthentication))
@permission_classes((IsAuthenticated,))
@staff_member_required
def api(request):
    params = request.data
    res = rest_api.get_data(params)
    return HttpResponse(json.dumps(res), content_type="application/json")

If I remove

@permission_classes((IsAuthenticated,))
@staff_member_required

it will work on apache but then it's insecure. Any ideas what the problem is and how to fix it?

Answer 1

Apache mod_wsgi specific configuration

Note that if deploying to Apache using mod_wsgi, the authorization header is not passed through to a WSGI application by default, as it is assumed that authentication will be handled by Apache, rather than at an application level.

If you are deploying to Apache, and using any non-session based authentication, you will need to explicitly configure mod_wsgi to pass the required headers through to the application. This can be done by specifying the WSGIPassAuthorization directive in the appropriate context and setting it to 'On'.

# this can go in either server config, virtual.
host, directory or .htaccess

WSGIPassAuthorization On