tags:

views:

401

answers:

2
+3  Q: 

Secure static media access in a Django site

I'm building a site where registered users can upload files. Those files are then served via Apache. Only users who are logged in should be able to access those files.

I have read this page but it seems that people would have to log in twice to access both the site and the media, each time using a different type of login box.

Is there a way around this or is there some other way to limit access to static media served by Apache using the Django authentication database?

I'm using mod_python.

EDIT: How I ended up solving this after reading Van Gale's answer and this:

  1. Switched to WSGI.
  2. Installed mod_xsendfile
  3. Moved all public media files into a subfolder in /media/public
  4. Added access to the public folder using an Alias /media/public /var/www.../media/public
  5. Added WSGIScriptAlias /media/protected/ /var/www.../apache/django.wsgi (same handler as for the rest of the site)
  6. Added XSendFile On and XSendFileAllowAbove On
  7. To the Django app I added an urlconf for /media/protected which does basically what's here, only modified for my authentication system. It handles urls such as /media/protected/GROUP_ID/file so that only members of the GROUP can download the files.
+1  A: 

If you have freedom to switch from Apache to lighttpd, then the most straightforward solution would be to use mod_secdownload which would do exactly what you want, that is, provide application authentication while serving the actual files via web server.

However if you are stuck with Apache, then I suggest mod_auth_token, here they mention PHP but you can generate the token in Python or any other language. Using mod_auth_token you will be able to generate the token in your application, and then have web server serve the static file utilizing that token.

 2009-08-27 13:15:56
+2  A: 

The usual way to do this is to pass back a special header to the web server.

You can do it with nginx using x-accel-redirect as in this Django snippet.

For Apache, it should be pretty similar using the mod_xsendfile module (discussion and examples on Django users mailing list).

Van Gale  2009-08-27 13:33:36
I'm going to give mod_xsendfile a try.
TomA  2009-08-27 18:06:15
It worked! Had to switch to WSGI but that wasn't as hard as I thought it would be.
TomA  2009-08-27 22:07:50
In mod_wsgi 3.0, you can pass back a Location with 200 status. The directories need to be mapped via a URL though, which is then referenced in Location. Since URL mapping required, to ensure remote clients can't get to them, you need to use a mod_rewrite rule to make them forbidden if not an Apache sub request. The other option is to make use of wsgi.file_wrapper extension to optimally return file direct from Django. Right now can't do this with Django, but will be allowed in future version.
Graham Dumpleton  2009-08-28 11:03:52

related questions

How do I add a MIME type to .htaccess?
Difference between the Apache HTTP Server and Apache Tomcat?
How do I support SSL Client Certificate authentication?
Why can't I connect to my CAS server with Perl's AuthCAS?
Cleanest & Fastest server setup for Django
Installing Apache Web Server on 64 Bit Mac
Running Apache alongside another web server?
Algorithm behind MD5Crypt
Can you compile Apache HTTP Server and redeploy its binaries to a different location ?
mod_rewrite rule to redirect all requests except for one specific path
How do I create a self signed SSL certificate to use while testing a web app.
Software for Webserver Log Analysis?
What is the difference between an endpoint, a service, and a port when working with webservices?
What are the proper permissions for an upload folder with PHP/Apache?
mod_rewrite to alias one file suffix type to another
How do you redirect HTTPS to HTTP?
Using mod_rewrite to Mimic SSL Virtual Hosts?
User authentication on Resin webserver
How do you set up Python scripts to work in Apache 2.0?
Block user access to internals of a site using HTTP_REFERER
.htaccess directives to *not* redirect certain URLs
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP