使用 Django REST 框架的本地和 mod_wsgi 服务器之间的 Django JWT 身份验证行为不同
Django JWT Authentication behavior different between local & mod_wsgi servers with Django REST framework
我正在尝试确定为什么使用 Authorization: header 对受保护资源的身份验证在使用本地开发服务器时表现正常,但在我部署的 apache 2.2 w/mod_wsgi 实现上却表现不佳。
我将 django 1.8 与 django-rest-framework 和 django-rest-framework-jwt 库一起用于基于 JWT 的身份验证。 apache 服务器是 ver 2.2 mod_wsgi。这是 ubuntu 12.04 实例 (python 2.7) 上的全部 运行。
在本地主机上使用 manage.py runserver 的工作案例:
# manage.py runserver is running
curl -s -X POST \
-d '{"username":"test@test.com", "password":}' \
http://localhost:8000/portfolio/login
# Response as expected:
##> {"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp..."}
# Using above token as $TOKEN_STR with JWT prefix for Auth header:
curl -X GET -H "Content-Type: application/json" \
-H "Authorization: $TOKEN_STR" \
http://localhost:8000/portfolio
# Response as expected
##> {"data":"[...]"}
apache2.2 的破例mod_wsgi:
curl -s -X POST \
-d '{"username":"test@test.com", "password":}' \
http://myremote.com/django/portfolio/login
# Response as expected:
##> {"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp..."}
# Using above token as $TOKEN_STR with JWT prefix for Auth header:
curl -X GET -H "Content-Type: application/json" \
-H "Authorization: $TOKEN_STR" \
http://myremote.com/django/portfolio
# Response behaves as authentication not even there w/403 or 401:
##> {"detail": "Authentication credentials were not provided."}
Apache 站点配置
#### DJANGO APP ####
LogLevel info
WSGIDaemonProcess dev processes=2 threads=15
WSGIProcessGroup dev
WSGIScriptAlias /django /webapps/django/config/wsgi.py
<Directory /webapps/django>
Order allow,deny
Allow from all
</Directory>
### DJANGO APP ####
可能相关的配置
config.py
## Django rest frameowkr config
REST_FRAMEWORK = {
'DEFAULT_PERMISSION_CLASSES': (
'rest_framework.permissions.IsAuthenticated',
),
'DEFAULT_AUTHENTICATION_CLASSES': (
'rest_framework.authentication.SessionAuthentication',
'rest_framework.authentication.BasicAuthentication',
'rest_framework_jwt.authentication.JSONWebTokenAuthentication',
)
}
JWT_AUTH = {
'JWT_ENCODE_HANDLER':
'rest_framework_jwt.utils.jwt_encode_handler',
'JWT_DECODE_HANDLER':
'rest_framework_jwt.utils.jwt_decode_handler',
'JWT_PAYLOAD_HANDLER':
'rest_framework_jwt.utils.jwt_payload_handler',
'JWT_PAYLOAD_GET_USER_ID_HANDLER':
'rest_framework_jwt.utils.jwt_get_user_id_from_payload_handler',
'JWT_RESPONSE_PAYLOAD_HANDLER':
'rest_framework_jwt.utils.jwt_response_payload_handler',
'JWT_SECRET_KEY': SECRET_KEY,
'JWT_ALGORITHM': 'HS256',
'JWT_AUTH_HEADER_PREFIX': 'JWT',
}
我遇到过类似的问题。我发现我在 Apache 配置文件中缺少以下指令
WSGIPassAuthorization On
解决方案在 apache conf 文件中,我们需要像这样打开 WSGIPassAuthorization:
<VirtualHost *:80>
ServerAlias example.com
ServerName example.com
Alias /static /srv/www/MyProject/MyProject/static
<Directory /srv/www/MyProject/MyProject/static>
Require all granted
</Directory>
<Directory /srv/www/MyProject/MyProject/>
<Files wsgi.py>
Require all granted
</Files>
</Directory>
WSGIDaemonProcess example python-path=/srv/www/MyProject/MyProject python-home=/srv/envs/venv
WSGIProcessGroup example
WSGIScriptAlias / /srv/www/MyProject/MyProject/wsgi.py
WSGIPassAuthorization On
</VirtualHost>
。
.
.
.
WSGIPassAuthorization On
<Directory /webapps/django>
Order allow,deny
Allow from all
</Directory>
。
.
.
.
这对我有用,非常感谢
https://gulshan1996.blogspot.com/2021/04/jwt-auth-is-not-working-on-apache-server.html
我正在尝试确定为什么使用 Authorization: header 对受保护资源的身份验证在使用本地开发服务器时表现正常,但在我部署的 apache 2.2 w/mod_wsgi 实现上却表现不佳。
我将 django 1.8 与 django-rest-framework 和 django-rest-framework-jwt 库一起用于基于 JWT 的身份验证。 apache 服务器是 ver 2.2 mod_wsgi。这是 ubuntu 12.04 实例 (python 2.7) 上的全部 运行。
在本地主机上使用 manage.py runserver 的工作案例:
# manage.py runserver is running
curl -s -X POST \
-d '{"username":"test@test.com", "password":}' \
http://localhost:8000/portfolio/login
# Response as expected:
##> {"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp..."}
# Using above token as $TOKEN_STR with JWT prefix for Auth header:
curl -X GET -H "Content-Type: application/json" \
-H "Authorization: $TOKEN_STR" \
http://localhost:8000/portfolio
# Response as expected
##> {"data":"[...]"}
apache2.2 的破例mod_wsgi:
curl -s -X POST \
-d '{"username":"test@test.com", "password":}' \
http://myremote.com/django/portfolio/login
# Response as expected:
##> {"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp..."}
# Using above token as $TOKEN_STR with JWT prefix for Auth header:
curl -X GET -H "Content-Type: application/json" \
-H "Authorization: $TOKEN_STR" \
http://myremote.com/django/portfolio
# Response behaves as authentication not even there w/403 or 401:
##> {"detail": "Authentication credentials were not provided."}
Apache 站点配置
#### DJANGO APP ####
LogLevel info
WSGIDaemonProcess dev processes=2 threads=15
WSGIProcessGroup dev
WSGIScriptAlias /django /webapps/django/config/wsgi.py
<Directory /webapps/django>
Order allow,deny
Allow from all
</Directory>
### DJANGO APP ####
可能相关的配置
config.py
## Django rest frameowkr config
REST_FRAMEWORK = {
'DEFAULT_PERMISSION_CLASSES': (
'rest_framework.permissions.IsAuthenticated',
),
'DEFAULT_AUTHENTICATION_CLASSES': (
'rest_framework.authentication.SessionAuthentication',
'rest_framework.authentication.BasicAuthentication',
'rest_framework_jwt.authentication.JSONWebTokenAuthentication',
)
}
JWT_AUTH = {
'JWT_ENCODE_HANDLER':
'rest_framework_jwt.utils.jwt_encode_handler',
'JWT_DECODE_HANDLER':
'rest_framework_jwt.utils.jwt_decode_handler',
'JWT_PAYLOAD_HANDLER':
'rest_framework_jwt.utils.jwt_payload_handler',
'JWT_PAYLOAD_GET_USER_ID_HANDLER':
'rest_framework_jwt.utils.jwt_get_user_id_from_payload_handler',
'JWT_RESPONSE_PAYLOAD_HANDLER':
'rest_framework_jwt.utils.jwt_response_payload_handler',
'JWT_SECRET_KEY': SECRET_KEY,
'JWT_ALGORITHM': 'HS256',
'JWT_AUTH_HEADER_PREFIX': 'JWT',
}
我遇到过类似的问题。我发现我在 Apache 配置文件中缺少以下指令
WSGIPassAuthorization On
解决方案在 apache conf 文件中,我们需要像这样打开 WSGIPassAuthorization:
<VirtualHost *:80>
ServerAlias example.com
ServerName example.com
Alias /static /srv/www/MyProject/MyProject/static
<Directory /srv/www/MyProject/MyProject/static>
Require all granted
</Directory>
<Directory /srv/www/MyProject/MyProject/>
<Files wsgi.py>
Require all granted
</Files>
</Directory>
WSGIDaemonProcess example python-path=/srv/www/MyProject/MyProject python-home=/srv/envs/venv
WSGIProcessGroup example
WSGIScriptAlias / /srv/www/MyProject/MyProject/wsgi.py
WSGIPassAuthorization On
</VirtualHost>
。 . . .
WSGIPassAuthorization On
<Directory /webapps/django>
Order allow,deny
Allow from all
</Directory>
。 . . .
这对我有用,非常感谢 https://gulshan1996.blogspot.com/2021/04/jwt-auth-is-not-working-on-apache-server.html