django / tastypie基本身份验证适用于开发,而不适用于生产

时间:2012-08-09 01:47:56

标签: django rest authentication basic-authentication tastypie

我正在用django / tastpie构建一个RESTful api。在我的开发(本地)环境中运行时,一切都运行良好,并且可以正确验证。

Marks-MacBook-Pro:~ mshust$ curl http://127.0.0.1:8000/api/v1/speedscreen/ -H 'Authorization: Basic bXNodXN0MToyMjY3' -v
* About to connect() to 127.0.0.1 port 8000 (#0)
        *   Trying 127.0.0.1...
        * connected
        * Connected to 127.0.0.1 (127.0.0.1) port 8000 (#0)
                > GET /api/v1/speedscreen/ HTTP/1.1
                > User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5
                > Host: 127.0.0.1:8000
                > Accept: */*
                > Authorization: Basic bXNodXN0MToyMjY3
>
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Date: Thu, 09 Aug 2012 01:36:05 GMT
< Server: WSGIServer/0.1 Python/2.7.2
< Content-Type: application/json; charset=utf-8
<
* Closing connection #0
{"meta": {"limit": 20, "next": null, "offset": 0, "previous": null, "total_count": 0}, "objects": []}

然而,当我在我的生产服务器上运行它(apache + wsgi over https)时,我一直收到401 Unauthorized响应(出于安全原因更改了域/ ip)

Marks-MacBook-Pro:~ mshust$ curl https://www.domain.com/api/speedscreen/ -H 'Authorization: Basic bXNodXN0MToyMjY3' -v
* About to connect() to www.domain.com port 443 (#0)
*   Trying 231.23.102.140...
* connected
* Connected to www.domain.com (231.23.102.140) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*    subject: O=www.domain.com; OU=Domain Control Validated; CN=www.domain.com
*    start date: 2012-07-18 13:30:31 GMT
*    expire date: 2014-07-18 13:30:31 GMT
*    subjectAltName: www.domain.com matched
*    issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy.com, Inc.; OU=http://certificates.godaddy.com/repository; CN=Go Daddy Secure Certification Authority; serialNumber=07969287
*    SSL certificate verify ok.
> GET /api/speedscreen/ HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5
> Host: www.domain.com
> Accept: */*
> Authorization: Basic bXNodXN0MToyMjY3
> 
< HTTP/1.1 401 UNAUTHORIZED
< Date: Thu, 09 Aug 2012 01:36:00 GMT
< Server: Apache/2.2.22 (Ubuntu)
< Vary: Accept-Encoding
< Content-Length: 0
< Content-Type: text/html; charset=utf-8
< 
* Connection #0 to host www.domain.com left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

任何人都知道这里会发生什么?我完全难过了。

谢谢, 标记

1 个答案:

答案 0 :(得分:9)

通常,对cURL执行基本身份验证:

curl -u "user:password"

也许在你的情况下:

curl -u "bXNodXN0MToyMjY3"

如果将其更改为该格式不起作用,可能您在.htaccess文件或apache配置中设置了基本身份验证,该配置在获取WSGI应用程序之前就已经使用了auth。

此外,使用apache和mod_wsgi,您需要按this post添加WSGIPassAuthorization On设置。