通过Django中的IP地址进行身份验证 [英] Authenticate by IP address in Django
问题描述
我有一个小的Django应用程序,其视图只限于某些用户.仅基于IP地址,来自特定网络的任何人都应该能够看到该视图而无需任何进一步的身份验证.该IP范围之外的其他任何人都应该被要求输入密码,并根据默认的Django用户管理进行身份验证.
I have a small Django application with a view that I want to restrict to certain users. Anyone from a specific network should be able to see that view without any further authentication, based on IP address alone. Anyone else from outside this IP range should be asked for a password and authenticated against the default Django user management.
我认为我必须为此编写一个自定义身份验证后端,但是文档使我感到困惑,因为authenticate()
函数似乎期望使用用户名/密码组合或令牌.我不清楚在这里如何使用IP地址进行身份验证.
I assume I have to write a custom authentication backend for that, but the documentation confuses me as the authenticate()
function seems to expect a username/password combination or a token. It is not clear to me how to authenticate using IP addresses here.
在Django中实现基于IP地址的身份验证的正确方法是什么?我宁愿为安全性相关的代码使用尽可能多的现有库函数,而不是自己编写所有库函数.
What would be the proper way to implement IP address-based authentication in Django? I'd prefer to use as much existing library functions as possible for security-related code instead of writing all of it myself.
推荐答案
有两种适用于这种身份验证的方法:
There are two suitable approaches for that kind of authentication:
- As Decorator: if some of views (but not many of them) requires this check, then it is better to write a decorator for that (something like @Jingo had written)
- As Middleware: if that check needed to be done by all (or many) views, instead of using a decorator, writing a middleware is a better solution.
示例中间件可以是这样的:
A sample middleware can be something like:
ALLOWED_IP_BLOCKS = [......]
class NeedToLoginMiddleware(object):
def process_request(self, request):
ip = request.META['REMOTE_ADDR']
if not ip in ALLOWED_IP_BLOCKS: #ip check
if not request.user.is_authenticated(): #if ip check failed, make authentication check
return HttpResponseRedirect(...)
return None
- 您可以使用列表或@Jingo提到的正则表达式进行ip检查.
-
如果使用的是django身份验证,并且
REMOTE_ADDR
不在ALLOWED_IP_BLOCKS
列表中,则可以使用is_authenticated
检查相关用户是否已登录.但是要在自定义中间件中使用is_authenticated
,必须将自定义中间件放置在AuthenticationMiddleware
之后,因为request.user
设置在该级别.- You can make ip check using a list, or a regex as @Jingo mentioned.
If you are using django authentication and
REMOTE_ADDR
is not inALLOWED_IP_BLOCKS
list, then you can useis_authenticated
to check if related user had logged in or not. But for usingis_authenticated
in a custom middleware, your custom middleware must be placed afterAuthenticationMiddleware
, becauserequest.user
is set on that level.MIDDLEWARE_CLASSES = ( ... 'django.contrib.auth.middleware.AuthenticationMiddleware', 'path.to.my.NeedToLoginMiddleware', ... )
- 如果一些视图不需要此身份验证,则可以列出例外url 列表,并从
request.path
获取请求url,然后检查请求url是否需要ip check/authentication. - If a few views do not require this authentication, then you can make a list of exceptional urls and get the request url from
request.path
and check if the request url requires ip check/authentication.
这篇关于通过Django中的IP地址进行身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
- 如果一些视图不需要此身份验证,则可以列出例外url 列表,并从