diff --git a/gracedb/middleware/auth.py b/gracedb/middleware/auth.py
index 0e2fb2d413c626b92140ab7f0a53205679365610..dd5f4d532be0333ca8748b823375e3fab2d7575b 100644
--- a/gracedb/middleware/auth.py
+++ b/gracedb/middleware/auth.py
@@ -19,38 +19,42 @@ class LigoAuthMiddleware:
 ligouser = None
 user = None
- principal = request.META.get('REMOTE_USER')
- certdn = request.META.get('SSL_CLIENT_S_DN')
- issuer = request.META.get('SSL_CLIENT_I_DN')
-
- if not certdn:
- try:
- # mod_python is a little off...
- # SSL info is in request._req
- # Need to try/except because _req is
- # not defined in WSGI request.
- certdn = request._req.ssl_var_lookup ('SSL_CLIENT_S_DN')
- issuer = request._req.ssl_var_lookup ('SSL_CLIENT_I_DN')
- pass
- except:
- pass
-
 queryResult = []
- if principal:
- # Kerberos.
+ if (request.user):
+ # Scott's middleware has set the user aready using shib.
+ # Let's add some more attributes.
+ principal = request.user.username
+ request.user.name = nameFromPrincipal(principal)
 queryResult = User.objects.filter(principal=principal)
- elif certdn and certdn.startswith(issuer):
- # proxy.
- # Proxies can be signed by proxies.
- # Each level of "proxification" causes the subject
- # to have a '/CN=[0-9]+ appended to the signers subject.
- # These must be removed to discover the original identity's
- # subject DN.
- issuer = proxyPattern.match(issuer).group(1)
- queryResult = User.objects.filter(dn=issuer)
- elif certdn:
- # cert in browser.
- queryResult = User.objects.filter(dn=certdn)
+ else:
+ # authenticate with certs
+ certdn = request.META.get('SSL_CLIENT_S_DN')
+ issuer = request.META.get('SSL_CLIENT_I_DN')
+
+ if not certdn:
+ try:
+ # mod_python is a little off...
+ # SSL info is in request._req
+ # Need to try/except because _req is
+ # not defined in WSGI request.
+ certdn = request._req.ssl_var_lookup ('SSL_CLIENT_S_DN')
+ issuer = request._req.ssl_var_lookup ('SSL_CLIENT_I_DN')
+ pass
+ except:
+ pass
+
+ if certdn and certdn.startswith(issuer):
+ # proxy.
+ # Proxies can be signed by proxies.
+ # Each level of "proxification" causes the subject
+ # to have a '/CN=[0-9]+ appended to the signers subject.
+ # These must be removed to discover the original identity's
+ # subject DN.
+ issuer = proxyPattern.match(issuer).group(1)
+ queryResult = User.objects.filter(dn=issuer)
+ elif certdn:
+ # cert in browser.
+ queryResult = User.objects.filter(dn=certdn)
 if queryResult:
 ligouser = queryResult[0]
diff --git a/settings/default.py b/settings/default.py
index e04ba7691cf1fc51c5023f78889eab9c67f16bd4..a1e892b5968825507f9c66135955d0f3223c6897 100644
--- a/settings/default.py
+++ b/settings/default.py
@@ -161,18 +161,23 @@ TEMPLATE_CONTEXT_PROCESSORS = (
 )
 AUTHENTICATION_BACKENDS = (
- 'django.contrib.auth.backends.ModelBackend',
 'gracedb.middleware.auth.LigoAuthBackend',
+ 'ligodjangoauth.LigoShibbolethAuthBackend',
+ 'django.contrib.auth.backends.ModelBackend',
 )
+SHIB_AUTHENTICATION_SESSION_INITIATOR = 'https://moe.phys.uwm.edu/Shibboleth.sso/Login'
+
 MIDDLEWARE_CLASSES = [
 'middleware.accept.AcceptMiddleware',
- 'gracedb.middleware.auth.LigoAuthMiddleware',
 'middleware.cli.CliExceptionMiddleware',
 'django.middleware.common.CommonMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
- 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
+ 'django.contrib.auth.middleware.AuthenticationMiddleware',
+ 'ligodjangoauth.LigoShibbolethMiddleware',
+ 'gracedb.middleware.auth.LigoAuthMiddleware',
+ 'django.contrib.auth.middleware.AuthenticationMiddleware',
 ]
 ROOT_URLCONF = 'urls'
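Review bot: In gracedb/middleware/auth.py, `if (request.user):` tests whether the user object is truthy, not whether it is authenticated. With Django's AuthenticationMiddleware ahead of this middleware, an unauthenticated request normally carries an `AnonymousUser`, which is truthy and has an empty `username`, so the certificate branch under `else:` looks unreachable and the lookup becomes `User.objects.filter(principal=principal)` with an empty string. I would write the test as `if request.user.is_authenticated():` so that only an established Shibboleth identity skips the X.509 path; what LigoShibbolethMiddleware leaves in `request.user` for unauthenticated requests is not visible here and should be confirmed. The enclosing method starts and ends outside the hunk.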
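Review bot: In settings/default.py, `'django.contrib.auth.middleware.AuthenticationMiddleware'` is now listed twice in `MIDDLEWARE_CLASSES`, after `MessageMiddleware` and again as the last entry. The second pass runs after `LigoShibbolethMiddleware` and `LigoAuthMiddleware` and, depending on the Django version, may re-bind `request.user` to the session user and drop the identity and `name` attribute those two set. I would remove the trailing entry and add a comment above the list such as `# Order matters: sessions, Django auth, Shibboleth, then LigoAuthMiddleware`. Separately, `SHIB_AUTHENTICATION_SESSION_INITIATOR` puts a single host's login URL into the default settings, so a comment saying that each deployment must override it would help.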