Authorization header missing in django rest_framework, is apache to blame?

apache apache2 authorization mod-proxy django-rest-framework
steve-gregory picture steve-gregory · Nov 14, 2012 · Viewed 22k times · Source

I've managed to extend TokenAuthentication and I have a working model when using the request session to store my tokens, however when I attempt to pass Authorization as a header parameter as described here, I noticed that my Responses come back without the META variable HTTP_AUTHORIZATION. I also noticed that if I pass "Authorization2" as a header parameter that it is visible in the request:

{
    '_content_type': '', 
    'accepted_media_type': 'application/json', 
    '_request': <WSGIRequest
        path:/api/test_auth/,
        GET:<QueryDict: {}>,
        POST:<QueryDict: {}>,
        COOKIES:{
            'MOD_AUTH_CAS_S': 'ba90237b5b6a15017f8ca1d5ef0b95c1',
            'csrftoken': 'VswgfoOGHQmbWpCXksGUycj94XlwBwMh',
            'sessionid': 'de1f3a8eee48730dd34f6b4d41caa210'
        },
        META:{
           'DOCUMENT_ROOT': '/etc/apache2/htdocs',
           'GATEWAY_INTERFACE': 'CGI/1.1',
           'HTTPS': '1',
           'HTTP_ACCEPT': '*/*',
           'HTTP_ACCEPT_CHARSET': 'ISO-8859-1,utf-8;q=0.7,*;q=0.3',
           'HTTP_ACCEPT_ENCODING': 'gzip,deflate,sdch',
           'HTTP_ACCEPT_LANGUAGE': 'en-US,en;q=0.8',
           'HTTP_AUTHORIZATION2': 'Token 9944b09199c62bcf9418ad846dd0e4bbdfc6ee4c',
           ...

My first guess is that the authorization header is being removed by apache, and I have read a few S/O questions that state that apache will throw out the value if it does not match basic authorization and authenticate, but I have no idea how to allow the Authorization header to 'pass through' to Django and the WSGIRequest. Does anyone know how to solve this problem?

I also use mod_auth_cas and mod_proxy, if that changes anything..

Answer

Steven picture Steven · Sep 2, 2013

If you are using Apache and mod_wsgi, then I found the easy solution to this in the official Django REST framework website

Apache mod_wsgi specific configuration

Note that if deploying to Apache using mod_wsgi, the authorization header is not passed through to a WSGI application by default, as it is assumed that authentication will be handled by Apache, rather than at an application level.

If you are deploying to Apache, and using any non-session based authentication, you will need to explicitly configure mod_wsgi to pass the required headers through to the application. This can be done by specifying the WSGIPassAuthorization directive in the appropriate context and setting it to 'On'.

# this can go in either server config, virtual host, directory or .htaccess 
WSGIPassAuthorization On

Related questions

Only variable references should be returned by reference - Codeigniter

After the server PHP upgrade I am getting the following error with PHP Version 5.6.2 on Apache 2.0 A PHP Error was encountered Severity: Notice Message: Only variable references should be returned by reference Filename: core/Common.php Line Number: 257 How can …

Read More
Site does not exist error for a2ensite

I have cmsplus.dev under /etc/apache2/sites-available with the following code, <VirtualHost *:80> ServerAdmin [email protected] ServerName www.cmsplus.dev ServerAlias cmsplus.dev DocumentRoot /var/www/cmsplus.dev/public LogLevel warn ErrorLog /var/www/cmsplus.dev/log/…

Read More
Apache won't follow symlinks (403 Forbidden)

I'm having some trouble setting up Apache on Ubuntu. I've been following this guide. # /usr/sbin/apache2 -v Server version: Apache/2.2.17 (Ubuntu) Server built: Feb 22 2011 18:33:02 My public directory, /var/www, can successfully serve up and execute PHP pages that are …

Read More