Description
EDIT by @tomchristie: Updated title from "Authorization doesn't work when using Apache/mod_wsgi by default"
mod_wsgi normally doesn't pass through the Authorization header:
Unlike other HTTP headers, the authorisation header is not passed through to a WSGI application by default. This is the case as doing so could leak information about passwords through to a WSGI application which should not be able to see them when Apache is performing authentication...
If it is desired that the WSGI application be responsible for handling user authentication, then it is necessary to explicitly configure mod_wsgi to pass the required headers through to the application. This can be done by specifying the WSGIPassAuthorization directive in the appropriate context and setting it to 'On'.
Thus Token authentication, for example, does not work unless you add the following to your Apache config:
WSGIPassAuthorization on
This is very confusing as the same application on the same server works fine when run using runserver, but fails in Apache. Please could you document this in the relevant Authorization chapters?
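A diagnostic for the behaviour described in this issue, added here as an example and not code from the issue or from Django REST framework: a WSGI middleware that reports whether the `Authorization` header reached the application (as `HTTP_AUTHORIZATION` in the WSGI environ) without logging the credential. `AuthHeaderProbe`, `describe_authorization`, `demo_app` and `simulate` are hypothetical names, and the environs are constructed.

```python
import logging
from wsgiref.util import setup_testing_defaults

log = logging.getLogger("auth_probe")


def describe_authorization(environ):
    """Classify the Authorization header as the WSGI app sees it.

    Returns 'absent' or the auth scheme (e.g. 'Token', 'Basic').
    The credential itself is never returned or logged.
    """
    raw = environ.get("HTTP_AUTHORIZATION", "")
    if not raw.strip():
        return "absent"
    return raw.split(None, 1)[0]


class AuthHeaderProbe:
    """WSGI middleware: warn when a request arrives without Authorization."""

    def __init__(self, app):
        self.app = app
        self.seen = []  # schemes observed, kept for inspection

    def __call__(self, environ, start_response):
        scheme = describe_authorization(environ)
        self.seen.append(scheme)
        if scheme == "absent":
            log.warning("no Authorization header in environ for %s; "
                        "under mod_wsgi check WSGIPassAuthorization",
                        environ.get("PATH_INFO", ""))
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    # Stand-in for the real application (constructed for this example).
    ok = describe_authorization(environ) != "absent"
    status = "200 OK" if ok else "401 Unauthorized"
    start_response(status, [("Content-Type", "text/plain")])
    return [status.encode()]


def simulate(header_value=None):
    """Run one constructed request, with or without an Authorization header."""
    environ = {}
    setup_testing_defaults(environ)
    if header_value is not None:
        environ["HTTP_AUTHORIZATION"] = header_value
    probe = AuthHeaderProbe(demo_app)
    body = probe(environ, lambda status, headers: None)
    return probe.seen[-1], body[0].decode()
```

Wrapping the project's WSGI callable in such a probe separates "the server stripped the header" from "the token was rejected", which look identical to the client.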