I have task to create SSO (single sign-on) authorization in Python backend application with the help of Kerberos and Active Directory.
In other words, the frontend application makes an AJAX GET request to a specific URL of the backend application. That backend application must return information about the employee in JSON format.
What I have done so far:
1) SPN name for the backend application was created in Active Directory.
2) krb5.keytab file for the backend application was created.
3) Active Directory and Kerberos server located on remote Windows server.
4) Backend application would be in Linux Docker container.
5) I installed the Kerberos client in the Docker container.
6) Kerberos Realm: SERVICE.LOCAL.
7) Hostname for the KDC Server: CS001, CS002, CS003.
Have you ever seen any implementations of the above process in Python? I will be grateful for any help.
You have 2 ways to handle this:
Handle it directly in Python
Handle it in a proxy such as apache or nginx
Pure Python Solution
If you don't have a proxy or just want to handle it in python anyway, I recommend using the python-gssapi library. Here's a code sample. There are other Python bindings but from my reading, this one seems to be the most complete.
Note: if you handle it this way, your python server will probably need to be able to respect the keep-alive header (i.e. re-use the same connection for multiple requests). This isn't strictly part of the SPNEGO protocol, but most browsers seem to require that the server implements it.
Proxy Solution
If you're using apache, there's a mod_auth_kerb module you can use which is well documented. There's also a mod_auth_gssapi which provides similar functionality.
For nginx, there's a similar module available.
With any of these proxy solutions, the idea is that the proxy handles Kerberos auth, and sets the REMOTE_USER env variable for your python app. So your python app needs to be able to accept this variable as an authenticated user. Django has middleware specifically for that purpose - I'm not sure about Flask (I mention these 2 frameworks because they're in your question's tags).
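The HTTP side of the SPNEGO exchange that the pure-Python option above has to implement, as an added example that is not the answerer's code and not part of python-gssapi. The GSSAPI step is behind an "acceptor" callable so the flow can run without a KDC; `gssapi_acceptor()` builds a real one from python-gssapi with an assumed SPN (`HTTP@backend.service.local`, a placeholder). The `fake_acceptor`, its tokens and the principal `jdoe@SERVICE.LOCAL` are constructed for the demonstration. The middleware also illustrates the point made for the proxy setup: `REMOTE_USER` is set by the authenticating component only, and a client-supplied `Remote-User` header (which lands in `HTTP_REMOTE_USER`) is never consulted.

```python
import base64
import json

# Added example, not code from the original answer. It shows the HTTP side of
# SPNEGO ("Negotiate") for a WSGI app: challenge, token exchange, REMOTE_USER.
# The GSSAPI step is delegated to an "acceptor" callable so the flow can run
# without a KDC; gssapi_acceptor() builds a real one from python-gssapi.


def gssapi_acceptor(spn="HTTP@backend.service.local"):
    """Acceptor backed by python-gssapi. The SPN is an assumed placeholder; the
    keytab is found via KRB5_KTNAME or the default keytab location."""
    import gssapi  # imported lazily so the module loads without the library

    name = gssapi.Name(spn, gssapi.NameType.hostbased_service)
    creds = gssapi.Credentials(name=name, usage="accept")
    ctx = gssapi.SecurityContext(creds=creds, usage="accept")

    def step(in_token):
        out_token = ctx.step(in_token)
        principal = str(ctx.initiator_name) if ctx.complete else None
        return out_token, ctx.complete, principal

    return step


def fake_acceptor():
    """Constructed stand-in for tests: accepts exactly one fixed token."""
    def step(in_token):
        if in_token != b"constructed-client-token":
            raise ValueError("token rejected")
        return b"constructed-server-token", True, "jdoe@SERVICE.LOCAL"
    return step


def negotiate_value(token):
    """Format a WWW-Authenticate / Authorization value for the Negotiate scheme."""
    if not token:
        return "Negotiate"
    return "Negotiate " + base64.b64encode(token).decode("ascii")


class SpnegoMiddleware:
    """Sets environ['REMOTE_USER'] only after GSSAPI accepts the client token.
    A client-supplied 'Remote-User' header lands in HTTP_REMOTE_USER and is
    never consulted, which is the property a proxy-based setup must keep too."""

    def __init__(self, app, acceptor_factory):
        self.app = app
        self.acceptor_factory = acceptor_factory  # one context per exchange

    def __call__(self, environ, start_response):
        scheme, _, token_b64 = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
        if scheme.lower() != "negotiate" or not token_b64.strip():
            return self._challenge(start_response, None)
        try:
            in_token = base64.b64decode(token_b64.strip(), validate=True)
            out_token, complete, principal = self.acceptor_factory()(in_token)
        except Exception:  # malformed base64 or GSSAPI rejection
            return self._challenge(start_response, None)
        if not complete:  # multi-leg mechanism: continue on the same connection
            return self._challenge(start_response, out_token)
        environ["REMOTE_USER"] = principal
        environ["AUTH_TYPE"] = "Negotiate"

        def start_with_mutual_auth(status, headers, exc_info=None):
            if out_token:  # mutual-authentication token travels with the 200
                headers = list(headers) + [("WWW-Authenticate", negotiate_value(out_token))]
            return start_response(status, headers, exc_info)

        return self.app(environ, start_with_mutual_auth)

    @staticmethod
    def _challenge(start_response, out_token):
        start_response("401 Unauthorized", [("WWW-Authenticate", negotiate_value(out_token)),
                                            ("Content-Type", "text/plain")])
        return [b"Authentication required\n"]


def employee_app(environ, start_response):
    """The backend endpoint from the question: employee info as JSON."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [json.dumps({"employee": environ["REMOTE_USER"]}).encode("utf-8")]


def call_wsgi(app, environ):
    """Drive a WSGI app in-process; returns (status, headers dict, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(dict(environ), start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = SpnegoMiddleware(employee_app, fake_acceptor)
    print(call_wsgi(app, {"HTTP_REMOTE_USER": "admin"}))  # 401, header ignored
    print(call_wsgi(app, {"HTTP_AUTHORIZATION": negotiate_value(b"constructed-client-token")}))
```

For production, `SpnegoMiddleware(employee_app, gssapi_acceptor)` replaces the fake. Kerberos normally completes in one leg, so a fresh security context per request is enough; a mechanism that needs several legs would require keeping the context alive across requests on the same connection, which is the keep-alive requirement the answer mentions.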
Is there some way I could setup my architecture like this for my web application:
Backend - Django + DRF (Rest API)
Frontend - React
And on the backend set up a websocket Client to listen to an external websocket Server and then forward the data from the Client to a new Server that I will create. So in React I could listen to this websocket Server that I have created?
I tried implementing this in React to listen to an external websocket Server, but it just gave me headaches trying to use proxy to avoid CORS problems.
How should I approach this? Am I thinking straight here?
Hello Marcus C and welcome to StackOverflow!
Since you didn't post any code yourself I can't give you any concrete examples, but I can point you in the right direction. As you said yourself, trying to use an external WebSockets server (such as Node.js with socket.io) is a pain. For this purpose the Django Channels library exists. It is really useful as it allows direct access to the database and other Django-related stuff.
If you run Django in a Docker container, the best way to use Channels is to run two separate containers, one with say gunicorn or uWSGI servers for the synchronous part and another with Channels' recommended Daphne server for the asynchronous part, both proxied by nginx. The standard (or rather common) way is to use the /ws path prefix for the asynchronous endpoints.
I have been using Python to create a web app and it has been doing well so far. Now I would like to encrypt the transmission of the data between client and server using HTTPS. The communication is generally just post forms and web pages, no money transactions are involved. Is there anything I need to change in the Python code except setting the server up with a certificate and configuring it to use HTTPS? I see a lot of information regarding SSL for Python and I'm not sure if I need those modules and Python setup to make HTTPS work.
Thanks
Typically, the ssl part for Python web app is managed by some frontend web server like nginx, apache or so.
This does not require any modification of your code (assuming you are not expecting the user to authenticate by SSL certificate on the client side, which is quite an exotic, but possible, scenario).
If you want to run a pure Python solution, I would recommend using cherrypy, which is able to provide a rather reliable and performant web server part (it will very likely be slower than when served behind nginx or apache).
I have been looking at multiple sources and can't seem to get a good answer. I am trying to deploy a very simple app that displays information from a mongodb, accepts post data for input, uses SSL, and AD for Authentication.
I am using bottle with python 2.7, mongodb, on a windows 64-bit platform. I can switch to CentOS if that is completely necessary.
So far, none of the very few tutorials out there seem to work on my current configuration. Is what I'm asking for possible? Should I switch to a different framework?
tldr:
Can you run a bottle application with SSL and AD integration?
If not, what python framework would be nearly as easy and still have this functionality.
edit: I found this for flask. Could it work with bottle? Also, can it be done on windows?
There are definitely ways to accomplish your goal of having bottle use SSL + AD on windows.
SSL with bottle:
https://github.com/nickbabcock/bottle-ssl
http://dgtool.blogspot.com/2011/12/ssl-encryption-in-python-bottle.html
bottle on cherrypy server + ssl
python with AD (as well as information on windows specifically):
Authenticating against active directory using python + ldap
https://gist.github.com/ibeex/1288159
If you wanted to use session management for authentication you could pair the AD with bottle middleware such as beaker: bottle hooks with beaker session middleware and checking logins
Bottle itself does not have built-in abilities to deal with SSL that I know of, like flask. But the last SSL link above shows similarly simple usability.
I run a WSGI application from within my Python file, using the make_server command.
(I don't know if this is a good practice or whether it is more common to setup Apache or nginx for this purpose.)
I want to make this little server secure by adding SSL support. Where do I start?
Is the built-in WSGI server from Python considered safe? I want the connection to be really secure. I only recently came across WSGI and I thought it was very easy to use, especially from within Python. The app is only used as a proxy so has little functionality, but I do want it to be as secure as possible.
Basically WSGI is just an interface for communication between web-server software (i.e. nginx or httpd) and your python script/app which contains some code to process requests (usually either an application callable or a list of application callables).
You need to enable SSL on the web-server layer. But if you don't want to involve external software you may follow #Demz's advice and try using eventlet.wrap_ssl. Please find more relevant information here.
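For the "where do I start" part of the question, an added example (not the questioner's or answerer's code, and not the eventlet route the answer points to): it keeps `make_server` as in the question and wraps its listening socket with a hardened `ssl.SSLContext` from the standard library. The certificate and key paths are placeholders; the optional `client_ca` argument covers the client-certificate case the earlier answer calls exotic.

```python
import ssl
from wsgiref.simple_server import make_server

# Added example, not code from the original question or answer. It shows one
# way to give Python's built-in wsgiref server TLS: build a hardened
# ssl.SSLContext and wrap the listening socket. Certificate and key paths are
# placeholders to replace with real files.


def build_server_context(client_ca=None):
    """Server-side TLS context. create_default_context(CLIENT_AUTH) selects the
    library's server-side defaults; the version floor is raised to TLS 1.2
    explicitly. Pass a CA bundle path to require client certificates (mTLS)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_ca:
        ctx.load_verify_locations(cafile=client_ca)
        ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_policy(ctx):
    """Summarise the settings worth checking in a test or a deployment review."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "client_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
    }


def make_https_server(app, host, port, certfile, keyfile, client_ca=None):
    """make_server() as in the question, with its socket wrapped for TLS.
    wsgiref is single-threaded and meant for development, so this suits a
    small internal proxy rather than public traffic."""
    ctx = build_server_context(client_ca)
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    httpd = make_server(host, port, app)
    # Every accept() on the wrapped socket now performs the TLS handshake.
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    return httpd


def hello_app(environ, start_response):
    """Minimal WSGI app so the server has something to serve."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello over TLS\n"]


if __name__ == "__main__":
    # Placeholder paths: replace with the server certificate chain and key.
    httpd = make_https_server(hello_app, "127.0.0.1", 8443,
                              certfile="/path/to/server.crt",
                              keyfile="/path/to/server.key")
    print("serving on https://127.0.0.1:8443/")
    httpd.serve_forever()
```

Note that wsgiref does not learn it is behind TLS, so `environ["wsgi.url_scheme"]` will still read `http`; if the proxied app builds absolute URLs from it, set `HTTPS=on` in the environment or fix the scheme in a small middleware.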
I currently have Apache setup on my VPS and I'm wondering what would be the best way to handle Pylons development.
I have the directory structure with public_html in my home directory which includes separate website directories to which I map the IP to the DNS provided by my name registrar.
Is there a way to get paster running within a new directory (i.e. make an env/bin/paster) and run it to that?
If so then do I even need to get a new IP? Or would I be able to run both webservers in parallel on the same server without experiencing any conflicts?
I'm looking to convert all my new projects to Pylons.
It's usually more practical to first develop your application locally using pserve, the builtin HTTP server in Pyramid (it used to be paster before Pyramid 1.3 but pserve behaves similarly). This HTTP server comes in quite handy when developing for debugging, but you don't usually expose your web application publicly with this server.
Once your application is ready to go public you should deploy your application on your server with another HTTP server like Apache. You can use WSGIScriptAlias if you have Apache with mod_wsgi, as it's documented in Pyramid, to map a subdirectory.
The official documentation also explains how you can have different subdirectories running different Pyramid instances with a virtual root.
If you really want to make your application accessible publicly with pserve, you can still use the urlmap composite functionality of PasteDeploy as explained in the documentation.
If your DNS is properly configured, you don't need to mess with the IP.