Passing the Windows Authentication context from IIS to Python using FastCGI - python

I've successfully set up a sample Flask app on Windows / IIS 10.0 using wfastcgi with Python 3.6 running under a Windows domain account.
Now I'm trying to pass the IIS Windows Authentication user information to my Flask app. I've enabled only Windows Authentication in IIS and my browser authenticates successfully.
How do I find out which user is accessing the site in WSGI? I've checked the environment variables and the HTTP headers without luck.
PHP seems to have a fastcgi.impersonate option, but there seems to be no equivalent for Python.

You mentioned that you've checked the environment variables and the HTTP headers. If you checked the environment variables with os.environ.get('REMOTE-USER') then you should receive an empty string because your Python instance is running locally on the server and is not remote. And unless you use something like ISAPI rewrite, IIS won't write the REMOTE-USER to the headers either.
The easiest solution is to check the environment variables that IIS explicitly passes to Flask:
from flask import request
# request.environ is the WSGI environ dict; read the server-set variable with .get()
username = request.environ.get('REMOTE_USER')
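The lookup above as a stand-alone WSGI sketch (an added example, not code from the original answer): it reads only the server-set REMOTE_USER, splits the Windows logon name, and fails closed when the value is missing or empty. The names parse_windows_identity, RequireRemoteUser, whoami, call and the environ key app.identity are hypothetical, and treating an empty REMOTE_USER as "not authenticated" is an assumption of this sketch.

```python
from wsgiref.util import setup_testing_defaults


def parse_windows_identity(raw):
    """Split 'DOMAIN\\user' or 'user@domain' into (domain, user); None if unusable."""
    raw = (raw or "").strip()
    if "\\" in raw:
        domain, _, user = raw.partition("\\")
    elif "@" in raw:
        user, _, domain = raw.rpartition("@")
    else:
        domain, user = "", raw
    if not user:
        return None
    # Windows account names are case-insensitive, so normalise before comparing.
    return domain.upper(), user.lower()


class RequireRemoteUser:
    """WSGI middleware: reject requests the web server did not authenticate."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # Only the server-set CGI variable is consulted. A client-sent
        # 'Remote-User' header would arrive as HTTP_REMOTE_USER and is ignored.
        identity = parse_windows_identity(environ.get("REMOTE_USER"))
        if identity is None:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"authentication required\n"]
        environ["app.identity"] = identity
        return self.app(environ, start_response)


def whoami(environ, start_response):
    """Sample application: echo the normalised identity."""
    domain, user = environ["app.identity"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"{domain}\\{user}".encode()]


def call(app, **extra):
    """Drive a WSGI app with a constructed environ; return (status, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update(extra)
    seen = {}
    body = b"".join(app(environ, lambda s, h: seen.update(status=s)))
    return seen["status"], body
```

In a Flask app the same middleware can wrap the application with app.wsgi_app = RequireRemoteUser(app.wsgi_app).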

Related

How to deploy python flask application on another windows 10?

I have developed a Python Flask application (REST API). Now I want to deploy this application on a client system (Windows 10 Professional). My client doesn't have any internet service.
Previously, I did this in Java; that time I made a .war file and deployed it in Tomcat on the client system. He was able to access the REST API.
Now I want to know if there is any similar way to deploy a Python app on the client system, so that on system start he is able to access my REST API.
use PyInstaller.
pip install pyinstaller
go to project dir
cd C:\Users\sandip\Desktop\MyPython
use
pyinstaller --onefile HelloFlask.py
If you just want to make your REST APIs accessible to other users in the same network, you can simply do it without installing anything on the client side by replacing the app.run() in your code with app.run(host='0.0.0.0'). By default a Flask app runs on localhost; changing it to the latter causes it to run on your machine's IP address, thus making it accessible to all the users on the same network. You can read more in Flask's documentation under the heading Externally Visible Server.
To deploy your app in production, you need a WSGI server; you can read about deployment of a Flask app here

How to set up a connection with Kerberos in Python application?

I have a task to create SSO (single sign-on) authorization in a Python backend application with the help of Kerberos and Active Directory.
In other words, the frontend application makes an AJAX GET request to a specific URL of the backend application. That backend application must return information about the employee in JSON format.
What I have done so far:
1) SPN name for the backend application was created in Active Directory.
2) krb5.keytab file for the backend application was created.
3) Active Directory and the Kerberos server are located on a remote Windows server.
4) The backend application will be in a Linux Docker container.
5) I installed a Kerberos client in the Docker container.
6) Kerberos Realm: SERVICE.LOCAL.
7) Hostname for the KDC Server: CS001, CS002, CS003.
Have you ever seen any implementations of the above process in Python? I will be grateful for any help.
You have 2 ways to handle this:
Handle it directly in Python
Handle it in a proxy such as apache or nginx
Pure Python Solution
If you don't have a proxy or just want to handle it in python anyway, I recommend using the python-gssapi library. Here's a code sample. There are other Python bindings but from my reading, this one seems to be the most complete.
Note, if you handle it this way, your Python server will probably need to be able to respect the keep-alive header (i.e. re-use the same connection for multiple requests). This isn't strictly part of the SPNEGO protocol, but most browsers seem to require that the server implements it.
Proxy Solution
If you're using apache, there's a mod_auth_kerb module you can use which is well documented. There's also a mod_auth_gssapi which provides similar functionality.
For nginx, there's a similar module available.
With any of these proxy solutions, the idea is that the proxy handles Kerberos auth, and sets the REMOTE_USER env variable for your python app. So your python app needs to be able to accept this variable as an authenticated user. Django has middleware specifically for that purpose - I'm not sure about Flask (I mention these 2 frameworks because they're in your question's tags).

Execute PhantomJS on a Flask Web App on IIS

I developed a Python web app in Flask and I'm trying to deploy it correctly on IIS.
Before I launch the app on the production server I'm testing it on a VM.
All the steps I did:
Install IIS with CGI
With IIS installed, I download the web platform installer
I installed the WFastCGI for Python 3 (my version)
I configured the Handler Mappings and the CGI Settings to deploy my app, and it is all fine.
The website is all working, except one part. One of the functions of the website requires executing a webdriver, in this case PhantomJS, with the selenium Python module.
The PhantomJS executable is on the root folder of the website:
PhantomJSPath = 'phantomjs/bin/phantomjs.exe'
But when I try to declare the variable to select the webdriver, it just doesn't run on IIS (when I open that specific page of that function it gives me a 500 ERROR; all the other pages work perfectly). The stupid thing is, when I execute it in Flask development mode on port 5000 it just works perfectly.
browser = webdriver.PhantomJS(PhantomJSPath)
I tried a lot of stuff already, like giving all permissions to everyone on the web app folder and stuff like that. I think the problem is with the IIS configuration or security settings.
I hope you can help me and all of the other people with the same issue ;) TY
OK, I solved it. I just configured the website settings on IIS and the Application pool to the specific path of the website, gave all the permissions to the IIS user (IIS_USRS) and it works. Ty anyway!
If you know any other ways to fix this issue just post. I will mark it if it works too.

Python get client windows user from intranet

Basically I'm looking for an alternative to https://github.com/einfallstoll/express-ntlm for Python/Tornado.
I could just add node.js as another layer in the application but I'd rather not.
A way to get the Windows user of the client accessing a URL.
This will be used in a web app only available on a corporate network.
When deploying on IIS with IIS handling Windows authentication, you can retrieve the remote user from the environment variables. This assumes you have Windows authentication enabled and configured.
Then you can simply get the variables out of the environment. As noted in the Microsoft documentation applicable environment variables include REMOTE_USER, AUTH_USER, LOGON_USER, and UNMAPPED_REMOTE_USER. Check the docs for specific usages.
In Python, these can be retrieved with os.environ
Tested this using IIS 7.5 running a simple script and was able to get the username with Python simply by os.environ.get("REMOTE_USER")
If you're using a proxy, the environment variable may be different, such as 'HTTP_X_PROXY_REMOTE_USER'. The server may also need to be configured to pass those environment variables along if that's the case.
express-ntlm is based on an Apache Python project that does the very same: https://github.com/Legrandin/PyAuthenNTLM2/
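The proxy case mentioned above and in the Kerberos answer (the proxy authenticates and forwards the user name), as an added example that is not from the original answers: a header such as HTTP_X_PROXY_REMOTE_USER can be sent by any client, so this sketch honours it only when the connection comes from the proxy's address. The proxy addresses, the names resolve_user and ProxyRemoteUser, and the assumption that the proxy is the only authenticator in this deployment are all hypothetical.

```python
import ipaddress

# Constructed values: the proxy addresses are assumptions for this sketch.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.5/32"),
    ipaddress.ip_network("::1/128"),
]
# WSGI exposes the request header X-Proxy-Remote-User under this key.
PROXY_USER_KEY = "HTTP_X_PROXY_REMOTE_USER"


def resolve_user(environ):
    """Return the proxy-asserted user, or None unless the peer is a trusted proxy."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return None  # missing or malformed peer address: do not trust anything
    if not any(peer in net for net in TRUSTED_PROXIES):
        return None  # direct client connection: the header is untrusted input
    user = environ.get(PROXY_USER_KEY, "").strip()
    return user or None


class ProxyRemoteUser:
    """WSGI middleware: promote the proxy's header to REMOTE_USER, or clear it."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        user = resolve_user(environ)
        # Remove the raw header and any stale value so downstream code can
        # only ever see an identity that passed the check above.
        environ.pop(PROXY_USER_KEY, None)
        environ.pop("REMOTE_USER", None)
        if user is not None:
            environ["REMOTE_USER"] = user
        return self.app(environ, start_response)
```

The proxy itself must also overwrite or strip any copy of the header sent by the client, and the application port should not be reachable except through the proxy.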

Problem with running Django 1.1.1 on Google App Engine Development Server

I've downloaded google_appengine version 1.3.1. Using some web tutorials, I've created a basic Django 1.1.1 application. Using appcfg I managed to deploy it on GAE and it works. The problem is that the application doesn't want to work on the dev_appengine.py development server.
Whenever I run the app, the GAE local server returns HTTP 200 without any content. If I set up a basic environment and run main.py manually, then the page is properly returned on stdout.
I've also created a very basic helloworld application, and this one is working OK on the devel server.
Do you have any idea how I can debug the devel server? Option -d doesn't give any useful insight at all.
I had a module named the same way as the default GAE launcher (main/ and main.py). After renaming the launcher everything works great.
