I am developing a REST API with Django REST framework. In my view, I have set the permission classes to permission.IsAuthenticated. It works with HTTP, but I get 403 Forbidden with HTTPS.

I am testing with Chrome Advanced REST Client, using Basic Authentication. The URL I test with is:

https://username:password@example.com/product/list

HTTP Request Header:

GET /product/list/ HTTP/1.1
HOST: example.com
authorization: Basic Z29kZW5taWxlOnBhc3N3b3JkMTIzIQ==

HTTP Response Header:

Date: Tue, 22 Nov 2016 08:09:31 GMT
Server: Apache/2.4.10 (Debian)
Allow: GET, POST, HEAD, OPTIONS
X-Frame-Options: SAMEORIGIN
Vary: Accept,Cookie
Content-Length: 58
Content-Type: application/json

In the Advanced REST Client, I got 1 redirect:

To: /product/list/ with status 301 Moved Permanently
Date: Tue, 22 Nov 2016 08:16:47 GMT
Server: Apache/2.4.10 (Debian)
Location: /product/list/
Content-Length: 0
Content-Type: text/html; charset=utf-8

view.py

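from rest_framework import generics, permissions

# Product and ProductSerializer come from the project's own models and serializers.
class ProductList(generics.ListCreateAPIView):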
    queryset = Product.objects.all()
    serializer_class = ProductSerializer
    permission_classes = (permissions.IsAuthenticated,)

    def perform_create(self, serializer):
        serializer.save(...)

In my Apache config settings, I redirect HTTP to HTTPS:

<VirtualHost *:80>
    ServerName example.com
    ServerAdmin webmaster@localhost

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # This is optional, in case you want to redirect people
    # from http to https automatically.
    RewriteEngine On
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]

</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
        WSGIDaemonProcess example python-path=/var/www/html/example:/home/admin/project/example/virtualenv/env3.4/lib/python3.4/site-packages python-home=/home/admin/project/example/virtualenv/env3.4
        WSGIProcessGroup example
        WSGIScriptAlias / /var/www/html/example/example/wsgi.py

        ServerAdmin webmaster@localhost
        ServerName example.com
        ServerAlias www.example.com

        Alias /static /var/www/html/example/static/
        <Directory /var/www/html/example/static>
                Require all granted
        </Directory>

        <Directory /var/www/html/example/example>
                <Files wsgi.py>
                        #Allow from all
                        Order deny,allow
                        Allow from all
                        Require all granted
                </Files>
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/www.example.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
        Header always set Strict-Transport-Security "max-age=0"
        Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
chrizonline
  • If you are using HTTP Basic authentication, you need to set ``WSGIPassAuthorization On`` in mod_wsgi configuration to have it pass through credentials to your WSGI application. – Graham Dumpleton Nov 22 '16 at 09:03
  • Hi, I have placed it within ... but it doesn't work. Am I doing it correctly? – chrizonline Nov 22 '16 at 09:10
  • Putting it in that context should work. BTW, you don't need the ``Order`` and ``Allow`` directives as ``Require all granted`` is the Apache 2.4 way of doing those. Shouldn't have both old and new way. – Graham Dumpleton Nov 22 '16 at 09:15
  • You also don't need the ``site-packages`` path in ``python-path`` as the ``python-home`` option you have replaces that, with ``python-home`` being the preferred way of specifying the virtual environment location. – Graham Dumpleton Nov 22 '16 at 09:17
  • Thanks @GrahamDumpleton. Sorry for the late reply. I thought I replied. – chrizonline Dec 14 '16 at 16:10

0 Answers
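One way to check the point raised in the comments, that mod_wsgi only hands Basic credentials to the application when ``WSGIPassAuthorization On`` is in effect: a small WSGI diagnostic, added here as an example (not code from the question or from mod_wsgi), that reports whether `HTTP_AUTHORIZATION` reached the application without echoing the password. The function names, the constructed sample credentials and the idea of mounting it on a temporary path are assumptions.

```python
import base64
import binascii
import json


def describe_authorization(environ):
    """Summarise the Authorization header as the WSGI application sees it.

    Only the scheme and username are returned; the password is never
    returned or logged.
    """
    raw = environ.get("HTTP_AUTHORIZATION")
    if raw is None:
        # What the application sees when the server does not forward the header.
        return {"present": False, "scheme": None, "username": None, "well_formed": False}
    scheme, _, token = raw.partition(" ")
    info = {"present": True, "scheme": scheme.lower(), "username": None, "well_formed": False}
    if info["scheme"] != "basic":
        return info
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return info  # header arrived but is not valid Basic credentials
    username, sep, _password = decoded.partition(":")
    if sep:
        info["username"] = username
        info["well_formed"] = True
    return info


def application(environ, start_response):
    """Temporary WSGI endpoint (hypothetical): mount it on a test path, then remove it."""
    body = json.dumps(describe_authorization(environ)).encode("utf-8")
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("Content-Length", str(len(body)))])
    return [body]


# Constructed sample input, not the credentials shown in the question.
SAMPLE = "Basic " + base64.b64encode(b"alice:not-a-real-password").decode("ascii")

if __name__ == "__main__":
    print(describe_authorization({"HTTP_AUTHORIZATION": SAMPLE}))  # header forwarded
    print(describe_authorization({}))                              # header stripped
```

If the endpoint reports `"present": false` for a request that carried Basic credentials, the header is being dropped before it reaches Django, so `IsAuthenticated` sees an anonymous user.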