Protect the auth view with a shared secret
parent
cb84936b6c
commit
603b4a8063
@ -27,6 +27,8 @@ setting_default('CAS_TICKET_TIMEOUT', 24*3600)
|
|||||||
setting_default('CAS_PROXY_CA_CERTIFICATE_PATH', True)
|
setting_default('CAS_PROXY_CA_CERTIFICATE_PATH', True)
|
||||||
setting_default('CAS_REDIRECT_TO_LOGIN_AFTER_LOGOUT', False)
|
setting_default('CAS_REDIRECT_TO_LOGIN_AFTER_LOGOUT', False)
|
||||||
|
|
||||||
|
setting_default('CAS_AUTH_SHARED_SECRET', '')
|
||||||
|
|
||||||
setting_default('CAS_SERVICE_TICKET_PREFIX', 'ST')
|
setting_default('CAS_SERVICE_TICKET_PREFIX', 'ST')
|
||||||
setting_default('CAS_PROXY_TICKET_PREFIX', 'PT')
|
setting_default('CAS_PROXY_TICKET_PREFIX', 'PT')
|
||||||
setting_default('CAS_PROXY_GRANTING_TICKET_PREFIX', 'PGT')
|
setting_default('CAS_PROXY_GRANTING_TICKET_PREFIX', 'PGT')
|
||||||
|
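Review bot: The new `setting_default('CAS_AUTH_SHARED_SECRET', '')` line has no comment saying what the empty default means, and the behaviour is only discoverable by reading the Auth view. The view hunk in this commit shows that an empty value makes the view answer "no" to every request, so the default fails closed. A short comment above the line would record that, for example `# Shared secret required by the Auth view; while empty, the view refuses every request. Set to a long random value.`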
@ -294,9 +294,13 @@ class Auth(View):
|
|||||||
username = request.POST.get('username')
|
username = request.POST.get('username')
|
||||||
password = request.POST.get('password')
|
password = request.POST.get('password')
|
||||||
service = request.POST.get('service')
|
service = request.POST.get('service')
|
||||||
|
secret = request.POST.get('secret')
|
||||||
|
|
||||||
|
if not settings.CAS_AUTH_SHARED_SECRET:
|
||||||
|
return HttpResponse("no\nplease set CAS_AUTH_SHARED_SECRET", content_type="text/plain")
|
||||||
|
if secret != settings.CAS_AUTH_SHARED_SECRET:
|
||||||
|
return HttpResponse("no\n", content_type="text/plain")
|
||||||
if not username or not password or not service:
|
if not username or not password or not service:
|
||||||
print "not username or service or password"
|
|
||||||
return HttpResponse("no\n", content_type="text/plain")
|
return HttpResponse("no\n", content_type="text/plain")
|
||||||
form = forms.UserCredential(
|
form = forms.UserCredential(
|
||||||
request.POST,
|
request.POST,
|
||||||
|
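Review bot: The check `if secret != settings.CAS_AUTH_SHARED_SECRET:` uses an ordinary string comparison, which is not constant-time, so response timing can reveal information about the configured secret. Django provides `constant_time_compare` in `django.utils.crypto` for this; the line would become `if not constant_time_compare(secret or '', settings.CAS_AUTH_SHARED_SECRET):`, where `secret or ''` covers a request that omits the field. Separately, the unconfigured branch returns "no\nplease set CAS_AUTH_SHARED_SECRET" to any caller, which tells unauthenticated clients the deployment's configuration state. Logging that hint server-side and returning plain "no\n" would keep it for operators only. The Auth method starts before and continues past this hunk, so how the view is otherwise exposed is not visible here.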