Protect django apps from identity theft in less than 3 minutes

IEEE, Apple and Samsung are big brands that were recently victims of identity theft. But a company of any size can fall victim to identity theft if its applications or data are exposed on the Internet. As companies start embracing cloud services, they outsource part of their datacenter to a virtual datacenter hosted by a provider, or store part of their core data in an application hosted elsewhere, and this changes the way security has been conceived so far.

It doesn't take much to protect your application from identity theft: by adopting SecurePass for strong authentication and identity management you can protect your Django/Python application in less than 3 minutes. I created a video to show how this is possible.

These are the steps to integrate your Django project into SecurePass:

1. You need a valid SecurePass account and a working userid. If you don't have one, open a free account at http://www.secure-pass.net/accounts/open/

2. You need an existing Django project.

3. Create a superuser account in your application whose username matches your SecurePass userid; otherwise you won't be able to access your admin panel anymore. Use the command:

python manage.py createsuperuser

4. Download django-cas from:
https://bitbucket.org/cpcc/django-cas

5. Unzip it and move the django_cas directory to the root of your Django project.

6. Modify settings.py as follows:

6a. Append the CAS Server URL:

## CAS configuration
CAS_SERVER_URL = "https://login.secure-pass.net/cas/"

6b. Add 'django_cas.middleware.CASMiddleware' to the MIDDLEWARE_CLASSES tuple.

6c. Add the following lines to act as authentication backends:

AUTHENTICATION_BACKENDS = (
'django.contrib.auth.backends.ModelBackend',
'django_cas.backends.CASBackend',
)

6d. Optionally, add a line that specifies the realms/domains allowed to access the application:

## Allowed realms
ALLOWED_REALMS = ('garl.ch', )

7. Add django-cas authentication to urls.py:

(r'^accounts/login/$', 'django_cas.views.login'),
(r'^accounts/logout/$', 'django_cas.views.logout'),

This also traps admin access requests, which will then be validated through CAS/SecurePass.

8. In views.py:

8a. Import the login_required decorator with:

from django.contrib.auth.decorators import login_required

8b. Add the @login_required decorator to the methods you want to protect.

8c. Optionally, further restrict access to your method to the realms you trust with:

from django.conf import settings
from django.http import HttpResponseForbidden

# Inside a view that already carries @login_required (an anonymous user has an empty username and is rejected here too):
if request.user.username.partition("@")[2].lower() not in settings.ALLOWED_REALMS:
    error = "<h1>Authorization denied</h1><p>You are not authorized to access this application.</p>"
    return HttpResponseForbidden(error)
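The realm check in steps 6d and 8c is worth packaging once as a decorator rather than pasting into every view. The following is an added example, not code from the original post or from django-cas. It keeps the post's partition("@") logic (so a username with a second "@" fails closed, because the remainder never matches the allow-list), lowercases both sides, rejects usernames without a realm, and takes the 403 response builder as a parameter so the realm logic can be exercised without a Django install. The ALLOWED_REALMS value and the usernames are constructed; the Django wiring in the usage note assumes settings.ALLOWED_REALMS as defined in step 6d.

```python
from functools import wraps


def realm_of(username):
    """Return the lowercased realm of a CAS username (everything after the
    FIRST '@', as in the post), or '' when the username carries no '@'."""
    return username.partition("@")[2].strip().lower()


def is_allowed_realm(username, allowed_realms):
    """True only if the username has a realm and that realm is on the allow-list.
    An empty realm (no '@', or the AnonymousUser's '' username) is always rejected,
    so a stray '' entry in ALLOWED_REALMS cannot open the door."""
    realm = realm_of(username)
    if not realm:
        return False
    return realm in {r.lower() for r in allowed_realms}


def realm_required(allowed_realms, deny):
    """Decorator factory: only users whose realm is in allowed_realms reach the view.
    deny(request) builds the refusal; in Django pass a function returning
    HttpResponseForbidden. Stack it *under* @login_required so CAS has already
    populated request.user."""
    def decorator(view):
        @wraps(view)
        def wrapper(request, *args, **kwargs):
            if not is_allowed_realm(request.user.username, allowed_realms):
                return deny(request)
            return view(request, *args, **kwargs)
        return wrapper
    return decorator


# --- constructed stand-ins so the decorator can be run outside Django ---
class _DemoUser:
    def __init__(self, username):
        self.username = username


class _DemoRequest:
    def __init__(self, username):
        self.user = _DemoUser(username)


def demo(username, allowed_realms=("garl.ch",)):
    """Run a trivial view through the decorator with a constructed request and
    return whatever the view or deny() produced."""
    @realm_required(allowed_realms, deny=lambda request: "403 Forbidden")
    def view(request):
        return "200 OK for " + request.user.username

    return view(_DemoRequest(username))


if __name__ == "__main__":
    for name in ("alice@garl.ch", "Bob@GARL.CH", "mallory@evil.example", "noatsign", ""):
        print("%-22r -> %s" % (name, demo(name)))
```

In a real project the wiring is: from django.conf import settings; from django.http import HttpResponseForbidden; then decorate the view with @login_required followed by @realm_required(settings.ALLOWED_REALMS, lambda r: HttpResponseForbidden("Authorization denied")). Keeping the deny callable injectable is what lets the allow-list logic be unit-tested with plain objects, as demo() does.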