Original poster: jieforest

Implementing user authentication in the Django framework

11# | Original poster | Posted 2012-12-11 19:48
Changing passwords

manage.py changepassword *username* offers a method of changing a User's password from the command line. It prompts you to change the password of a given user which you must enter twice.

If they both match, the new password will be changed immediately. If you do not supply a user, the command will attempt to change the password whose username matches the current user.

You can also change a password programmatically, using set_password():
    >>> from django.contrib.auth.models import User
    >>> u = User.objects.get(username__exact='john')
    >>> u.set_password('new password')
    >>> u.save()

12# | Original poster | Posted 2012-12-11 19:49
Don't set the password attribute directly unless you know what you're doing. This is explained in the next section.

How Django stores passwords

New in Django 1.4: Django 1.4 introduces a new flexible password storage system and uses PBKDF2 by default. Previous versions of Django used SHA1, and other algorithms couldn't be chosen.

The password attribute of a User object is a string in this format:
    algorithm$hash

13# | Original poster | Posted 2012-12-11 19:50
That's a storage algorithm, and hash, separated by the dollar-sign character. The algorithm is one of a number of one-way hashing or password storage algorithms Django can use; see below. The hash is the result of the one-way function.

By default, Django uses the PBKDF2 algorithm with a SHA256 hash, a password stretching mechanism recommended by NIST. This should be sufficient for most users: it's quite secure, requiring massive amounts of computing time to break.

However, depending on your requirements, you may choose a different algorithm, or even use a custom algorithm to match your specific security situation. Again, most users shouldn't need to do this -- if you're not sure, you probably don't. If you do, please read on:

Django chooses the algorithm by consulting the PASSWORD_HASHERS setting. This is a list of hashing algorithm classes that this Django installation supports. The first entry in this list (that is, settings.PASSWORD_HASHERS[0]) will be used to store passwords, and all the other entries are valid hashers that can be used to check existing passwords.

This means that if you want to use a different algorithm, you'll need to modify PASSWORD_HASHERS to list your preferred algorithm first in the list.

14# | Original poster | Posted 2012-12-11 19:50
The default for PASSWORD_HASHERS is:
    PASSWORD_HASHERS = (
        'django.contrib.auth.hashers.PBKDF2PasswordHasher',
        'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
        'django.contrib.auth.hashers.BCryptPasswordHasher',
        'django.contrib.auth.hashers.SHA1PasswordHasher',
        'django.contrib.auth.hashers.MD5PasswordHasher',
        'django.contrib.auth.hashers.CryptPasswordHasher',
    )
This means that Django will use PBKDF2 to store all passwords, but will support checking passwords stored with PBKDF2SHA1, bcrypt, SHA1, etc. The next few sections describe a couple of common ways advanced users may want to modify this setting.

15# | Original poster | Posted 2012-12-11 19:51
Using bcrypt with Django

Bcrypt is a popular password storage algorithm that's specifically designed for long-term password storage. It's not the default used by Django since it requires the use of third-party libraries, but since many people may want to use it Django supports bcrypt with minimal effort.

To use Bcrypt as your default storage algorithm, do the following:

Install the py-bcrypt library (probably by running sudo pip install py-bcrypt, or downloading the library and installing it with python setup.py install).

Modify PASSWORD_HASHERS to list BCryptPasswordHasher first. That is, in your settings file, you'd put:
    PASSWORD_HASHERS = (
        'django.contrib.auth.hashers.BCryptPasswordHasher',
        'django.contrib.auth.hashers.PBKDF2PasswordHasher',
        'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
        'django.contrib.auth.hashers.SHA1PasswordHasher',
        'django.contrib.auth.hashers.MD5PasswordHasher',
        'django.contrib.auth.hashers.CryptPasswordHasher',
    )

16# | Original poster | Posted 2012-12-12 16:27
(You need to keep the other entries in this list, or else Django won't be able to upgrade passwords; see below).

That's it -- now your Django install will use Bcrypt as the default storage algorithm.

Other bcrypt implementations

There are several other implementations that allow bcrypt to be used with Django. Django's bcrypt support is NOT directly compatible with these. To upgrade, you will need to modify the hashes in your database to be in the form bcrypt$(raw bcrypt output).

For example:

bcrypt$$2a$12$NT0I31Sa7ihGEWpka9ASYrEFkhuTNeBQ2xfZskIiiJeyFXhRgS.Sy.

17# | Original poster | Posted 2012-12-12 16:28
Increasing the work factor

The PBKDF2 and bcrypt algorithms use a number of iterations or rounds of hashing. This deliberately slows down attackers, making attacks against hashed passwords harder. However, as computing power increases, the number of iterations needs to be increased.

We've chosen a reasonable default (and will increase it with each release of Django), but you may wish to tune it up or down, depending on your security needs and available processing power.

To do so, you'll subclass the appropriate algorithm and override the iterations parameters. For example, to increase the number of iterations used by the default PBKDF2 algorithm:

Create a subclass of django.contrib.auth.hashers.PBKDF2PasswordHasher:
    from django.contrib.auth.hashers import PBKDF2PasswordHasher

    class MyPBKDF2PasswordHasher(PBKDF2PasswordHasher):
        """
        A subclass of PBKDF2PasswordHasher that uses 100 times more iterations.
        """
        iterations = PBKDF2PasswordHasher.iterations * 100

18# | Original poster | Posted 2012-12-12 16:28
Save this somewhere in your project. For example, you might put this in a file like myproject/hashers.py.

Add your new hasher as the first entry in PASSWORD_HASHERS:
    PASSWORD_HASHERS = (
        'myproject.hashers.MyPBKDF2PasswordHasher',
        'django.contrib.auth.hashers.PBKDF2PasswordHasher',
        'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
        'django.contrib.auth.hashers.BCryptPasswordHasher',
        'django.contrib.auth.hashers.SHA1PasswordHasher',
        'django.contrib.auth.hashers.MD5PasswordHasher',
        'django.contrib.auth.hashers.CryptPasswordHasher',
    )

19# | Original poster | Posted 2012-12-12 16:29
That's it -- now your Django install will use more iterations when it stores passwords using PBKDF2.

Password upgrading

When users log in, if their passwords are stored with anything other than the preferred algorithm, Django will automatically upgrade the algorithm to the preferred one.

This means that old installs of Django will get automatically more secure as users log in, and it also means that you can switch to new (and better) storage algorithms as they get invented.

However, Django can only upgrade passwords that use algorithms mentioned in PASSWORD_HASHERS, so as you upgrade to new systems you should make sure never to remove entries from this list. If you do, users using unmentioned algorithms won't be able to upgrade.

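The algorithm$hash storage format (13#), the PASSWORD_HASHERS ordering (14#) and the upgrade-on-login behaviour (19#), modelled together as an added, stand-alone Python example; it is not Django's implementation and not part of the poster's thread. The hasher names, the stored-string layouts, the 9-byte salt and the 10000-iteration default are assumptions chosen to mirror the format the thread describes.

```python
import base64
import hashlib
import hmac
import os

# Stand-alone model of the algorithm$hash scheme, not Django's own code.
# Stored forms (assumed, patterned on the thread):
#   pbkdf2_sha256$<iterations>$<salt>$<base64 digest>
#   sha1$<salt>$<hex digest>            (legacy hasher, kept only for checking)

def encode_pbkdf2_sha256(password, salt, iterations=10000):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, base64.b64encode(digest).decode())

def encode_sha1(password, salt):
    return "sha1$%s$%s" % (salt, hashlib.sha1((salt + password).encode()).hexdigest())

# Verifiers re-derive the hash from the parameters stored in the string (the
# iteration count included), so raising the work factor for new passwords
# never breaks checks against hashes made with the old count.
def verify_pbkdf2_sha256(password, encoded):
    _, iterations, salt, _ = encoded.split("$", 3)
    return hmac.compare_digest(encoded, encode_pbkdf2_sha256(password, salt, int(iterations)))

def verify_sha1(password, encoded):
    _, salt, _ = encoded.split("$", 2)
    return hmac.compare_digest(encoded, encode_sha1(password, salt))

HASHERS = {"pbkdf2_sha256": (encode_pbkdf2_sha256, verify_pbkdf2_sha256),
           "sha1": (encode_sha1, verify_sha1)}
# Analogue of settings.PASSWORD_HASHERS: entry [0] stores, every entry checks.
PASSWORD_HASHERS = ["pbkdf2_sha256", "sha1"]

def make_password(password, hashers=PASSWORD_HASHERS):
    encode, _ = HASHERS[hashers[0]]
    return encode(password, base64.b64encode(os.urandom(9)).decode())

def check_password(password, encoded, hashers=PASSWORD_HASHERS):
    """Return (ok, upgraded). `upgraded` is a fresh hash under hashers[0] when a
    correct password was stored with a different algorithm (upgrade on login);
    an algorithm missing from `hashers` can be neither checked nor upgraded."""
    algorithm = encoded.split("$", 1)[0]
    if algorithm not in hashers:
        return False, None
    _, verify = HASHERS[algorithm]
    ok = verify(password, encoded)
    if ok and algorithm != hashers[0]:
        return True, make_password(password, hashers)
    return ok, None
```

Dropping "sha1" from the list makes check_password return (False, None) for a legacy hash, which is the failure mode the last paragraph warns about.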
20# | Original poster | Posted 2012-12-12 16:29
Anonymous users

class models.AnonymousUser

django.contrib.auth.models.AnonymousUser is a class that implements the django.contrib.auth.models.User interface, with these differences:

1. id is always None.

2. is_staff and is_superuser are always False.

3. is_active is always False.

4. groups and user_permissions are always empty.

5. is_anonymous() returns True instead of False.

6. is_authenticated() returns False instead of True.

7. set_password(), check_password(), save(), delete(), set_groups() and set_permissions() raise NotImplementedError.

In practice, you probably won't need to use AnonymousUser objects on your own, but they're used by Web requests, as explained in the next section.
