Django uses middleware to implement csrf verification

  • 2021-07-24 11:12:13
  • OfStack

Principle of csrf verification in Django

- CsrfViewMiddleware runs its process_view method before the view is called
- It checks whether the view is decorated with @csrf_exempt (exempt from csrf verification)
- For unsafe methods (POST, PUT, PATCH, DELETE) it takes the token from the request body (csrfmiddlewaretoken) or the X-CSRFToken header and compares it with the csrftoken cookie; a mismatch or a missing token returns 403

Case 1 (the whole site uses csrf verification, but a few views do not want it)


MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',  # site-wide csrf verification
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

If I want one view not to go through csrf verification, I can do this:


import json

from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt


@csrf_exempt  # this view does not require csrf verification
def users(request):
    user_list = ['alex', 'oldboy']
    return HttpResponse(json.dumps(user_list))

Case 2 (the whole site does not use csrf verification, but a few views want it)


MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    # 'django.middleware.csrf.CsrfViewMiddleware',  # no site-wide csrf verification
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

If I want one view to use csrf verification, I can do this:


import json

from django.http import HttpResponse
from django.views.decorators.csrf import csrf_protect


@csrf_protect  # this view requires csrf verification
def users(request):
    user_list = ['alex', 'oldboy']
    return HttpResponse(json.dumps(user_list))

CBV notes required for csrf

- use @method_decorator(csrf_exempt)
- apply it to the dispatch method (putting it on an individual handler method such as post does not work, because the middleware only sees the view function that as_view() builds from dispatch)

Mode 1


from django.http import HttpResponse
from django.utils.decorators import method_decorator
from django.views import View
from django.views.decorators.csrf import csrf_exempt


class StudentsView(View):

    @method_decorator(csrf_exempt)  # exempts every handler of this view
    def dispatch(self, request, *args, **kwargs):
        return super().dispatch(request, *args, **kwargs)

    def get(self, request, *args, **kwargs):
        print('GET method')
        return HttpResponse('GET')

    def post(self, request, *args, **kwargs):
        return HttpResponse('POST')

    def put(self, request, *args, **kwargs):
        return HttpResponse('PUT')

    def delete(self, request, *args, **kwargs):
        return HttpResponse('DELETE')

Mode 2


from django.http import HttpResponse
from django.utils.decorators import method_decorator
from django.views import View
from django.views.decorators.csrf import csrf_exempt


@method_decorator(csrf_exempt, name='dispatch')  # same effect, applied at class level
class StudentsView(View):

    def get(self, request, *args, **kwargs):
        print('GET method')
        return HttpResponse('GET')

    def post(self, request, *args, **kwargs):
        return HttpResponse('POST')

    def put(self, request, *args, **kwargs):
        return HttpResponse('PUT')

    def delete(self, request, *args, **kwargs):
        return HttpResponse('DELETE')
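
To make the process_view flow described at the top and the dispatch rule above concrete, here is an added example that is not from the original post and does not import Django: a simplified pure-Python model of the check CsrfViewMiddleware.process_view performs, a function view with and without csrf_exempt, and two class-based views, one exempting dispatch and one wrongly exempting only post. The Request class, the View model, the TOKEN value and the views are constructed for this example; real Django additionally masks the token, checks Origin/Referer on HTTPS requests, and applies csrf_exempt to dispatch through method_decorator.

```python
import hmac
from functools import wraps

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


class Request:
    """Constructed stand-in for a Django request: only the fields the check reads."""

    def __init__(self, method, cookies=None, post=None, meta=None):
        self.method = method
        self.COOKIES = cookies or {}
        self.POST = post or {}
        self.META = meta or {}


def csrf_exempt(view_func):
    """Same shape as django.views.decorators.csrf.csrf_exempt: it tags the wrapper."""

    @wraps(view_func)
    def wrapped(*args, **kwargs):
        return view_func(*args, **kwargs)

    wrapped.csrf_exempt = True
    return wrapped


def csrf_process_view(request, view_func):
    """Simplified model of CsrfViewMiddleware.process_view (assumption: the cookie
    holds the raw secret and the submitted token must equal it). Returns None when
    the view may run, otherwise the reason the real middleware answers 403 with."""
    # 1. A view tagged by @csrf_exempt skips the check entirely.
    if getattr(view_func, "csrf_exempt", False):
        return None
    # 2. Safe methods are never checked; only state-changing requests are.
    if request.method in SAFE_METHODS:
        return None
    # 3. The cookie is the reference; the token arrives in the body or a header.
    cookie_token = request.COOKIES.get("csrftoken")
    if not cookie_token:
        return "CSRF cookie not set"
    request_token = request.POST.get("csrfmiddlewaretoken") or request.META.get("HTTP_X_CSRFTOKEN", "")
    # 4. Constant-time comparison so the check itself leaks nothing about the token.
    if not hmac.compare_digest(cookie_token, request_token):
        return "CSRF token missing or incorrect"
    return None


class View:
    """Minimal model of django.views.View: as_view() builds the function the middleware sees."""

    @classmethod
    def as_view(cls):
        def view(request, *args, **kwargs):
            return cls().dispatch(request, *args, **kwargs)

        # Django copies dispatch's attributes onto the view function. This is why a
        # decorator on dispatch reaches the middleware and one on post() does not.
        view.__dict__.update(cls.dispatch.__dict__)
        return view

    def dispatch(self, request, *args, **kwargs):
        # Reflection: pick the handler by the request method name.
        handler = getattr(self, request.method.lower())
        return handler(request, *args, **kwargs)


class ExemptOnDispatch(View):
    @csrf_exempt  # in real Django: @method_decorator(csrf_exempt)
    def dispatch(self, request, *args, **kwargs):
        return super().dispatch(request, *args, **kwargs)

    def post(self, request, *args, **kwargs):
        return "POST"


class ExemptOnPostOnly(View):
    @csrf_exempt  # wrong place: as_view() never looks at post()
    def post(self, request, *args, **kwargs):
        return "POST"


def users(request):
    return "users"


TOKEN = "a" * 32  # constructed; not a real Django-generated token


def run_checks():
    """Middleware verdict (None = allowed) for each scenario."""
    forged = Request("POST", cookies={"csrftoken": TOKEN})  # cross-site form carries no token
    legit = Request("POST", cookies={"csrftoken": TOKEN}, post={"csrfmiddlewaretoken": TOKEN})
    ajax = Request("POST", cookies={"csrftoken": TOKEN}, meta={"HTTP_X_CSRFTOKEN": TOKEN})
    return {
        "fbv_forged": csrf_process_view(forged, users),
        "fbv_legit": csrf_process_view(legit, users),
        "fbv_ajax": csrf_process_view(ajax, users),
        "fbv_exempt_forged": csrf_process_view(forged, csrf_exempt(users)),
        "get_no_cookie": csrf_process_view(Request("GET"), users),
        "cbv_dispatch_forged": csrf_process_view(forged, ExemptOnDispatch.as_view()),
        "cbv_post_only_forged": csrf_process_view(forged, ExemptOnPostOnly.as_view()),
    }


if __name__ == "__main__":
    print(run_checks())
```

The only difference between the two class-based views is where csrf_exempt sits: on dispatch the flag is copied onto the view function and the forged POST is allowed, on post alone the flag is never seen and the same POST is rejected. Running the file prints the verdict for every scenario.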

Summary:

- Essence: based on reflection
- Process: routing, view, dispatch (dispatch picks the handler by the request method name via reflection)
- Cancelling csrf verification: the decorator must be added to the dispatch method, wrapped with method_decorator

Extension:

- csrf verification is based on the middleware's process_view method
- decorators set it per view function (with or without verification)
