Dalius Dobravolskas wrote:
> Ian Bicking wrote:
>> Some time ago I wrote this up as a proposal for the basic way
>> authentication can work in WSGI:
>> http://wsgi.org/wsgi/Specifications/simple_authentication
>>
>> I think most of the systems work pretty much like this, but I don't know
>> for sure.
>>
>
> Ian, that's exactly what I want :-) And your specification is almost
> perfect. Some notes:
>
> 1. AuthKit authorization throws httpexception with code 401
>
> That's why you should handle exception in authentication side before
> (matter of one line):
>
> app = HTTPExceptionHandler(app)
>
> Example middleware:
> http://hg.sandbox.lt/authform-middleware/file/2be2aba0a1b7/authform_middleware/authform.py
Generally you shouldn't throw expected exceptions outside of your
application. So HTTPExceptionHandler should be wrapping your
controllers directly, and should translate any HTTPAuthorizationRequired
exceptions into proper 401 responses. I don't think the auth middleware
should wrap these itself.
> 2. I think we should agree that user data if there is some data arriving
> with authentication should be put into REMOTE_USER_DATA env. variable.
> E.g. some SREG data comes with OpenID authentication and I put it into
> dict converted to string ('{"nickname": "dalius"}') and later eval it so
> it could be used. I'm not sure if data string must be agreed (e.g.
> nickname, locale and etc) or leave that for authentication
> plugin/middleware author to fix.
evaling is generally a bad idea. You could consider it JSON or some
more limited serialization of data. Or put it in, say,
environ['x-wsgiorg.user_data'], a real dictionary. If you want to move
that data over HTTP you have to serialize it to some header, but that
might be best to consider separately.
> 3. It might be possible that pylons will handle error 401 properly even
> without WWW-Authenticate header.
Pylons doesn't really care about WWW-Authenticate. But the HTTP spec
says that header is required with 401 responses.
It might be helpful with some cases where you really do want multiple
logins on a site, or where you don't want to clobber the login system
that some application might provide. An example where you have to be
trickier about logins is WebDAV -- they are in theory just web requests,
but the authentication available is more limited, and there are client
quirks you may want to work around.
Generally it's a somewhat open issue how to deal with different kinds of
clients, e.g., browsers and other automated clients (WebDAV, REST calls,
etc).
Ian
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"pylons-discuss" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/pylons-discuss?hl=en
-~----------~----~----~----~------~----~------~--~---
