Re: [Zope3-Users] Pluggable authentication, a newbie's question
Stephan Richter wrote:
> On Sunday 28 January 2007 11:44, Alexei Ustyuzhaninov wrote:
> > This code is contained in the file mypackage/__init__.py, mypackage in turn is loaded via ZCML.
>
> This is bad form. You should have that code in another module.
>
> > Both plugins and PAU are registered successfully and I can access them with queryUtility. But the authentication is carried through the standard mechanism and MyAuthenticatorPlugin isn't even called.
>
> There are a couple of things to be said here:
>
> * Pluggable Authentication was not developed to work well globally. I know I had to tweak it a (tiny) bit to make it work for base registries.
>
> * You should use the pluggable authentication utility from a site. You can do this via ZCML and baseregistries or adding it to the ZODB. You should look into configurator on how to do this programmatically.
>
> Packages to check out:
>
> z3c.baseregistry
> z3c.configurator

I have looked a bit at the sources and made my own version of the publication class which (I think) makes the authentication work as I want. Here is my implementation:

overrides.zcml
--
http://namespaces.zope.org/zope"; xmlns:browser="http://namespaces.zope.org/browser";>

MyAuthentication.py
---
from zope import interface
from zope.component import provideUtility
from zope.app.authentication import interfaces
from zope.app.authentication.interfaces import\
    ICredentialsPlugin, IAuthenticatorPlugin, IPrincipalInfo
from zope.app.authentication import PluggableAuthentication
from zope.app.authentication.httpplugins import HTTPBasicAuthCredentialsPlugin

class PrincipalInfo(object):
    interface.implements(interfaces.IPrincipalInfo)

    def __init__(self, id, title, description):
        self.id = id
        self.title = title
        self.description = description

class CascadeAuthenticatorPlugin(object):
    interface.implements(interfaces.IAuthenticatorPlugin)

    def authenticateCredentials(self, credentials):
        if credentials is None:
            return None
        # my_authentication() is not shown in the post
        params = my_authentication(credentials)
        if params is None:
            return None
        else:
            return PrincipalInfo(*params)

provideUtility(HTTPBasicAuthCredentialsPlugin(), ICredentialsPlugin,\
    name='My Credentials Plugin')
provideUtility(CascadeAuthenticatorPlugin(), IAuthenticatorPlugin,
    name='My Authenticator Plugin')

pau=PluggableAuthentication('')
pau.credentialsPlugins=('My Credentials Plugin',)
pau.authenticatorPlugins=('My Authenticator Plugin',)

MyPublication.py
import transaction
from zope.app.publication.browser import BrowserPublication
from zope.app.publication.requestpublicationfactories import\
    BrowserFactory
from zope.app.security.principalregistry import\
    principalRegistry as prin_reg
from zope.security.interfaces import Unauthorized
from zope.security.management import newInteraction
from MyAuthentication import pau

class MyPublication(BrowserPublication):
    def beforeTraversal(self, request):
        #p = prin_reg.authenticate(request)
        p = pau.authenticate(request)
        if p is None:
            p = prin_reg.unauthenticatedPrincipal()
            if p is None:
                raise Unauthorized # If there's no default principal
        request.setPrincipal(p)
        newInteraction(request)
        transaction.begin()

    # overridden with an empty body
    def _maybePlacefullyAuthenticate(self, request, ob):
        ""

class MyBrowserFactory(BrowserFactory):
    def __call__(self):
        request_class, orig_publ=super(MyBrowserFactory, self).__call__()
        return request_class, MyPublication

I'm new to zope3, so could you estimate how well this approach corresponds to the Zope architecture?

--
Alexei
___
Zope3-users mailing list
Zope3-users@zope.org
http://mail.zope.org/mailman/listinfo/zope3-users
Re: [Zope3-Users] Pluggable authentication, a newbie's question
On Monday 29 January 2007 16:06, David Johnson wrote:
> > Aha, seems that I see where my problem is. I didn't manage the site through ZMI. Is it possible to do this manipulation programmatically?
>
> That I don't know. Probably. Why you would want to is another question.

There is a lot of motivation for doing it this way. Alexei stated one in his response. During development you also want to throw databases away frequently. To set up everything in the ZODB by hand again is just totally lame.

A lemma to this is that we always generate sample data for our applications (via z3c.sampledata or now z3c.configurator) so that we can test the application better. We use the sample data for manual and automated testing. It would be unpractical to do it by hand then.

Regards,
Stephan
--
Stephan Richter
CBU Physics & Chemistry (B.S.) / Tufts Physics (Ph.D. student)
Web2k - Web Software Design, Development and Training
Re: [Zope3-Users] Pluggable authentication, a newbie's question
On Monday 29 January 2007 11:30, Alexei Ustyuzhaninov wrote:
> Aha, seems that I see where my problem is. I didn't manage the site through ZMI. Is it possible to do this manipulation programmatically?

Yes, we do it only this way. The site management API is very easy. See IComponents.

Regards,
Stephan
--
Stephan Richter
CBU Physics & Chemistry (B.S.) / Tufts Physics (Ph.D. student)
Web2k - Web Software Design, Development and Training
Re: [Zope3-Users] Pluggable authentication, a newbie's question
On Sunday 28 January 2007 11:44, Alexei Ustyuzhaninov wrote:
> This code is contained in the file mypackage/__init__.py, mypackage in turn is loaded via ZCML.

This is bad form. You should have that code in another module.

> Both plugins and PAU are registered successfully and I can access them with queryUtility. But the authentication is carried through the standard mechanism and MyAuthenticatorPlugin isn't even called.

There are a couple of things to be said here:

* Pluggable Authentication was not developed to work well globally. I know I had to tweak it a (tiny) bit to make it work for base registries.

* You should use the pluggable authentication utility from a site. You can do this via ZCML and baseregistries or adding it to the ZODB. You should look into configurator on how to do this programmatically.

Packages to check out:

z3c.baseregistry
z3c.configurator

Regards,
Stephan
--
Stephan Richter
CBU Physics & Chemistry (B.S.) / Tufts Physics (Ph.D. student)
Web2k - Web Software Design, Development and Training
Re: [Zope3-Users] Pluggable authentication, a newbie's question
David Johnson wrote:
> On Jan 29, 2007, at 5:30 PM, Alexei Ustyuzhaninov wrote:
> > David Johnson wrote:
> > > > What do you mean by "Your authenticator is registered as a Plugin in a PAU in your current site"? I registered the authenticator as a utility and assigned the utility name to the authenticatorPlugins attribute of the PAU. Is it enough?
> > >
> > > I'm not sure I follow you here. Normally when you create a custom authenticator you first go into Manage Site and add a Pluggable Auth Utility (PAU). Then from within the PAU there are plugins. You can add your custom plugin here. Then you select a credentials plugin and your authenticator plugin. I'm not an expert by any means on PAU, but it seems this is the preferred approach.
> > >
> > > The authenticators I've written implemented the following:
> > > implements(AuthenticatorPlugin,IQueriableAuthenticator,IQuerySchemaSearch)
> >
> > Aha, seems that I see where my problem is. I didn't manage the site through ZMI. Is it possible to do this manipulation programmatically?
>
> That I don't know. Probably. Why you would want to is another question.

Well, I'm going to be able to deploy the package without using ZMI. That's why I'm seeking a programmatic solution.
Re: [Zope3-Users] Pluggable authentication, a newbie's question
On Jan 29, 2007, at 5:30 PM, Alexei Ustyuzhaninov wrote:
> David Johnson wrote:
> > > What do you mean by "Your authenticator is registered as a Plugin in a PAU in your current site"? I registered the authenticator as a utility and assigned the utility name to the authenticatorPlugins attribute of the PAU. Is it enough?
> >
> > I'm not sure I follow you here. Normally when you create a custom authenticator you first go into Manage Site and add a Pluggable Auth Utility (PAU). Then from within the PAU there are plugins. You can add your custom plugin here. Then you select a credentials plugin and your authenticator plugin. I'm not an expert by any means on PAU, but it seems this is the preferred approach.
> >
> > The authenticators I've written implemented the following:
> > implements (AuthenticatorPlugin,IQueriableAuthenticator,IQuerySchemaSearch)
>
> Aha, seems that I see where my problem is. I didn't manage the site through ZMI. Is it possible to do this manipulation programmatically?

That I don't know. Probably. Why you would want to is another question.
Re: [Zope3-Users] Pluggable authentication, a newbie's question
David Johnson wrote:
> > What do you mean by "Your authenticator is registered as a Plugin in a PAU in your current site"? I registered the authenticator as a utility and assigned the utility name to the authenticatorPlugins attribute of the PAU. Is it enough?
>
> I'm not sure I follow you here. Normally when you create a custom authenticator you first go into Manage Site and add a Pluggable Auth Utility (PAU). Then from within the PAU there are plugins. You can add your custom plugin here. Then you select a credentials plugin and your authenticator plugin. I'm not an expert by any means on PAU, but it seems this is the preferred approach.
>
> The authenticators I've written implemented the following:
> implements(AuthenticatorPlugin,IQueriableAuthenticator,IQuerySchemaSearch)

Aha, seems that I see where my problem is. I didn't manage the site through ZMI. Is it possible to do this manipulation programmatically?
Re: [Zope3-Users] Pluggable authentication, a newbie's question
> What do you mean by "Your authenticator is registered as a Plugin in a PAU in your current site"? I registered the authenticator as a utility and assigned the utility name to the authenticatorPlugins attribute of the PAU. Is it enough?

I'm not sure I follow you here. Normally when you create a custom authenticator you first go into Manage Site and add a Pluggable Auth Utility (PAU). Then from within the PAU there are plugins. You can add your custom plugin here. Then you select a credentials plugin and your authenticator plugin. I'm not an expert by any means on PAU, but it seems this is the preferred approach.

The authenticators I've written implemented the following:
implements (AuthenticatorPlugin,IQueriableAuthenticator,IQuerySchemaSearch)
Re: [Zope3-Users] Pluggable authentication, a newbie's question
Hi, David! Thank you for the help.

David Johnson wrote:
> I'll try. Your authenticator is registered as a Plugin in a PAU in your current site? I'm not sure of the cause without more details, but when I see this happen I've usually neglected one of the following:

What do you mean by "Your authenticator is registered as a Plugin in a PAU in your current site"? I registered the authenticator as a utility and assigned the utility name to the authenticatorPlugins attribute of the PAU. Is it enough?

> 1. The credentials plugin is not selected and added.
> 2. The authenticator plugin is not selected and added.

I think the plugins were selected and added as well as the PAU. I could access them with the queryUtility method later.

> 3. No permissions have been granted to the user, so even though the user is valid, they don't have permissions to do anything and so another authentication is being called as a backup.
>
> This is easy enough to debug by putting print statements at strategic points in your plugin and see if and when they show up in the Zope log.

Yes, I do debugging the same way. And the print statement at the first line of the authenticator printed nothing. So I think the authenticator wasn't called at all.

> The PAU stuff has changed a lot over the history of Zope 3, so I've also found it to happen when using outdated methods such as the ones in Phillip's first edition (which have since been updated to reflect the latest methods - thanks Phillip).
>
> --
> David
>
> On Jan 28, 2007, at 5:44 PM, Alexei Ustyuzhaninov wrote:
> > Hello,
> >
> > I try to create a plugin, which could authenticate users against an external database. Here is the code:
> >
> > from zope.component import provideUtility
> > from zope.app.authentication import PluggableAuthentication
> > from zope.app.authentication.interfaces import\
> >     ICredentialsPlugin, IAuthenticatorPlugin
> > from zope.app.authentication.session import SessionCredentialsPlugin
> > from zope.app.security.interfaces import IAuthentication
> > from mypackage.Authentication import MyAuthenticatorPlugin
> >
> > provideUtility(SessionCredentialsPlugin(), ICredentialsPlugin,\
> >     'My Credentials Plugin')
> > provideUtility(MyAuthenticatorPlugin(), IAuthenticatorPlugin,
> >     'My Authenticator Plugin')
> > pau=PluggableAuthentication('my_')
> > pau.credentialsPlugins=('Cascade Credentials Plugin', )
> > pau.authenticatorPlugins=('Cascade Authenticator Plugin', )
> > provideUtility(pau, IAuthentication, 'My Pluggable-Authentication Utility')
> >
> > This code is contained in the file mypackage/__init__.py, mypackage in turn is loaded via ZCML. Both plugins and PAU are registered successfully and I can access them with queryUtility. But the authentication is carried through the standard mechanism and MyAuthenticatorPlugin isn't even called.
> >
> > Could any good soul help me with this case?
> >
> > --
> > Thanks,
> > Alexei
Re: [Zope3-Users] Pluggable authentication, a newbie's question
I'll try. Your authenticator is registered as a Plugin in a PAU in your current site? I'm not sure of the cause without more details, but when I see this happen I've usually neglected one of the following:

1. The credentials plugin is not selected and added.
2. The authenticator plugin is not selected and added.
3. No permissions have been granted to the user, so even though the user is valid, they don't have permissions to do anything and so another authentication is being called as a backup.

This is easy enough to debug by putting print statements at strategic points in your plugin and see if and when they show up in the Zope log.

The PAU stuff has changed a lot over the history of Zope 3, so I've also found it to happen when using outdated methods such as the ones in Phillip's first edition (which have since been updated to reflect the latest methods - thanks Phillip).

--
David

On Jan 28, 2007, at 5:44 PM, Alexei Ustyuzhaninov wrote:
> Hello,
>
> I try to create a plugin, which could authenticate users against an external database. Here is the code:
>
> from zope.component import provideUtility
> from zope.app.authentication import PluggableAuthentication
> from zope.app.authentication.interfaces import\
>     ICredentialsPlugin, IAuthenticatorPlugin
> from zope.app.authentication.session import SessionCredentialsPlugin
> from zope.app.security.interfaces import IAuthentication
> from mypackage.Authentication import MyAuthenticatorPlugin
>
> provideUtility(SessionCredentialsPlugin(), ICredentialsPlugin,\
>     'My Credentials Plugin')
> provideUtility(MyAuthenticatorPlugin(), IAuthenticatorPlugin,
>     'My Authenticator Plugin')
> pau=PluggableAuthentication('my_')
> pau.credentialsPlugins=('Cascade Credentials Plugin', )
> pau.authenticatorPlugins=('Cascade Authenticator Plugin', )
> provideUtility(pau, IAuthentication, 'My Pluggable-Authentication Utility')
>
> This code is contained in the file mypackage/__init__.py, mypackage in turn is loaded via ZCML. Both plugins and PAU are registered successfully and I can access them with queryUtility. But the authentication is carried through the standard mechanism and MyAuthenticatorPlugin isn't even called.
>
> Could any good soul help me with this case?
>
> --
> Thanks,
> Alexei
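
Added example, not code from any poster in this thread or from Zope: a stand-alone model of the checks in David's list (plugins selected and resolvable) and of Stephan's advice to use the PAU from a site. The Registry and PAU classes, the audit and build functions and all plugin names are assumptions made for illustration; the model assumes the publication looks up IAuthentication without a name and that plugin names which do not resolve are skipped silently.

```python
# Added example: simplified model of utility lookup, not Zope's implementation.
class Registry:
    """(interface, name) -> utility, falling back to a parent registry."""
    def __init__(self, parent=None):
        self.parent, self._utils = parent, {}

    def register(self, utility, interface, name=""):
        self._utils[(interface, name)] = utility

    def query(self, interface, name=""):
        reg = self
        while reg is not None:
            if (interface, name) in reg._utils:
                return reg._utils[(interface, name)]
            reg = reg.parent
        return None

class PAU:
    def __init__(self, credentials=(), authenticators=()):
        self.credentialsPlugins = tuple(credentials)
        self.authenticatorPlugins = tuple(authenticators)

def audit(site, pau):
    """List the reasons `pau` would never authenticate a request on `site`."""
    problems = []
    # Assumption: the publication asks for IAuthentication with no name.
    if site.query("IAuthentication") is not pau:
        problems.append("PAU is not the unnamed IAuthentication utility")
    for iface, names in (("ICredentialsPlugin", pau.credentialsPlugins),
                         ("IAuthenticatorPlugin", pau.authenticatorPlugins)):
        if not names:
            problems.append("no %s selected" % iface)
        for name in names:
            if site.query(iface, name) is None:
                problems.append("%s %r is not registered" % (iface, name))
    return problems

def build(local):
    """Constructed setups: PAU named in the global registry, or unnamed in a site."""
    glob = Registry()
    glob.register("principalRegistry", "IAuthentication")  # default mechanism
    site = Registry(parent=glob) if local else glob
    pau = PAU(["creds"], ["db-auth"])
    site.register(pau, "IAuthentication", "" if local else "my-pau")
    site.register(object(), "ICredentialsPlugin", "creds")
    if local:  # the global setup forgets to register the authenticator
        site.register(object(), "IAuthenticatorPlugin", "db-auth")
    return audit(site, pau)

print(build(local=False))
print(build(local=True))
```

Running such an audit at startup turns a silently bypassed authenticator into a visible configuration error.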