Hello. Sorry about the delay.
On Thursday November 27, 2008 11:40:29 Joost wrote:
> I now see that SQLAuthenticatorPlugin doesn't actually set identity
> ['user'], it's (only) used to obtain the userid when the user
> isn't pre-authenticated. Setting identity['user'] is done in
> repoze.what.plugins.sql.SqlGroupsAdaptor based on the userid.

Right.

> That
> means I only need to write an identifier with access to the database
> to obtain the userid based on either the public or secure tickets and
> hook it up in middleware.py. I'm impressed by how well factored this
> system is! It takes some time to get your head around but it's
> definitely the most flexible auth/authorisation system I have seen.

Yeah, but the bad thing is that it introduces a whole new parallel language (group sources, permission sources, identifiers, metadata providers, "sections", "items", etc.) which may be confusing at first :(

But fortunately TG2 deals with such things for us by default ;-)

> > How do you authenticate the user on both sites? The user logs in the
> > secure site, then she's redirected to the "insecure" one for it to set a
> > session cookie and then redirect her back to the secure site? If so, one
> > solution may be to have an authenticator in the secure site which
> > redirects the user to the insecure site if authentication succeeds and
> > then an identifier in the "insecure" site sets its own cookie and
> > redirects the user back to the secure site.
>
> Authentication is only done on the ssl side of the site, yet
> identification is done on both sides. None of the public pages require
> the user to be authenticated and the identification is only used for
> things that don't compromise the privacy of the user. Technically
> identification is implemented as checking if the current connection is
> secure and matching either the secure or public ticket against the
> db.
>
> When identification fails and the page requires the user to be
> authenticated, control is transferred to a 'login_handler'. This
> login_handler intercepts the current request and presents the user
> with a login form. On postback the handler verifies the username/
> password combination, sets the two cookies with random tickets which
> are also stored in the db, and performs a redirect to the same page.
> Login and auth all happen at the original url. There is no need to
> redirect between the http and https site to set both cookies.
>
> The only difference with a 'normal' cookie based login system is that
> there are two separate tickets for the secure and public site. If I
> understand it correctly I only have to write a custom IdentifierPlugin
> to make this work with TG2, which is great!

Yes, I slightly misread your first post, so fortunately it's simpler than I thought. :)

So I'd recommend you upgrade to the latest TG2 trunk and also build the latest TG2 docs because it'll be *much* easier for you to achieve this. Once you've built the docs, go to the Auth section and then on to how to customize authentication; there you will learn how to add secondary r.who identifiers or replace the main one very easily.

> > Having a single TG2 application serving two different websites (one under
> > http and the other under https) with a common authentication working on
> > both sites is not very common, so you'll have to stop TG from configuring
> > auth for you [1] and then configure it yourself to customize repoze.who
> > as you need through repoze.what [2] (using setup_auth() so that you can
> > add the special identifier and authenticators).
>
> Thanks for pointing me in the right direction. I was looking for
> entry-points to hook up the plugin into the TG config, which isn't
> necessary :)

Right. Don't hesitate to come back if you get stuck! ;-)

Cheers.

-- 
Gustavo Narea <http://gustavonarea.net/>.
Get rid of unethical constraints!
Get freedomware: http://www.getgnulinux.org/
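The two-ticket scheme Joost describes in the thread above (login only on the https side, two random tickets stored in the db, an identifier that checks whether the connection is secure and matches the corresponding ticket), written out as an added example. This is not code from the thread, from TurboGears or from repoze.who; the method names follow repoze.who's IIdentifier contract (identify / remember / forget) but nothing from repoze.who is imported, so it runs stand-alone. The cookie names, the in-memory TicketStore, the PBKDF2 user table and the constructed WSGI environ values are all assumptions made for the example.

```python
"""Two-ticket cookie identification: an added example, not code from this
thread, TurboGears or repoze.who. Login on the https side issues two random
tickets (one per site), stores them server-side and sets both cookies in one
response; the identifier reads only the ticket belonging to the current scheme.
Method names follow repoze.who's IIdentifier contract (identify/remember/forget)
but nothing from repoze.who is imported. Cookie names, TicketStore and the user
table are assumptions."""
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

SECURE_COOKIE = "auth_tkt_secure"  # assumed name; only ever sent over https
PUBLIC_COOKIE = "auth_tkt_public"  # assumed name; sent on both schemes
PBKDF2_ROUNDS = 100_000


class TicketStore:
    """Stand-in for the db ticket table. Keeps sha256(ticket), not the ticket,
    so a leaked table yields no usable cookies (hardening beyond the thread)."""

    def __init__(self):
        self._by_hash = {}  # sha256 hex -> (userid, kind)

    @staticmethod
    def _h(ticket):
        return hashlib.sha256(ticket.encode()).hexdigest()

    def issue(self, userid, kind):
        ticket = secrets.token_urlsafe(32)
        self._by_hash[self._h(ticket)] = (userid, kind)
        return ticket

    def lookup(self, ticket, kind):
        # The ticket must exist AND have been issued for this side, so a
        # public ticket replayed in the secure cookie slot is rejected.
        entry = self._by_hash.get(self._h(ticket))
        return entry[0] if entry and entry[1] == kind else None

    def revoke_user(self, userid):
        for key in [k for k, v in self._by_hash.items() if v[0] == userid]:
            del self._by_hash[key]


class TwoTicketIdentifier:
    def __init__(self, store):
        self.store = store

    @staticmethod
    def is_secure(environ):
        return environ.get("wsgi.url_scheme") == "https"  # set by the server, not the client

    def identify(self, environ):
        if self.is_secure(environ):
            name, kind = SECURE_COOKIE, "secure"
        else:
            name, kind = PUBLIC_COOKIE, "public"
        cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
        if name not in cookies:
            return None
        userid = self.store.lookup(cookies[name].value, kind)
        return None if userid is None else {"repoze.who.userid": userid, "ticket_kind": kind}

    def remember(self, environ, identity):
        userid = identity["repoze.who.userid"]
        s, p = self.store.issue(userid, "secure"), self.store.issue(userid, "public")
        # Both cookies are set from the https login response. Secure keeps the
        # secure ticket off plain http; the public cookie lacks it so http gets it.
        return [("Set-Cookie", f"{SECURE_COOKIE}={s}; Path=/; Secure; HttpOnly; SameSite=Lax"),
                ("Set-Cookie", f"{PUBLIC_COOKIE}={p}; Path=/; HttpOnly; SameSite=Lax")]

    def forget(self, environ, identity):
        self.store.revoke_user(identity["repoze.who.userid"])
        return [("Set-Cookie", f"{c}=; Path=/; Max-Age=0") for c in (SECURE_COOKIE, PUBLIC_COOKIE)]


def make_user(password):
    """Salted PBKDF2 record for the assumed in-memory user table."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(users, username, password):
    rec = users.get(username)
    if rec is None:
        return False
    salt, digest = rec
    return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS), digest)


def login_handler(environ, form, users, identifier):
    """Form postback: verify credentials, set both cookies and redirect back to
    the same url. Returns (status, headers) the way a WSGI app would emit them."""
    if not identifier.is_secure(environ):
        return "403 Forbidden", []  # never accept credentials over plain http
    if not verify_password(users, form.get("login", ""), form.get("password", "")):
        return "401 Unauthorized", []
    headers = identifier.remember(environ, {"repoze.who.userid": form["login"]})
    headers.append(("Location", environ.get("PATH_INFO", "/")))
    return "302 Found", headers
```

Both cookies can be set from the single https login response because cookies are scoped by host, not by scheme, which is why no http/https redirect is needed; what keeps the secure ticket from ever travelling in cleartext is the Secure attribute on that one cookie, while the public cookie deliberately omits it. The `kind` check in `lookup` is the other half of the separation: a public ticket that an attacker captured off the http side cannot be replayed in the secure cookie slot.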
