Hello,
Thank you Gustavo for your reply.
I think I was trying to do this the hard way. Your last point was very helpful:
> Finally, you should keep in mind that repoze.who won't work while you have
> Apache doing authentication.
Apache is doing just fine with authentication and I just need TG2 to accept its
parameters. I didn't need to use repoze, but I needed my application to set
request.identity based off of request.environ['REMOTE_USER'].
This is my working solution:
from tg import request
# "model" is the application's own model package.

def getUser():
    '''gets the user(tuple) or dies'''
    if request.identity:
        return request.identity
    login = request.environ.get('REMOTE_USER', '').lower()
    if login:
        # .one() raises unless exactly one row matches
        return model.DBSession.query(model.Users).filter_by(login=login).one()
    else:
        # call the error middleware
        raise Exception('could not find the correct user for %s' % login)

def setUser(i):
    request.identity = i
    return i

class MyPredicate(object):
    def check_authorization(self, environ):
        if request.identity:
            return request.identity
        return setUser(getUser())
and now all I do in my controllers:
class MyAdminController(AdminController):
    allow_only = MyPredicate()

class Root(BaseController):
    allow_only = MyPredicate()
    admin = MyAdminController(model, DBSession)
This solution is weird and does break some of the guidelines of repoze
(i.e. throwing an exception on an invalid user), but it does the job. I think
it might also authenticate someone twice, but that won't really cause
any problems.
Thanks,
-Dave
On Jul 28, 8:16 am, Gustavo Narea <[email protected]> wrote:
> Hello, David.
>
> David said:
>
> > Hello,
> > I have an app that is going to be run behind apache using mod_wsgi.
> > In addition i have apache running http auth(via LDAP) and I can verify that
> > request.environ.get('REMOTE_USER') is being set.
> > Now I need to figure out how to get TG2 to set the identity.
> > I wrote an Identifier, as explained at
> > http://static.repoze.org/whodocs/narr.html#writing-an-identifier-plugin
> > class MyIdentifier(object):
> >     def identify(self, environ):
> >         login = request.environ.get('REMOTE_USER').lower()
> >         if login:
> >             u = model.Users.select_by(login=login).one()
> >             #set tg2 env ??
> >         else:
> >             raise Exception('could not find the correct user for %s'%login)
> >     def remember(self, environ, identity):
> >         pass
> >     def forget(self, environ, identity):
> >         pass
>
> Identifiers do not authenticate; that's what authenticators do and there's an
> SQLAlchemy authenticator which is used by default in
> TG2: http://code.gustavonarea.net/repoze.who.plugins.sa/
>
> However, in the snippet above you don't do anything with the "login" variable;
> unless you meant to authenticate the user twice, which would be weird. If what
> you actually want is to load the user's SQLAlchemy object into the request,
> then you need a repoze.who SQLAlchemy metadata provider, and it's already
> available: http://code.gustavonarea.net/repoze.who.plugins.sa/
>
> (Just in case, repoze.who plugins shouldn't raise exceptions (except in their
> constructors) as they'll break the application, triggering the error
> middleware.)
>
> > My real question is how to "attach" this to TG2. I believe this lives
> > somewhere in myapp.config.app_cfg, but I am not sure how that works.
> > http://turbogears.org/2.0/docs/main/Auth/Authorization.html#how-turbo...
> > deals-with-repoze-what-internally is a good resource, but I just need this
> > last little bit.
>
> Here it is:
> http://turbogears.org/2.0/docs/main/Auth/Customization.html#customizing-authentication-settings
>
> In other words, all the attributes of "app_cfg.sa_auth" will be passed as
> keyword arguments to
> repoze.what.plugins.quickstart.setup_sql_auth(): http://code.gustavonarea.net/repoze.what-quickstart/
>
> Finally, you should keep in mind that repoze.who won't work while you have
> Apache doing authentication. If you want to use any of its plugins, you have
> to let repoze.who handle authn. You may want to see
> this: http://code.gustavonarea.net/repoze.who.plugins.ldap/
>
> Good luck!
> --
> Gustavo Narea <xri://=Gustavo>.
> | Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about |
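
Added example, not part of the original thread and not TurboGears or repoze code: a plain WSGI middleware that maps the REMOTE_USER set by Apache to an identity and answers 403 instead of raising, which is the caveat Gustavo gives about exceptions. The class name, the USERS table, the call() helper and the use of the "repoze.who.identity" environ key as the place the application reads the identity from are assumptions made for the example.

```python
from wsgiref.util import setup_testing_defaults

# Constructed sample directory; a real application would query its user table.
USERS = {"dave": {"login": "dave"}}
IDENTITY_KEY = "repoze.who.identity"  # assumed to be the key the application reads


class RemoteUserIdentity(object):
    """Map the server-set REMOTE_USER to a user record, failing closed."""

    def __init__(self, app, lookup):
        self.app = app
        self.lookup = lookup  # callable: login -> user record, or None

    def __call__(self, environ, start_response):
        # Drop any identity left by an earlier layer before deciding.
        environ.pop(IDENTITY_KEY, None)
        # Only the variable set by the web server counts. A client-sent
        # "Remote-User:" header arrives as HTTP_REMOTE_USER and is ignored.
        login = (environ.get("REMOTE_USER") or "").strip().lower()
        user = self.lookup(login) if login else None
        if user is None:
            # Answer 403 instead of raising, so the error middleware stays out of it.
            body = b"Forbidden\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        environ[IDENTITY_KEY] = user
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    body = ("hello %s\n" % environ[IDENTITY_KEY]["login"]).encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


def call(app, **extra):
    """Run one constructed request through app; return (status, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update(extra)
    seen = {}
    body = b"".join(app(environ, lambda status, headers: seen.update(status=status)))
    return seen["status"], body


app = RemoteUserIdentity(demo_app, USERS.get)
```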