Jim Fulton wrote:
> Typically, web servers provide access logs that include a label
> for the authenticated user.
> 
> Often, WSGI applications (or middleware) provide their own user
> authentication facilities.  Well, Zope does. :)
> 
> There doesn't seem to be a standard way for WSGI applications or
> middleware to communicate the information necessary for a server
> to log the authenticated user back to the server.
> 
> Am I missing something?  How do other people handle this?
> 
> Is Zope the only WSGI application that performs authentication
> itself?

I do the authentication in my apps, but I am sloppy and do not record it 
;)  Well, that's not completely true.  In the rough access logger in 
Paste (http://pythonpaste.org/paste/translogger.py.html?f=8&l=80#8) I 
include environ['REMOTE_USER'] if it is present.  So if the WSGI environ 
that the middleware sees initially is the same environ that the 
authenticator writes to, then the middleware will see that change on 
the way out and include it.  Using a header would solve the problem 
where the environment is completely changed (unlikely), or copied before 
REMOTE_USER is assigned (fairly likely).

I can imagine a convention of X-WSGI-Authenticated, where X-WSGI-* gets 
stripped by the server, and any middleware that is interested can watch 
for these headers.  Another option is a callback, but potentially 
multiple middlewares will be interested (multiple logs aren't hard to 
imagine), and that complicates the callback.

-- 
Ian Bicking  |  [EMAIL PROTECTED]  |  http://blog.ianbicking.org
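
The two mechanisms discussed in this message, shown side by side as an added example (not code from Paste, Zope or the original thread): an access logger that reads `REMOTE_USER` on the way out and falls back to an `X-WSGI-Authenticated` response header, stripping `X-WSGI-*` before the client sees it. The names `AccessLog`, `authenticator`, `hello` and `run` are hypothetical, and the request is constructed with `wsgiref` test defaults.

```python
from wsgiref.util import setup_testing_defaults

AUTH_HEADER = "x-wsgi-authenticated"  # header name proposed in the message above

class AccessLog:
    """Outermost middleware: records the user, strips X-WSGI-* from the response."""
    def __init__(self, app, records):
        self.app, self.records = app, records  # records: list used as the log sink

    def __call__(self, environ, start_response):
        seen = {}
        def logging_start_response(status, headers, exc_info=None):
            seen["status"] = status
            for name, value in headers:
                if name.lower() == AUTH_HEADER:
                    seen["header_user"] = value
            # Internal X-WSGI-* headers must never reach the client.
            public = [(n, v) for n, v in headers if not n.lower().startswith("x-wsgi-")]
            return start_response(status, public, exc_info)
        body = self.app(environ, logging_start_response)
        # Assumes start_response was called before the app returned. REMOTE_USER is
        # only visible here if the authenticator wrote to this same environ dict.
        user = environ.get("REMOTE_USER") or seen.get("header_user") or "-"
        self.records.append((environ["PATH_INFO"], seen.get("status"), user))
        return body

def authenticator(app, user, copy_environ=False, announce=False):
    """Stand-in for application-level auth; `user` is a constructed value."""
    def middleware(environ, start_response):
        environ = dict(environ) if copy_environ else environ  # copy hides later writes
        environ["REMOTE_USER"] = user
        def sr(status, headers, exc_info=None):
            if announce:
                headers = headers + [("X-WSGI-Authenticated", user)]
            return start_response(status, headers, exc_info)
        return app(environ, sr)
    return middleware

def hello(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]

def run(stack):
    """Drive one constructed request; return (log record, headers sent to client)."""
    records, sent, environ = [], {}, {}
    setup_testing_defaults(environ)
    def start_response(status, headers, exc_info=None):
        sent["headers"] = headers
        return lambda data: None  # legacy write() callable required by WSGI
    b"".join(AccessLog(stack, records)(environ, start_response))
    return records[0], sent["headers"]
```

With `copy_environ=True` and no header, the logger records `-` for an authenticated request, which is the gap an audit trail would inherit.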