[Web-SIG] Communicating authenticated user information
Alan Kennedy
pywebsig at xhaus.com
Sun Jan 22 18:45:34 CET 2006
[Jim Fulton]
>>>Is Zope the only WSGI application that performs authentication
>>>itself?
[Phillip J. Eby]
>>I think Zope is the only WSGI application that cares about
>> communicating this information back to the web server's logs. :)
[Jim Fulton]
> I hope that's not true. Certainly, if anyone else is doing
> authentication in their applications or middleware, they
> *should* care about getting information into the access logs.
Well, Apache records auth info in logs as well, and it seems like a
perfectly reasonable thing for a server to do .....
http://httpd.apache.org/docs/2.0/logs.html#accesslog
[Phillip J. Eby]
>> Perhaps an "X-Authenticated-User: foo" header could be added
>> in a future spec version? (And as an optional feature in the
>> current PEP.)
[Jim Fulton]
> Perhaps. Note that it should be clear that this is solely for use
> in the access log. There should be no assumption that this is
> a principal id or a login name. It is really just a label for the
> log. To make this clearer, I'd use something like:
> "X-Access-User-Label: foo".
Sending X-headers seems hacky, and results in unnecessary information
being transmitted back to the user (possibly revealing sensitive
information, or opening security holes?)
I think that the communication mechanism for auth information is
possibly best served by a simple convention between auth middleware
authors. Perhaps servers that are aware that auth middleware is in use
can put a callable into the WSGI environment, which auth middleware
calls when it has auth'ed the user?
[Phillip J. Eby]
> This seems a simpler way to incorporate the feature than adding
> an extension API to environ.
[Jim Fulton]
> Why is that? Isn't the env meant for communication between
> the WSGI layers? I'm not sure I'd want to send this information
> back to the browser.
I think an API could be very simple, and optional for servers that know
they won't be logging auth information.
I agree about not sending this information back to the user: it's
unnecessary and potentially dangerous.
Regards,
Alan Kennedy.
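The server-supplied callable proposed above, as an added example that is not from this thread or from any WSGI server: the environ key `x.example.set_user_label`, the credential table and the request environs are constructed for the demo. The server uses the label only to fill the remote-user field of an access-log line, and nothing about the user is echoed in response headers.

```python
import base64
import hmac
# Hypothetical environ key for the server-provided callable: an assumption of
# this example, not part of PEP 333 or of any real server.
USER_LABEL_KEY = "x.example.set_user_label"
CREDENTIALS = {"alice": "s3cret"}  # constructed demo credentials
def basic_header(user, password):
    """Build an HTTP Basic Authorization header value (demo helper)."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
def make_environ(path, authorization=None):
    env = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "REMOTE_ADDR": "203.0.113.7"}
    if authorization:
        env["HTTP_AUTHORIZATION"] = authorization
    return env
def serve(app, environ):
    """Server side: install the callable, run the app, use the label only in the
    access log. Returns (status, headers, body, log_line) in Common Log Format style."""
    labels = []
    environ[USER_LABEL_KEY] = labels.append  # middleware calls this with a label
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)
        return lambda data: None
    body = b"".join(app(environ, start_response))
    label = labels[-1] if labels else "-"  # "-" when nobody authenticated
    log_line = '%s %s "%s %s" %s' % (environ["REMOTE_ADDR"], label,
        environ["REQUEST_METHOD"], environ["PATH_INFO"], captured["status"].split()[0])
    return captured["status"], captured["headers"], body, log_line
def basic_auth(app):
    """Auth middleware: check Basic credentials, report a label if the server offers the hook."""
    def wrapped(environ, start_response):
        auth, user = environ.get("HTTP_AUTHORIZATION", ""), None
        if auth.startswith("Basic "):
            try:
                name, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
            except ValueError:  # malformed base64 or non-UTF-8 credential bytes
                name = pw = ""
            if name in CREDENTIALS and hmac.compare_digest(pw.encode(), CREDENTIALS[name].encode()):
                user = name
        if user is None:
            start_response("401 Unauthorized", [("WWW-Authenticate", 'Basic realm="demo"')])
            return [b"authentication required"]
        environ["REMOTE_USER"] = user
        hook = environ.get(USER_LABEL_KEY)
        if hook is not None:  # optional feature: servers that do not log may omit it
            hook(user)
        return app(environ, start_response)
    return wrapped
def hello(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello " + environ["REMOTE_USER"]).encode()]
```

The middleware also works unchanged under a server that never installs the hook, which is the "optional feature" case discussed in the thread.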