[Web-SIG] Communicating authenticated user information
Ian Bicking
ianb at colorstudy.com
Sun Jan 22 22:24:52 CET 2006
Jim Fulton wrote:
> Typically, web servers provide access logs that include a label
> for the authenticated user.
>
> Often, WSGI applications (or middleware) provide their own user
> authentication facilities. Well, Zope does. :)
>
> There doesn't seem to be a standard way for WSGI applications or
> middleware to communicate the information necessary for a server
> to log the authenticated user back to the server.
>
> Am I missing something? How do other people handle this?
>
> Is Zope the only WSGI application that performs authentication
> itself?
I do the authentication in my apps, but I am sloppy and do not record it
;) Well, that's not completely true. In the rough access logger in
Paste (http://pythonpaste.org/paste/translogger.py.html?f=8&l=80#8) I
include environ['REMOTE_USER'] if it is present. So if the WSGI environ
that the middleware sees initially is the same environ that the
authenticator writes to, then the middleware will see that change on
the way out and include it. Using a header would solve the problem
where the environment is completely changed (unlikely), or copied before
REMOTE_USER is assigned (fairly likely).
I can imagine a convention of X-WSGI-Authenticated, where X-WSGI-* gets
stripped by the server, and any middleware that is interested can watch
for these headers. Another option is a callback, but potentially
multiple middlewares will be interested (multiple logs isn't hard to
imagine), and that complicates the callback.
--
Ian Bicking | ianb at colorstudy.com | http://blog.ianbicking.org
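The two mechanisms discussed in the message above, as an added example that is not code from the original post, from Paste, or from Zope: a small WSGI access-logging middleware that reads environ['REMOTE_USER'] after the wrapped application returns, and also honours an X-WSGI-Authenticated response header (the header name is taken from the message; the stripping behaviour, the AuthLogger class and the three sample applications are constructed for this demo). The second sample application copies the environ before authenticating, which is exactly the case where the environ-based approach fails and the header still works.

```python
"""WSGI middleware that logs the authenticated user (constructed example).

Two conventions are demonstrated:
  1. Reading environ['REMOTE_USER'] once the wrapped app has returned. This
     only works when the app mutated the very dict the middleware passed in.
  2. An X-WSGI-Authenticated response header, which survives an environ copy.
     The middleware removes it so the client never sees the internal header.
"""

from wsgiref.util import setup_testing_defaults


class AuthLogger:
    """Wrap a WSGI app and append (path, user) to self.records per request."""

    AUTH_HEADER = "x-wsgi-authenticated"  # compared case-insensitively

    def __init__(self, app):
        self.app = app
        self.records = []

    def __call__(self, environ, start_response):
        user_from_header = []

        def logging_start_response(status, headers, exc_info=None):
            # Capture and strip the internal header; pass the rest through.
            kept = []
            for name, value in headers:
                if name.lower() == self.AUTH_HEADER:
                    user_from_header.append(value)
                else:
                    kept.append((name, value))
            return start_response(status, kept, exc_info)

        # Buffer the body so start_response has certainly run (a generator
        # app may call it lazily). Fine for a demo; a production logger
        # would wrap the iterable instead of buffering it.
        chunks = list(self.app(environ, logging_start_response))

        # REMOTE_USER is read only now: authentication happens inside the app.
        if user_from_header:
            user = user_from_header[0]
        else:
            user = environ.get("REMOTE_USER", "-")
        self.records.append((environ.get("PATH_INFO", ""), user))
        return chunks


def app_same_environ(environ, start_response):
    """Writes REMOTE_USER into the environ it was handed (logger sees it)."""
    environ["REMOTE_USER"] = "alice"  # constructed sample user
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello alice"]


def app_copied_environ(environ, start_response):
    """Copies environ before authenticating, so the caller's dict never
    learns the user and the logger records '-'."""
    local = dict(environ)
    local["REMOTE_USER"] = "bob"  # constructed sample user
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello bob"]


def app_header(environ, start_response):
    """Copies environ too, but announces the user via the response header."""
    local = dict(environ)
    local["REMOTE_USER"] = "carol"  # constructed sample user
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("X-WSGI-Authenticated", local["REMOTE_USER"])])
    return [b"hello carol"]


def run(app, path):
    """Drive `app` through AuthLogger with a constructed request and return
    (logged_user, headers_as_seen_by_the_client)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    seen = {}

    def client_start_response(status, headers, exc_info=None):
        seen["headers"] = headers
        return lambda data: None

    logger = AuthLogger(app)
    b"".join(logger(environ, client_start_response))
    return logger.records[0][1], seen["headers"]


if __name__ == "__main__":
    for app in (app_same_environ, app_copied_environ, app_header):
        user, headers = run(app, "/" + app.__name__)
        print(f"{app.__name__}: logged user={user!r}, client headers={headers}")
```

Running the block logs "alice" for the first app, "-" for the second (the environ copy hides the user, the failure mode the message calls "fairly likely"), and "carol" for the third, whose X-WSGI-Authenticated header never reaches the client.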