[Web-SIG] Communicating authenticated user information
Jim Fulton
jim at zope.com
Sun Jan 22 22:31:01 CET 2006
Ian Bicking wrote:
> Jim Fulton wrote:
>
>> Typically, web servers provide access logs that include a label
>> for the authenticated user.
>>
>> Often, WSGI applications (or middleware) provide their own user
>> authentication facilities. Well, Zope does. :)
>>
>> There doesn't seem to be a standard way for WSGI applications or
>> middleware to communicate the information necessary for a server
>> to log the authenticated user back to the server.
>>
>> Am I missing something? How do other people handle this?
>>
>> Is Zope the only WSGI application that performs authentication
>> itself?
>
>
> I do the authentication in my apps,
Cool.
> but I am sloppy and do not record it
> ;) Well, that's not completely true. In the rough access logger in
> Paste (http://pythonpaste.org/paste/translogger.py.html?f=8&l=80#8) I
> include environ['REMOTE_USER'] if it is present. So if the WSGI environ
> that the middleware sees initially is the same environ that the
> authenticator writes to, then the middleware will see that change on
> the way out and include it. Using a header would solve the problem
> where the environment is completely changed (unlikely), or copied before
> REMOTE_USER is assigned (fairly likely).
>
> I can imagine a convention of X-WSGI-Authenticated, where X-WSGI-* gets
> stripped by the server,
Works for me.
> and any middleware that is interested can watch
> for these headers. Another option is a callback, but potentially
> multiple middlewares will be interested (multiple logs isn't hard to
> imagine), and that complicates the callback.
I think just scribbling a value into the env or headers is fine.
Jim
--
Jim Fulton mailto:jim at zope.com Python Powered!
CTO (540) 361-1714 http://www.python.org
Zope Corporation http://www.zope.com http://www.zope.org
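The two routes Ian describes (watching environ['REMOTE_USER'] on the way out, and watching an X-WSGI-Authenticated response header) can be combined in one access-logging middleware. The code below is an added illustration written for this page, not Paste's translogger and not Zope code. It assumes the header-naming convention proposed in the thread, strips X-WSGI-* headers itself (the thread proposes that the server does this; here there is no server), and includes a tiny stand-in for a WSGI server so it runs offline. The sample applications and the client address are constructed. One caveat the thread does not mention: the user label comes from the application and ends up in a log, so strip CR/LF and other control characters before writing it, or a hostile user name can forge additional log lines.

```python
import re

# Header name proposed in the thread; hypothetical convention, not a standard.
AUTH_HEADER = "x-wsgi-authenticated"


def _clean(value):
    """Drop control characters (above all CR/LF) so a user-controlled
    label cannot inject extra lines into the access log."""
    return re.sub(r"[\x00-\x1f\x7f]", "", value) or "-"


class AuthLoggingMiddleware:
    """Writes one line per request: REMOTE_ADDR user "METHOD PATH" status.

    The user is taken from an X-WSGI-Authenticated response header if the
    application set one, else from environ['REMOTE_USER'] if the application
    wrote into the same environ dict this middleware passed down."""

    def __init__(self, app, log):
        self.app = app
        self.log = log  # callable receiving a formatted line

    def __call__(self, environ, start_response):
        captured = {"status": "-", "user": None}

        def _start_response(status, headers, exc_info=None):
            forwarded = []
            for name, value in headers:
                lname = name.lower()
                if lname.startswith("x-wsgi-"):
                    if lname == AUTH_HEADER:
                        captured["user"] = value
                    continue  # never let X-WSGI-* reach the client
                forwarded.append((name, value))
            captured["status"] = status.split(" ", 1)[0]
            return start_response(status, forwarded, exc_info)

        result = self.app(environ, _start_response)

        def finish():
            # Header wins; the environ route only works if the app did not
            # copy the environ before assigning REMOTE_USER.
            user = captured["user"] or environ.get("REMOTE_USER") or "-"
            self.log('%s %s "%s %s" %s' % (
                environ.get("REMOTE_ADDR", "-"),
                _clean(user),
                environ.get("REQUEST_METHOD", "-"),
                _clean(environ.get("PATH_INFO", "/")),
                captured["status"],
            ))

        return _ClosingIter(result, finish)


class _ClosingIter:
    """Delays the log line until the server calls close(), i.e. after the
    whole response (and any lazily called start_response) has been sent."""

    def __init__(self, result, finish):
        self.result, self.finish = result, finish

    def __iter__(self):
        return iter(self.result)

    def close(self):
        try:
            if hasattr(self.result, "close"):
                self.result.close()
        finally:
            self.finish()


# --- constructed sample applications -------------------------------------

def app_sets_environ(environ, start_response):
    """Authenticates by writing REMOTE_USER into the environ it was handed."""
    environ["REMOTE_USER"] = "alice"
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello alice"]


def app_copies_environ(environ, start_response):
    """Authenticates into a copy of the environ (the 'fairly likely' case),
    but also announces the user via the header, so the log still sees it."""
    environ = dict(environ)
    environ["REMOTE_USER"] = "bob"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("X-WSGI-Authenticated", environ["REMOTE_USER"])])
    return [b"hello bob"]


def app_copies_environ_no_header(environ, start_response):
    """Copies the environ and sets no header: the user is lost to the log."""
    environ = dict(environ)
    environ["REMOTE_USER"] = "carol"
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello carol"]


def run_request(app, environ):
    """Minimal stand-in for a WSGI server; returns (status, headers, body)."""
    state = {}

    def start_response(status, headers, exc_info=None):
        state["status"], state["headers"] = status, headers
        return lambda data: None

    result = app(environ, start_response)
    try:
        body = b"".join(result)
    finally:
        if hasattr(result, "close"):
            result.close()
    return state["status"], state["headers"], body


if __name__ == "__main__":
    base = {"REMOTE_ADDR": "203.0.113.7",  # constructed client address
            "REQUEST_METHOD": "GET", "PATH_INFO": "/private"}
    for app in (app_sets_environ, app_copies_environ, app_copies_environ_no_header):
        run_request(AuthLoggingMiddleware(app, print), dict(base))
```

Run stand-alone it prints three log lines: the first two carry alice and bob, the third carries "-" because the application copied the environ and set no header, which is exactly the case the header convention is meant to cover.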