[Web-SIG] Communicating authenticated user information
Stephan Richter
srichter at cosmos.phy.tufts.edu
Mon Jan 23 02:39:49 CET 2006
On Sunday 22 January 2006 11:34, Phillip J. Eby wrote:
> >Is Zope the only WSGI application that performs authentication
> >itself?
>
> I think Zope is the only WSGI application that cares about communicating
> this information back to the web server's logs. :) Or at least, the only
> one whose author has said so. :)
Well, I originally worked with Itamar and James on the Twisted integration
into Zope 3, when we noticed this problem.
> Perhaps an "X-Authenticated-User: foo" header could be added in a future
> spec version? (And as an optional feature in the current PEP.) This seems
> a simpler way to incorporate the feature than adding an extension API to
> environ.
We considered and even originally implemented suggestions you made, but
considered it a security problem and dismissed it. And a "convention" is not
really a viable solution either, since it defeats the point of a non-specific
API, like WSGI.
We thought about the problem quite a bit and decided that the user is really
the only thing that the log really has to know from the application. So a
simple callback that expects a simple string would be just fine.
Regards,
Stephan
--
Stephan Richter
CBU Physics & Chemistry (B.S.) / Tufts Physics (Ph.D. student)
Web2k - Web Software Design, Development and Training
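
The callback approach described in the message above, sketched as an added example; it is not code from the original post, from Zope or Twisted, or from the WSGI spec. The environ key `example.set_authenticated_user`, the class and function names and the log format are assumptions made for illustration; the logging side validates the string because it is written straight into the access log.

```python
USER_CALLBACK_KEY = "example.set_authenticated_user"  # hypothetical key, not in any WSGI spec

def clean_user(value):
    """Accept only a plain string and make it safe for a single log field."""
    if not isinstance(value, str):
        raise TypeError("authenticated user must be a str")
    # Control characters, spaces and quotes could forge extra fields or log lines.
    cleaned = "".join(c if c.isprintable() and c not in ' "\\' else "_" for c in value)
    return cleaned[:64] or "-"

class AccessLogMiddleware:
    """Server-side layer: hands the app a callback, writes one log line per request."""
    def __init__(self, app, log):
        self.app, self.log = app, log  # log: a list standing in for the access log

    def __call__(self, environ, start_response):
        state = {"user": "-", "status": "-"}

        def set_user(name):
            state["user"] = clean_user(name)

        def logging_start_response(status, headers, exc_info=None):
            state["status"] = status.split(" ", 1)[0]
            return start_response(status, headers, exc_info)

        environ[USER_CALLBACK_KEY] = set_user
        result = self.app(environ, logging_start_response)
        try:
            body = list(result)  # consume first so the user is known when logging
        finally:
            if hasattr(result, "close"):
                result.close()
            self.log.append('%s %s "%s %s" %s' % (
                environ.get("REMOTE_ADDR", "-"), state["user"],
                environ["REQUEST_METHOD"], environ["PATH_INFO"], state["status"]))
        return body

def demo_app(environ, start_response):
    # Constructed stand-in for an application that authenticates by itself.
    report = environ.get(USER_CALLBACK_KEY)
    if report is not None:  # the callback is optional; a server may not offer it
        report(environ["demo.user"])
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]

def run_demo(user):
    log = []
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "REMOTE_ADDR": "192.0.2.10",
               "demo.user": user}  # constructed request
    AccessLogMiddleware(demo_app, log)(environ, lambda s, h, e=None: None)
    return log[0]
```

Because the user name travels through a server-side callable and never through a response header, nothing has to be stripped before the response is sent to the client.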