[Twisted-web] HTTP-AUTH for web2 / Kudos on web2's operation
James Y Knight
foom at fuhm.net
Fri Nov 18 00:12:42 MST 2005
On Nov 17, 2005, at 8:17 AM, glyph at divmod.com wrote:
> Concretely: come to think of it I've never heard of a legitimate
> requirement other than "currently logged in user", which ought to
> be handled by another system anyway. As per CCE's previous emails,
> the system for initializing those and setting them up needs to be
> pretty flexible in terms of how and when login forms get displayed,
> but the use of cred is non-negotiable. We need a unifying cross-
> protocol abstraction.
Just some random thoughts on authentication. Userid information can
come into the app in a wide variety of ways: REMOTE_USER var from
*CGI, username from a verified SSL client certificate, HTTP
authentication headers, session data from a previously filled out
HTML login form, or something else completely. And no matter how I
figure out who the user is, it has to be passed through to the rest
of the site, including passing it on externally via *CGI outgoing
REQUEST_USER. This I can see being done via the same mechanism used
to include any other per-request data.
I find that operation to be conceptually separate from the operation
of "given an authenticated userid, give me his toplevel Resource".
Also completely separate is "gimme a new session". That current guard
merges all three together into one operation is where I've always had
trouble with it. Sometimes the three intersect, sometimes they don't,
it depends upon the application.
More information about the Twisted-web