WebStack

docs/authenticators.html

732:7f1f02b485f8
2007-11-12 paulb [project @ 2007-11-12 00:50:03 by paulb] Introduced base classes for common authentication activities. Made cookie usage "safe" for usernames containing ":" characters. Added support for OpenID signatures.
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <title>Application-Wide Authenticators</title>
  <link href="styles.css" rel="stylesheet" type="text/css" />
</head>
<body>
<h1>Application-Wide Authenticators</h1>
<p>Authenticators are special classes which can, in conjunction with
mechanisms in the server environment, judge whether a user of an application
is recognised or not. The process of using authenticators is as follows:</p>
<ol>
  <li>Set up authentication in the server environment or framework in
which the application is to be deployed.</li>
  <li>Introduce an authenticator class in the application.</li>
</ol>
<h2>Setting Up Authentication</h2>
<p>The exact details of configuring authentication mechanisms in each server
environment may vary substantially.
For example, Apache environments require
that <code>Auth</code> directives be specified in the Apache configuration
files (see <code>docs/ModPython/NOTES.txt</code>); in Zope environments,
protected folders can be defined to hold the application when deployed
(see <code>docs/Zope/NOTES.txt</code>).</p>
<h2>Defining an Authenticator</h2>
<p>An authenticator must be defined within your application in order to make
decisions about users who have presented their credentials; this
authenticator will respond with a decision when prompted by the server or
underlying framework, either allowing or denying access for the user whose
identity has been presented to the server/framework.</p>
<p>The code for an authenticator usually looks like this:</p>
<pre>class MyAuthenticator:

    "This is an authenticator - something which decides whether a user is known to the application."

    def authenticate(self, trans):
        user = trans.get_user()
        # Make a decision about the validity of the user.
        # Return a true value if the user is allowed to access the application.
        # Return a false value if the user is not recognised or allowed to access the application.

    def get_auth_type(self):
        "This method returns 'Basic' in most deployments."
        return "Basic"

    def get_realm(self):
        "This method returns something to distinguish this authentication mechanism from others."
        return "MyRealm"</pre>
<p>In this mechanism, authenticators rely on authentication information from
the server environment and have a "global" effect on access to the application.
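</p>
<p>A concrete authenticator following the skeleton above, added here as an example rather than taken from the WebStack documentation or source: it allows only an explicit set of user names and denies anonymous requests. <code>trans.get_user()</code> is the transaction call shown on this page; the <code>FakeTransaction</code> stand-in and the allow-list are constructed for the example.</p>

```python
# Added example, not WebStack's own code: an application-wide authenticator
# following the MyAuthenticator skeleton. The server environment (e.g. Apache
# Auth directives) has already verified the credentials; this class only
# decides whether the presented identity may use the application.
# FakeTransaction is a constructed stand-in exposing just get_user().

class FakeTransaction:
    "Stand-in for a WebStack transaction: carries the server-supplied user name."

    def __init__(self, user):
        self._user = user

    def get_user(self):
        # The real transaction gets this from the server/framework; here it is
        # whatever the constructor was given (None means no identity).
        return self._user

class AllowListAuthenticator:
    "Recognises only the user names it was given; everyone else is denied."

    def __init__(self, allowed_users, realm="MyRealm"):
        # Snapshot the allow-list so later changes to the caller's sequence
        # cannot silently widen access.
        self._allowed = frozenset(allowed_users)
        self._realm = realm

    def authenticate(self, trans):
        user = trans.get_user()
        # No identity from the server environment means an anonymous request;
        # an application-wide authenticator denies those by default.
        if not user:
            return False
        # Exact, case-sensitive comparison: "Alice" and "alice" are distinct
        # principals rather than being normalised together.
        return user in self._allowed

    def get_auth_type(self):
        "HTTP Basic is what most deployments of this mechanism use."
        return "Basic"

    def get_realm(self):
        "Distinguishes this authentication mechanism from others on the server."
        return self._realm

if __name__ == "__main__":
    auth = AllowListAuthenticator(["alice", "bob"])
    for name in ("alice", "Alice", "mallory", None):
        print(repr(name), "->", auth.authenticate(FakeTransaction(name)))
```

<p>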
However, it is always possible to test the user identity later on and to
change the way an application behaves accordingly - see <a
 href="users.html">"Users and Authentication"</a> for more information.</p>
<h2>Introducing an Authenticator</h2>
<p>Authenticator objects are created in the adapter code - see <a
 href="writing-adapters.html">"Writing Adapters"</a> for more information.</p>
<h2>Anonymous Access</h2>
<p>With application-wide authenticators, anonymous access to resources and
applications can be difficult to permit alongside access by specific users,
mostly because servers and frameworks which employ HTTP authentication
schemes do so globally for a given application.</p>
<h2>Logout Functions</h2>
<p>With application-wide authenticators, a logout function may not be
available if the server/framework has been configured to use HTTP
authentication schemes, mainly because no logout mechanism generally exists
for such schemes.</p>
</body>
</html>