<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Application-Wide Authenticators</title>
<meta name="generator" content="amaya 8.1a, see http://www.w3.org/Amaya/" />
<link href="styles.css" rel="stylesheet" type="text/css" />
</head>

<body>
<h1>Application-Wide Authenticators</h1>

<p>Authenticators are special classes which, in conjunction with
mechanisms in the server environment, judge whether a user of an application
is recognised or not. The process of using authenticators is as follows:</p>
<ol>
<li>Set up authentication in the server environment or framework in which
the application is to be deployed.</li>
<li>Introduce an authenticator class in the application.</li>
</ol>

<h2>Setting Up Authentication</h2>

<p>The exact details of configuring authentication mechanisms in each server
environment may vary substantially.
For example, Apache environments require
that <code>Auth</code> directives be specified in the Apache configuration
files (see <code>docs/ModPython/NOTES.txt</code>); in Zope environments,
protected folders can be defined to hold the application when deployed (see
<code>docs/Zope/NOTES.txt</code>).</p>

<h2>Defining an Authenticator</h2>

<p>An authenticator must be defined within your application in order to make
decisions about users who have presented their credentials. The authenticator
does not verify those credentials itself: it is prompted by the server or
underlying framework with the identity that has been established there, and it
responds with a decision, either allowing or denying access for that user.</p>

<p>The code for an authenticator usually looks like this (the user list is
illustrative; a real application would consult its own user store):</p>
<pre>class MyAuthenticator:

    "This is an authenticator - something which decides whether a user is known to the application."

    # Users the application recognises (illustrative only).
    known_users = ("alice", "bob")

    def authenticate(self, trans):
        user = trans.get_user()
        # The server/framework may present no user at all (anonymous access).
        # Return a false value to deny access, a true value to allow it.
        if not user:
            return False
        return user in self.known_users

    def get_auth_type(self):
        "This method returns 'Basic' in most deployments."
        return "Basic"

    def get_realm(self):
        "This method returns something to distinguish this authentication mechanism from others."
        return "MyRealm"</pre>

<p>In this mechanism, authenticators rely on authentication information from
the server/framework and have a "global" effect on access to the application.
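</p>

<p>As an added example (not part of this page, and not WebStack's own code),
the following Python puts such an authenticator to work: it denies anonymous
requests, accepts only listed users, and then uses the transaction's
<code>set_user</code> to redefine an accepted user's identity as a role, the
use suggested in the "User Identity" notes on this page. The
<code>FakeTransaction</code> class is a constructed stand-in that implements
only the <code>get_user</code>/<code>set_user</code> methods this page
documents; the user-to-role table, the <code>RoleAuthenticator</code> name and
the <code>challenge_header</code> helper are illustrative assumptions, and the
header value is shown only to illustrate what the server/framework, not the
authenticator, would send.</p>

```python
"""Added example: an application-wide authenticator exercised against a
stand-in transaction. Not WebStack's own code; FakeTransaction is a
constructed stub implementing only get_user/set_user so the example runs
offline.
"""


class FakeTransaction:
    "Constructed stand-in for a WebStack transaction carrying a user identity."

    def __init__(self, user):
        # The server/framework sets this from credentials it has already
        # verified (e.g. Apache Auth directives for HTTP Basic); it is None
        # when no credentials were presented.
        self._user = user

    def get_user(self):
        return self._user

    def set_user(self, user):
        self._user = user


class RoleAuthenticator:

    "Accepts known users only, then redefines their identity as a role."

    # Illustrative user -> role table (an assumption of this example);
    # anyone not listed is denied.
    roles = {"alice": "admin", "bob": "reader"}

    def authenticate(self, trans):
        user = trans.get_user()
        # Anonymous requests reach the authenticator with no user name;
        # treat them as unrecognised rather than letting None slip through.
        if not user:
            return False
        role = self.roles.get(user)
        if role is None:
            return False
        # Only after the decision is made is the identity rewritten, so
        # later get_user calls in the application see the role instead.
        trans.set_user(role)
        return True

    def get_auth_type(self):
        return "Basic"

    def get_realm(self):
        return "MyRealm"


def challenge_header(authenticator):
    """The WWW-Authenticate value a server would send on a 401 when access is
    denied, built from get_auth_type and get_realm in the RFC 7617 format.
    Illustrative helper: the header is emitted by the server/framework."""
    return '%s realm="%s"' % (authenticator.get_auth_type(),
                              authenticator.get_realm())


def decide(user):
    """Run the authenticator for a presented user name and report both the
    decision and the identity the rest of the application would see."""
    trans = FakeTransaction(user)
    allowed = RoleAuthenticator().authenticate(trans)
    return allowed, trans.get_user()


if __name__ == "__main__":
    for name in ("alice", "bob", "mallory", None):
        print(name, decide(name))
    print(challenge_header(RoleAuthenticator()))
```

<p>Two things worth keeping from this: the <code>None</code> check is what
stops an anonymous request from being accepted by accident, and because
<code>set_user</code> changes what every later <code>get_user</code> call
returns for the rest of the transaction, anything that needs the original
username (an audit log, say) must read it before the identity is
redefined.</p>

<p>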
However, it is always possible to test the user identity later on and to
change the way an application behaves accordingly.</p>

<div class="WebStack">
<h3>WebStack API - User Identity</h3>

<p>Transaction objects have the following methods for inspecting and
redefining the identity of users:</p>
<dl>
<dt><code>get_user</code></dt>
<dd>This gets the name of the user attempting to access the
application.</dd>
<dt><code>set_user</code></dt>
<dd>This sets the name of the user, thus affecting subsequent calls to
<code>get_user</code>, allowing certain parts of an application to view
users according to other criteria than their basic username - for
example, one might use <code>set_user</code> to redefine each user's
identity in terms of the role that user may have in an application. Since
the new name is what every later <code>get_user</code> call returns, any
code that needs the original username (for logging or auditing, say) should
read it before the identity is redefined.</dd>
</dl>
</div>

<h2>Introducing an Authenticator</h2>

<p>Authenticator objects are created in the adapter code - see <a
href="writing-adapters.html">"Writing Adapters"</a> for more information.</p>

<h2>Anonymous Access</h2>

<p>With application-wide authenticators, anonymous access to resources and
applications can be difficult to permit alongside access by specific users,
mostly because servers and frameworks which employ HTTP authentication
schemes do so globally for a given application: when the server demands
credentials for the whole application, a request without them is challenged
before the authenticator is consulted, so the authenticator alone cannot
carve out resources that anonymous users may reach.</p>

<h2>Logout Functions</h2>

<p>With application-wide authenticators, a logout function may not be
available if the server/framework has been configured to use HTTP
authentication schemes, mainly because no logout mechanism generally exists
for such schemes: the browser caches Basic or Digest credentials and resends
them with every request to the realm, and HTTP provides no way for the
server to tell the browser to forget them.</p>
</body>
</html>