[Web-SIG] Communicating authenticated user information

Jim Fulton jim at zope.com
Sun Jan 22 18:13:50 CET 2006

Phillip J. Eby wrote:
> At 11:22 AM 1/22/2006 -0500, Jim Fulton wrote:
>> Typically, web servers provide access logs that include a label
>> for the authenticated user.
>> Often, WSGI applications (or middleware) provide their own user
>> authentication facilities.  Well, Zope does. :)
>> There doesn't seem to be a standard way for WSGI applications or
>> middleware to communicate the information necessary for a server
>> to log the authenticated user back to the server.
>> Am I missing something?  How do other people handle this?
>> Is Zope the only WSGI application that performs authentication
>> itself?
> I think Zope is the only WSGI application that cares about communicating 
> this information back to the web server's logs.  :)

I hope that's not true.  Certainly, if anyone else is doing authentication
in their applications or middleware, they *should* care about getting
information into the access logs.

 > Or at least, the
> only one whose author has said so.  :)

Please, someone else speak up. :)

> Perhaps an "X-Authenticated-User: foo" header could be added in a future 
> spec version?  (And as an optional feature in the current PEP.) 

Perhaps. Note that it should be clear that this is soley for use
in the access log.  There should be no assumption that this is
a principal id or a login name.  It is really just a label for the
log.  To make this clearer, I'd use something like:
"X-Access-User-Label: foo".

 > This
> seems a simpler way to incorporate the feature than adding an extension 
> API to environ.

Why is that?  Isn't the env meant for communication between the WSGI
layers?  I'm not sure I'd want to send this information back to the browser.


Jim Fulton           mailto:jim at zope.com       Python Powered!
CTO                  (540) 361-1714            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org

More information about the Web-SIG mailing list