[Web-SIG] Communicating authenticated user information
Jim Fulton
jim at zope.com
Sun Jan 22 18:13:50 CET 2006
Phillip J. Eby wrote:
> At 11:22 AM 1/22/2006 -0500, Jim Fulton wrote:
>
>> Typically, web servers provide access logs that include a label
>> for the authenticated user.
>>
>> Often, WSGI applications (or middleware) provide their own user
>> authentication facilities. Well, Zope does. :)
>>
>> There doesn't seem to be a standard way for WSGI applications or
>> middleware to communicate the information necessary for a server
>> to log the authenticated user back to the server.
>>
>> Am I missing something? How do other people handle this?
>>
>> Is Zope the only WSGI application that performs authentication
>> itself?
>
>
> I think Zope is the only WSGI application that cares about communicating
> this information back to the web server's logs. :)
I hope that's not true. Certainly, if anyone else is doing authentication
in their applications or middleware, they *should* care about getting
information into the access logs.
> Or at least, the
> only one whose author has said so. :)
Please, someone else speak up. :)
> Perhaps an "X-Authenticated-User: foo" header could be added in a future
> spec version? (And as an optional feature in the current PEP.)
Perhaps. Note that it should be clear that this is solely for use
in the access log. There should be no assumption that this is
a principal id or a login name. It is really just a label for the
log. To make this clearer, I'd use something like:
"X-Access-User-Label: foo".
> This
> seems a simpler way to incorporate the feature than adding an extension
> API to environ.
Why is that? Isn't the env meant for communication between the WSGI
layers? I'm not sure I'd want to send this information back to the browser.
Jim
--
Jim Fulton mailto:jim at zope.com Python Powered!
CTO (540) 361-1714 http://www.python.org
Zope Corporation http://www.zope.com http://www.zope.org
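As an added example (not code from this thread, Zope, or the WSGI spec), here is the arrangement discussed above in Python 3 WSGI: the application does its own authentication and publishes a log-only label, and a server-side wrapper turns it into an access-log line. The environ key `x-demo.access_user_label`, the credential table and the `X-Access-User-Label` header name are assumptions for the demo; the wrapper strips that header before the response reaches the browser, and treats the label as an untrusted log field.

```python
import base64
USERS = {"alice": "wonderland"}          # constructed demo credentials
LABEL_KEY = "x-demo.access_user_label"   # hypothetical environ extension key

def basic_header(user, password):
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()

def app(environ, start_response):
    """Application doing its own authentication (as Zope does). It publishes
    a log label both ways discussed: an environ key and a response header."""
    label = "-"
    auth = environ.get("HTTP_AUTHORIZATION", "")
    if auth.startswith("Basic "):
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        except ValueError:  # bad base64 or bad UTF-8 in the credential
            user = pw = ""
        if user and USERS.get(user) == pw:
            label = user
    environ[LABEL_KEY] = label
    if label == "-":
        start_response("401 Unauthorized", [("WWW-Authenticate", 'Basic realm="demo"')])
        return [b"authentication required"]
    start_response("200 OK", [("Content-Type", "text/plain"), ("X-Access-User-Label", label)])
    return [b"hello " + label.encode()]

def log_label(raw):
    # Only a log field: printable, no whitespace, bounded length, so a crafted
    # user name cannot forge extra log lines or columns.
    return "".join(c for c in raw if c.isprintable() and not c.isspace())[:64] or "-"

def access_logged(application, log):
    """Server-side wrapper: emits one access-log line per request from the
    published label and strips the header so it never reaches the browser."""
    def wrapper(environ, start_response):
        seen = {}
        def capture(status, headers, exc_info=None):
            seen["status"] = status
            seen["label"] = next((v for n, v in headers if n.lower() == "x-access-user-label"), None)
            return start_response(status, [h for h in headers if h[0].lower() != "x-access-user-label"], exc_info)
        body = application(environ, capture)
        label = log_label(environ.get(LABEL_KEY) or seen.get("label") or "-")
        log.append('%s %s "%s %s" %s' % (environ.get("REMOTE_ADDR", "-"), label,
                   environ["REQUEST_METHOD"], environ.get("PATH_INFO", "/"), seen["status"].split()[0]))
        return body
    return wrapper

def run(environ):
    """Drive one request offline; returns (status, headers dict, body, access-log lines)."""
    log, sent = [], {}
    def start_response(status, headers, exc_info=None):
        sent["status"], sent["headers"] = status, headers
    body = b"".join(access_logged(app, log)(environ, start_response))
    return sent["status"], dict(sent["headers"]), body, log
```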