[Web-SIG] Communicating authenticated user information

Jim Fulton jim at zope.com
Sun Jan 22 22:31:01 CET 2006

Ian Bicking wrote:
> Jim Fulton wrote:
>> Typically, web servers provide access logs that include a label
>> for the authenticated user.
>> Often, WSGI applications (or middleware) provide their own user
>> authentication facilities.  Well, Zope does. :)
>> There doesn't seem to be a standard way for WSGI applications or
>> middleware to communicate the information necessary for a server
>> to log the authenticated user back to the server.
>> Am I missing something?  How do other people handle this?
>> Is Zope the only WSGI application that performs authentication
>> itself?
> I do the authentication in my apps,


 > but I am sloppy and do not record it
> ;)  Well, that's not completely true.  In the rough access logger in 
> Paste (http://pythonpaste.org/paste/translogger.py.html?f=8&l=80#8) I 
> include environ['REMOTE_USER'] if it is present.   So if the WSGI environ
> that the middleware sees initially is the same environ that the 
> authenticator writes too, then the middleware will see that change on 
> the way out and include it.  Using a header would solve the problem 
> where the environment is completely changed (unlikely), or copied before 
> REMOTE_USER is assigned (fairly likely).
> I can imagine a convention of X-WSGI-Authenticated, where X-WSGI-* gets 
> stripped by the server,

Works for me.

 > and any middleware that is interested can watch
> for these headers.  Another option is a callback, but potentially 
> multiple middleware's will be interested (multiple logs isn't hard to 
> imagine), and that complicates the callback.

I think just scribbling a value into the env or headers is fine.


Jim Fulton           mailto:jim at zope.com       Python Powered!
CTO                  (540) 361-1714            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org

More information about the Web-SIG mailing list