[Web-SIG] Communicating authenticated user information

Stephan Richter srichter at cosmos.phy.tufts.edu
Mon Jan 23 02:39:49 CET 2006

On Sunday 22 January 2006 11:34, Phillip J. Eby wrote:
> >Is Zope the only WSGI application that performs authentication
> >itself?
> I think Zope is the only WSGI application that cares about communicating
> this information back to the web server's logs.  :)  Or at least, the only
> one whose author has said so.  :)

Well, I originally worked with Itamar and James on the Twisted integration 
into Zope 3, when we noticed this problem.

> Perhaps an "X-Authenticated-User: foo" header could be added in a future
> spec version?  (And as an optional feature in the current PEP.)  This seems
> a simpler way to incorporate the feature than adding an extension API to
> environ.

 We considered and even implemented originally suggestions you made, but 
considered it a security problem and dismissed it. And a "convention" is not 
really a viable solution either, since it defeats the point of a non-specific 
API, like WSGI.

We thought about the problem quiet a bit and decided that the user is really 
the only thing that the log really has to know from the application. So a 
simple callback that expects a simple string would be just fine.

Stephan Richter
CBU Physics & Chemistry (B.S.) / Tufts Physics (Ph.D. student)
Web2k - Web Software Design, Development and Training

More information about the Web-SIG mailing list