[Web-SIG] Communicating authenticated user information
Phillip J. Eby
pje at telecommunity.com
Mon Jan 23 20:25:35 CET 2006
At 12:42 PM 1/23/2006 -0500, Clark C. Evans wrote:
>In short, I can't think of any generic use-cases for this second
>scenario (where authentication happens *after* a complete re-write
>of the environ) that would work with a generic request logging;
>and I don't see how a header would help.
>Perhaps I'm missing something?

You simply can't use environ values to communicate *up* the WSGI stack,
since at no level is it guaranteed you have the "same"
dictionary. Response headers and callables (or mutables) in the environ
are the only way to send stuff upstream. You also have to be careful that
any upstream communication doesn't bypass something that middleware should
be allowed to control.

In the case of authentication, it should be sufficient to have a callable
or mutable in the environ that can be called or set more than once per
request, i.e. it only takes effect once the request is completed. This
allows outer middleware to override what inner middleware or the
application set it to.
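
The pattern described in the message above, as an added example that is not part of the original post: a rewriting layer hands a new environ dict downstream, so a plain key set by the application never reaches the logger, while a mutable object placed in the environ does and can still be overridden by an outer layer. The key `example.auth_user`, the class and function names, and the user "alice" are all hypothetical.

```python
from wsgiref.util import setup_testing_defaults

USER_KEY = "example.auth_user"  # hypothetical environ key, not a WSGI standard

class UserSlot:
    """Mutable holder; may be set repeatedly, only the final value is used."""
    user = None

class LoggingMiddleware:
    """Outermost layer: creates the slot, reads it once the request is done."""
    def __init__(self, app, log):
        self.app, self.log = app, log
    def __call__(self, environ, start_response):
        slot = environ[USER_KEY] = UserSlot()
        # Body buffered for brevity; a real layer must also call close().
        body = list(self.app(environ, start_response))
        self.log.append((environ["PATH_INFO"], slot.user, environ.get("REMOTE_USER")))
        return body

class RedactMiddleware:
    """Outer layer overriding whatever inner layers stored in the slot."""
    def __init__(self, app):
        self.app = app
    def __call__(self, environ, start_response):
        body = list(self.app(environ, start_response))
        if environ["PATH_INFO"].startswith("/private"):
            environ[USER_KEY].user = "<redacted>"
        return body

def rewriting(app):
    """Hands a *new* dict downstream, as a rewriting layer may."""
    return lambda environ, start_response: app(dict(environ), start_response)

def auth_app(environ, start_response):
    # "alice" is a constructed sample identity.
    environ["REMOTE_USER"] = "alice"   # plain key: written to the copy, lost upstream
    environ[USER_KEY].user = "alice"   # shared object: visible upstream
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]

def run(path, redact=False):
    """Return the single (path, slot user, REMOTE_USER) entry the logger saw."""
    log, inner = [], rewriting(auth_app)
    app = LoggingMiddleware(RedactMiddleware(inner) if redact else inner, log)
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)
    app(environ, lambda status, headers, exc_info=None: None)
    return log[0]
```

The third element of each log entry is always `None`: the logger's own dictionary never receives `REMOTE_USER`, which is why the slot is read only after the inner layers have finished.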