[Web-SIG] Communicating authenticated user information

Phillip J. Eby pje at telecommunity.com
Mon Jan 23 20:25:35 CET 2006

At 12:42 PM 1/23/2006 -0500, Clark C. Evans wrote:
>In short, I can't think of any generic use-cases for this second
>scenerio (where authentication happens *after* a complete re-write
>of the environ) that would work with a generic request logging;
>and I don't see how a header would help.
>Perhaps I'm missing something?

You simply can't use environ values to communicate *up* the WSGI stack, 
since at no level is it guaranteed you have the "same" 
dictionary.  Response headers and callables (or mutables) in the environ 
are the only way to send stuff upstream.  You also have to be careful that 
any upstream communication doesn't bypass something that middleware should 
be allowed to control.

In the case of authentication, it should be sufficient to have a callable 
or mutable in the environ that can be called or set more than once per 
request, i.e. it only takes effect once the request is completed.  This 
allows outer middleware to override what inner middleware or the 
application set it to.

More information about the Web-SIG mailing list