[Web-SIG] Communicating authenticated user information
Clark C. Evans
cce at clarkevans.com
Mon Jan 23 20:52:51 CET 2006
On Mon, Jan 23, 2006 at 02:25:35PM -0500, Phillip J. Eby wrote:
| You simply can't use environ values to communicate *up* the WSGI stack,
| since at no level is it guaranteed you have the "same"
The same could be said for response headers, no? You've got a WSGI
stack of A, B, and C. Just beacuse "C" sets a header intended for A,
doesn't mean that B has to pass it on.
| In the case of authentication, it should be sufficient to have a
| callable or mutable in the environ that can be called or set more than
| once per request, i.e. it only takes effect once the request is
| completed. This allows outer middleware to override what inner
| middleware or the application set it to.
This is exactly what environ['REMOTE_USER'] is, a mutable value in
the environ that can be set more than once, and only the current
value matters when create_response hits the request log middleware.
| Response headers and callables (or mutables) in the environ
| are the only way to send stuff upstream. You also have to be careful
| that any upstream communication doesn't bypass something that middleware
| should be allowed to control.
Of course you have to be careful and work out a protocol that all
intermediate middleware components agree upon. However, beyond that
I fail to understand the distinctions you're making or why they
are important. Perhaps a tangable example would help to educate me?
Thanks so much,
More information about the Web-SIG