[Web-SIG] Communicating authenticated user information

Clark C. Evans cce at clarkevans.com
Mon Jan 23 20:52:51 CET 2006

On Mon, Jan 23, 2006 at 02:25:35PM -0500, Phillip J. Eby wrote:
| You simply can't use environ values to communicate *up* the WSGI stack, 
| since at no level is it guaranteed you have the "same" 
| dictionary.

The same could be said for response headers, no?  You've got a WSGI
stack of A, B, and C.  Just beacuse "C" sets a header intended for A,
doesn't mean that B has to pass it on. 

| In the case of authentication, it should be sufficient to have a 
| callable or mutable in the environ that can be called or set more than 
| once per request, i.e. it only takes effect once the request is 
| completed.  This allows outer middleware to override what inner 
| middleware or the application set it to.

This is exactly what environ['REMOTE_USER'] is, a mutable value in
the environ that can be set more than once, and only the current 
value matters when create_response hits the request log middleware.

| Response headers and callables (or mutables) in the environ 
| are the only way to send stuff upstream.  You also have to be careful 
| that any upstream communication doesn't bypass something that middleware 
| should be allowed to control.

Of course you have to be careful and work out a protocol that all
intermediate middleware components agree upon.  However, beyond that
I fail to understand the distinctions you're making or why they 
are important.  Perhaps a tangable example would help to educate me?

Thanks so much,


More information about the Web-SIG mailing list