[Web-SIG] Communicating authenticated user information

Phillip J. Eby pje at telecommunity.com
Wed Jan 25 18:17:29 CET 2006

At 01:53 AM 1/25/2006 -0500, Clark C. Evans wrote:
>Hence, the interfaces between these modules is simply using the
>well-understood CGI variable ``REMOTE_USER``.  They can be used
>independently of each other, and in creative combinations.

If each middleware or application does this:

     remote_user = environ.setdefault('paste.remote_user', [])

And then uses the contents of that list as the thing to check or modify, 
then you will get the exact same result as the "pass the same environ" 
approach, except that it's actually compatible with PEP 333, as opposed to 
relying on implementation accidents.  This doesn't seem especially 
difficult to me.

>The WSGI middleware components that actually create their own environ
>are few and far between.  This is an uncommon edge case.

Composability of applications is a critical requirement for WSGI 
middleware.  It doesn't matter how uncommon it is.  Even if there were 
*zero* implementations of such middleware right now, that principle would 
take precedence, meaning you'd have to have a proposal that would preserve 
composability.  Right now, you haven't described a way to do that without 
introducing temporal coupling (or worse) among subrequests.

More information about the Web-SIG mailing list