Wednesday, April 12, 2006

Zope3 PAU

I've been working with Zope3's PAU a bunch recently, and while I'm still hazy on a few points, a lot of things have crystallized for me that I didn't really "get" before. I originally worked with PluggableAuth from the 3.0 release, so moving to and the new PAU model was a little trying. Not bad, but I just didn't really get how a lot of the bits worked together until after I'd spent rather a lot of time on it. And some pieces I'm still not clear on.

The first thing that finally "clicked" for me was the understanding of the "how and when" for the different PAU plugins. Each PAU has two primary sets of plugins, authenticator and credentials. Authenticator I understood more immediately, as it is the plugin that actually contains principals. Why you need principals and a principal container isn't really something that you can miss, so I didn't ;).

The credentials plugin, though, is something I didn't really understand before. Because the login and password are associated with the principal in the authenticator plugin, I didn't know where the credentials plugin really "fit", even though I'd read through the README.txt, principalfolder.txt, etc. I saw them in action, but didn't understand where in the overall "process" it fit.

The order of operations for principal login seems to be:
- form/challenge for username and password (or your own set of credentials)
- a credentials plugin extracts the credentials (with extractCredentials) from the request, and returns a dict of {'login' : login, 'password': password}.
- those credentials are then handed to the authenticator plugin, which runs authenticateCredentials(credentials) and returns a PrincipalInfo object based on the credentials passed in.
- the PAU itself then actually finds the associated principal, and returns it.

My current problem is "returns it where?"

principal = pau.authenticate(self.request) (where request has the necessary credentials in it) works, and, if you want, you can run self.request.setPrincipal(principal), which, for the current request, establishes that the authenticated principal should be used.
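The login sequence listed above, modelled end to end as an added example (not code from the original post, and not Zope's own implementation). FormCredentialsPlugin, FolderAuthenticatorPlugin, MiniPAU, the dict-shaped request and the PrincipalInfo fields are hypothetical stand-ins; only the method names extractCredentials, authenticateCredentials and authenticate come from the post.

```python
import hashlib
import hmac
import os
from collections import namedtuple

PrincipalInfo = namedtuple("PrincipalInfo", "id title")  # stand-in, fields assumed

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class FormCredentialsPlugin:
    """Credentials plugin: only pulls credentials out of the request."""
    def extractCredentials(self, request):
        form = request.get("form", {})
        if "login" not in form or "password" not in form:
            return None  # nothing to extract from this request
        return {"login": form["login"], "password": form["password"]}

class FolderAuthenticatorPlugin:
    """Authenticator plugin: holds the principals and checks credentials."""
    def __init__(self, users):  # users: login -> (password, title)
        self._principals = {}
        for login, (password, title) in users.items():
            salt = os.urandom(16)  # store a salted hash, never the password
            self._principals[login] = (salt, _hash(password, salt), PrincipalInfo("demo." + login, title))
    def authenticateCredentials(self, credentials):
        if not credentials or credentials.get("login") not in self._principals:
            return None
        salt, stored, info = self._principals[credentials["login"]]
        ok = hmac.compare_digest(stored, _hash(credentials["password"], salt))
        return info if ok else None

class MiniPAU:
    """Hands each plugin's extracted credentials to each authenticator."""
    def __init__(self, credentials_plugins, authenticator_plugins):
        self.credentials_plugins = credentials_plugins
        self.authenticator_plugins = authenticator_plugins
    def authenticate(self, request):
        for cred in self.credentials_plugins:
            credentials = cred.extractCredentials(request)
            if credentials is None:
                continue
            for auth in self.authenticator_plugins:
                info = auth.authenticateCredentials(credentials)
                if info is not None:
                    return info  # the PAU would look up the principal here
        return None  # unauthenticated: do not call setPrincipal

# Constructed sample data: one principal, one plugin of each kind.
pau = MiniPAU([FormCredentialsPlugin()], [FolderAuthenticatorPlugin({"alice": ("s3cret", "Alice")})])
```

A None result covers both "no credentials in the request" and "credentials rejected", so the caller has to check for it before treating the request as authenticated.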

Outside of setting that login information in cookies or a session, though, I don't know how to keep a user authenticated by the PAU for the rest of the transaction/browser session.

I'll post more on it when I understand it better.

