Version 2 (modified by cmlenz, 16 years ago)
Framework for Authentication and Authorization
This page describes an experimental branch that adds a simple generic auth framework to Diva.
The main goals of this framework are:
- Enable relatively easy switching between HTTP authentication (such as Basic or Digest authentication performed by the web server) and form-based authentication.
- Provide convenience functions for checking authorization to perform certain actions.
- No reliance on a specific backend storage for user profiles and credentials.
- No restriction to a specific method of controlling access to resources (such as ACLs). Applications can use whatever access control granularity they need.
- Storage-independent generation and verification of authentication cookies for form-based login.
Possible/peripheral goals:
- WSGI middleware for using Basic and Digest authentication, primarily in the context of the DevelopmentServer
Non-goals include:
- Built-in processes and UI for user registration, activation, password resetting, and other high-level features.
Application Mixin Approach
The current branch defines an AuthMixIn class that auth-enabled applications are supposed to subclass. It adds a couple of method stubs to the Application class and contributes a request filter (the details of adding the request filter are rather problematic right now; I'm thinking about various ways to have them ordered semi-automatically by declaring dependencies).
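The following is an added illustration of the mixin approach and of the goals listed above; it is example code written for this page, not code from the Diva branch. The Application class, the request-filter list, the dict-shaped request, the WikiApp store and the cookie layout (base64 payload plus an HMAC-SHA256 tag) are all assumptions chosen for the example. It shows how a single request filter can resolve the user from either web-server HTTP authentication (REMOTE_USER) or a form-login cookie, how the cookie can be verified with nothing but the signing secret (no session store), and how the mixin leaves credential and permission lookup to storage-specific stubs.

```python
import base64
import binascii
import hashlib
import hmac
import time

# Constructed secret for this example; an application would load it from configuration.
SECRET = b"example-secret-not-for-production"


def make_auth_cookie(username, secret=SECRET, ttl=3600, now=None):
    """Issue a self-authenticating cookie: '<base64(user:expiry)>.<hmac-sha256>'.
    Nothing is written to a session store; the tag alone proves who issued it."""
    expires = int((time.time() if now is None else now) + ttl)
    payload = f"{username}:{expires}".encode()
    tag = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def verify_auth_cookie(value, secret=SECRET, now=None):
    """Return the username if the tag matches and the cookie is unexpired, else None."""
    try:
        encoded, tag = value.split(".", 1)
        payload = base64.urlsafe_b64decode(encoded.encode())
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    username, _, expires = payload.decode().rpartition(":")
    if not username or not expires.isdigit():
        return None
    if int(expires) < (time.time() if now is None else now):
        return None
    return username


class Application:
    """Minimal stand-in for the framework's Application class (assumption)."""

    def __init__(self):
        self.request_filters = []

    def handle(self, request):
        for request_filter in self.request_filters:
            request = request_filter(request)
        return request


class AuthMixIn:
    """Hypothetical mixin: method stubs the application fills in, plus a request
    filter that resolves the current user from HTTP auth or the login cookie."""

    cookie_name = "auth"

    def __init__(self):
        super().__init__()
        self.request_filters.append(self.authenticate)

    # Stubs: storage-specific, implemented by the concrete application.
    def check_password(self, username, password):
        raise NotImplementedError

    def get_permissions(self, username):
        raise NotImplementedError

    # Request filter: sets request['user'] without touching any storage.
    def authenticate(self, request):
        user = request.get("REMOTE_USER")  # set by the web server (Basic/Digest) or middleware
        if not user:
            cookie = request.get("cookies", {}).get(self.cookie_name)
            user = verify_auth_cookie(cookie) if cookie else None
        request["user"] = user
        return request

    # Convenience helpers for form login and authorization checks.
    def login(self, username, password):
        """Return a cookie value on valid credentials, else None."""
        return make_auth_cookie(username) if self.check_password(username, password) else None

    def require(self, request, permission):
        user = request.get("user")
        if user is None:
            raise PermissionError("authentication required")
        if permission not in self.get_permissions(user):
            raise PermissionError(f"{user!r} lacks {permission!r}")
        return True


class WikiApp(AuthMixIn, Application):
    """Constructed application with an in-memory user store (assumption)."""
    USERS = {"alice": "correct horse"}
    PERMS = {"alice": {"WIKI_VIEW", "WIKI_MODIFY"}}

    def check_password(self, username, password):
        return self.USERS.get(username) == password

    def get_permissions(self, username):
        return self.PERMS.get(username, set())


def current_user(app, request):
    """Run the application's request filters and report the resolved user."""
    return app.handle(dict(request))["user"]


if __name__ == "__main__":
    app = WikiApp()
    cookie = app.login("alice", "correct horse")
    print(current_user(app, {"REMOTE_USER": "alice"}))      # HTTP auth path
    print(current_user(app, {"cookies": {"auth": cookie}}))  # form-login path
```

Because the cookie is verified purely by recomputing the HMAC, the same filter works whether user profiles live in a database, a flat file or an LDAP directory: only check_password and get_permissions touch the backend, which is the storage independence the goals describe.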