= Framework for Authentication and Authorization =

This page describes an [source:branches/experimental/auth-framework experimental branch] that adds a simple, generic auth framework to Diva. The main goals of this framework are:

 * Enable relatively easy switching between HTTP authentication (such as `Basic` or `Digest` authentication performed by the web server) and form-based authentication.
 * Provide convenience functions for checking authorization to perform certain actions.
 * No reliance on a specific backend storage for user profiles and credentials.
 * No restriction to a specific method of controlling access to resources (such as ACLs). Applications can use whatever access control granularity they need.
 * Storage-independent generation and verification of authentication cookies for form-based login.

Possible/peripheral goals:

 * WSGI middleware for using `Basic` and `Digest` authentication, primarily in the context of the DevelopmentServer.

Non-goals include:

 * Built-in processes and UI for user registration, activation, password resetting, and other high-level features.

== Application Mixin Approach ==

The current branch defines an `AuthMixIn` class that auth-enabled applications are supposed to subclass. It adds a couple of method stubs to the `Application` class and contributes a [wiki:RequestFilters request filter]. (The details of adding the request filter are rather problematic right now; I'm thinking about various ways of having filters order themselves semi-automatically by declaring dependencies.)
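The following is an added illustration of the two ideas above, the storage-independent authentication cookie and the mixin that contributes a request filter and authorization helper; it is example code written for this page, not code from the Diva branch. The `Application` base class, the request-as-dict shape, the `handle`/`request_filters` chain, the stub names `get_user`/`get_roles`, the `has_permission` helper and the cookie layout (`user|expiry|hmac`, base64-encoded) are all assumptions made here, and the users and secret are constructed for the demo.

```python
import base64
import hashlib
import hmac
import time

# Constructed demo secret; a real application would load it from configuration.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"


def make_auth_cookie(username, secret=SECRET_KEY, now=None, ttl=3600):
    """Issue a storage-independent auth cookie: base64("user|expiry|hmac").

    Nothing is written to a session store; authenticity comes from the HMAC
    over the user name and expiry, so any backend can hold the user profiles.
    (Cookie layout is an assumption of this example, not the branch's format.)
    """
    now = int(time.time()) if now is None else now
    payload = f"{username}|{now + ttl}".encode()
    mac = hmac.new(secret, payload, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(payload + b"|" + mac).decode()


def verify_auth_cookie(cookie, secret=SECRET_KEY, now=None):
    """Return the user name if the cookie is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(cookie.encode()).decode()
        username, expiry, mac = raw.rsplit("|", 2)
        expiry = int(expiry)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed cookie
    expected = hmac.new(secret, f"{username}|{expiry}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None  # tampered, or signed with a different key
    if expiry <= now:
        return None  # expired
    return username


class Application:
    """Stand-in for a framework application base class (hypothetical)."""

    def __init__(self):
        self.request_filters = []

    def handle(self, request):
        """Run the request dict through each registered filter in order."""
        for request_filter in self.request_filters:
            request = request_filter(request)
        return request


class AuthMixIn:
    """Hypothetical mixin: subclasses fill in the stubs for their own storage."""

    def __init__(self):
        super().__init__()
        # Contribute the auth filter to the application's request filter chain.
        self.request_filters.append(self.authenticate_request)

    # Stubs the application overrides; the mixin never touches storage itself.
    def get_user(self, username):
        raise NotImplementedError

    def get_roles(self, user):
        return ()

    def authenticate_request(self, request):
        """Request filter: accept web-server HTTP auth or a form-login cookie."""
        user = None
        if request.get("REMOTE_USER"):       # set by Basic/Digest auth in the server
            user = self.get_user(request["REMOTE_USER"])
        elif request.get("auth_cookie"):     # set after a form-based login
            name = verify_auth_cookie(request["auth_cookie"])
            user = self.get_user(name) if name else None
        request["user"] = user
        return request

    def has_permission(self, request, role):
        """Convenience authorization check against the application's roles."""
        user = request.get("user")
        return user is not None and role in self.get_roles(user)


class DemoApp(AuthMixIn, Application):
    """Constructed application with an in-memory user table."""
    USERS = {"alice": {"name": "alice", "roles": ("editor", "admin")},
             "bob": {"name": "bob", "roles": ("editor",)}}

    def get_user(self, username):
        return self.USERS.get(username)

    def get_roles(self, user):
        return user["roles"]


def can_admin(app, request):
    """Authenticate via the filter chain, then check for the 'admin' role."""
    request = app.handle(dict(request))
    return app.has_permission(request, "admin")
```

Switching between server-performed HTTP authentication and form login is then a matter of which field the request carries, and the application only ever implements `get_user` and `get_roles` against its own storage.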