Re: [Web-SIG] Communicating authenticated user information

2006-01-23 Thread Stephan Richter
On Sunday 22 January 2006 11:34, Phillip J. Eby wrote:
> >Is Zope the only WSGI application that performs authentication
> >itself?
>
> I think Zope is the only WSGI application that cares about communicating
> this information back to the web server's logs.  :)  Or at least, the only
> one whose author has said so.  :)

Well, I originally worked with Itamar and James on the Twisted integration 
into Zope 3, when we noticed this problem.

> Perhaps an "X-Authenticated-User: foo" header could be added in a future
> spec version?  (And as an optional feature in the current PEP.)  This seems
> a simpler way to incorporate the feature than adding an extension API to
> environ.

We originally considered and even implemented the suggestions you made, but 
considered it a security problem and dismissed it. And a "convention" is not 
really a viable solution either, since it defeats the point of a non-specific 
API, like WSGI.

We thought about the problem quite a bit and decided that the user is really 
the only thing that the log has to know from the application. So a 
simple callback that expects a simple string would be just fine.

Regards,
Stephan
-- 
Stephan Richter
CBU Physics & Chemistry (B.S.) / Tufts Physics (Ph.D. student)
Web2k - Web Software Design, Development and Training
___
Web-SIG mailing list
Web-SIG@python.org
Web SIG: http://www.python.org/sigs/web-sig
Unsubscribe: 
http://mail.python.org/mailman/options/web-sig/archive%40mail-archive.com


Re: [Web-SIG] Communicating authenticated user information

2006-01-23 Thread Stephan Richter
On Monday 23 January 2006 14:25, Phillip J. Eby wrote:
> In the case of authentication, it should be sufficient to have a callable
> or mutable in the environ that can be called or set more than once per
> request, i.e. it only takes effect once the request is completed.  This
> allows outer middleware to override what inner middleware or the
> application set it to.

+1. If we had this in the specs, I would be totally happy.

Regards,
Stephan
-- 
Stephan Richter
CBU Physics & Chemistry (B.S.) / Tufts Physics (Ph.D. student)
Web2k - Web Software Design, Development and Training


Re: [Web-SIG] Communicating authenticated user information

2006-01-23 Thread Stephan Richter
On Monday 23 January 2006 15:12, Clark C. Evans wrote:
> Regardless of my opinion on the matter, what *is* being
> proposed for this particular problem; and more generally
> for these sorts of situations?

I think the following is being proposed (and also my favorite solution):

Specify a new environment variable called 'wsgi.user' (or something similar) 
that is a mutable and can be written several times. Only the last write 
(before the output is sent) is important. By default the variable is set to 
``None`` for not set.

Of course I am not good at writing specs, but it should say something like 
that. Of course, one could argue that you possibly want to send other 
information for logging to the server, but I would call this YAGNI.

Regards,
Stephan
-- 
Stephan Richter
CBU Physics & Chemistry (B.S.) / Tufts Physics (Ph.D. student)
Web2k - Web Software Design, Development and Training


Re: [Web-SIG] Communicating authenticated user information

2006-01-23 Thread Stephan Richter
On Monday 23 January 2006 16:15, Phillip J. Eby wrote:
> I'd suggest a callable under 'wsgi.log_username', that takes one argument.

Sounds good to me.

> It should be specified whether it requires ASCII or Unicode.

I don't care; I think ASCII is fine; we can have the application handle the 
encoding.

Regards,
Stephan
-- 
Stephan Richter
CBU Physics & Chemistry (B.S.) / Tufts Physics (Ph.D. student)
Web2k - Web Software Design, Development and Training


Re: [Web-SIG] Communicating authenticated user information

2006-01-24 Thread Stephan Richter
On Monday 23 January 2006 22:15, Clark C. Evans wrote:
> On Mon, Jan 23, 2006 at 04:15:06PM -0500, Phillip J. Eby wrote:
> | At 03:36 PM 1/23/2006 -0500, Stephan Richter wrote:
> | > Specify a new environment variable called 'wsgi.user' (or something
> | > similar) that is a mutable and can be written several times. Only
> | > the last write (before the output is sent) is important. By default
> | > the variable is set to ``None`` for not set.
>
> Why not ``wsgi.context`` or something like that which defaults to
> an empty dictionary.  Then you can put what ever you want in it;
> ``wsgi.user`` just seems to be a bit too specific.

But if you use a dictionary you need to specify all allowed keys. The server 
needs to know from the standard (WSGI) what it is looking for. The Twisted 
guys and we have thought about other possible data for logging and could 
not come up with any. If you have real use cases for other data, please let 
me know.

> | I'd suggest a callable under 'wsgi.log_username', that takes one
> | argument.
>
> I think this is way too specific; it doesn't address the general
> problem: how do you pass information back up the middleware stack.

You cannot address this issue generally. The point of WSGI is that it is a 
well-defined API that specifies exactly what to expect. Let's take your 
suggestion. Let's say there is a dictionary that can contain anything. Zope 3 
(acting as the application) decides to put a key named "user" into the 
dictionary. But Twisted (acting as the server) looks for "remote-user". Since 
the key is not specified in the specification, we have gained absolutely 
nothing.

> | It should be specified whether it requires ASCII or Unicode.
>
> Why cannot it just accept a Python string?  You can always check
> if it is Unicode or not.

Because encoding might be arbitrary. It has to be clearly specified in the 
specs what to expect.

Regards,
Stephan
-- 
Stephan Richter
CBU Physics & Chemistry (B.S.) / Tufts Physics (Ph.D. student)
Web2k - Web Software Design, Development and Training


Re: [Web-SIG] WSGI in standard library

2006-02-05 Thread Stephan Richter
On Saturday 04 February 2006 21:35, Peter Hunt wrote:
> I think CherryPy's WSGI server should go in: it's stable, and the
> best-performing WSGI HTTP server out there.

Are you sure? Is it really scalable? Can you prove it?

Regards,
Stephan
-- 
Stephan Richter
CBU Physics & Chemistry (B.S.) / Tufts Physics (Ph.D. student)
Web2k - Web Software Design, Development and Training


Re: [Web-SIG] Bowing out (was Re: A trivial template API counter-proposal)

2006-02-07 Thread Stephan Richter
On Tuesday 07 February 2006 10:20, Phillip J. Eby wrote:
> >Despite some skepticism about the templating
> >effort, I certainly planned to evaluate it when it settled down.
>
> I'm not complaining about you personally tuning out; it's just that I ended
> up being a sole advocate for stuff I thought Zope would need in order to
> utilize the template standard as a basis for views, without being certain
> of the details or whether you (i.e. zope.com and .org) actually cared (due
> to you having disappeared after your initial comment).  (This of course
> also goes for other view-based and "active page" frameworks that have
> similar issues, but whose architects weren't around to comment in the first
> place.)

I phased out as well and decided to comment on a draft. The number of e-mails 
just overwhelmed me. But I agree as well that the egg work is more 
important. :-)

BTW, did we reach a conclusion on the user logging issue? We really, really 
need to solve that somehow. Anything you can come up with is fine by me; I'll 
trust you to do the right thing.

Regards,
Stephan
-- 
Stephan Richter
CBU Physics & Chemistry (B.S.) / Tufts Physics (Ph.D. student)
Web2k - Web Software Design, Development and Training


Re: [Web-SIG] Logging the authenticated user (was Re: Bowing out)

2006-02-07 Thread Stephan Richter
On Tuesday 07 February 2006 12:28, Phillip J. Eby wrote:
> * Add an optional 'wsgi.response_filtering' key to the spec.  If its value
> is present and true, the server promises to prevent 'X-Internal-*' headers
> from being transmitted.
>
> * Add an optional 'X-Internal-WSGI-Authenticated-User' header to the spec,
> that indicates the authenticated user name.  This should only be inserted
> into the response headers if 'wsgi.response_filtering' is in effect.
>
> * Require that any user-defined X-Internal headers include a product name,
> e.g. 'X-Internal-Zope-Foo', to avoid conflict with WSGI-defined or other
> products' user-defined headers.
>
> This would all be placed under a new section entitled "Internal Response
> Headers" and defined as an optional extension.
>
> Any thoughts?

This sounds really good! Thanks for the great summary and suggestions. As far 
as I can tell it solves all of our use cases and addresses our security 
concerns; i.e. not sending the username to the client.

Regards,
Stephan
-- 
Stephan Richter
CBU Physics & Chemistry (B.S.) / Tufts Physics (Ph.D. student)
Web2k - Web Software Design, Development and Training
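To make the two proposals in this thread concrete (the 'wsgi.log_username' callable with last-write-wins semantics, and the 'X-Internal-WSGI-Authenticated-User' header that the server strips under 'wsgi.response_filtering'), here is an added example of the server side of both, written for this archive and not code from the Web-SIG discussion, Zope or Twisted. The ASCII-only rule for the callable, the header-over-callable precedence and the '-' fallback are my assumptions, and demo_app is a constructed application.

```python
# Added example, not from the thread: a toy WSGI server side for both proposals.
INTERNAL_PREFIX = "x-internal-"
AUTH_USER_HEADER = "x-internal-wsgi-authenticated-user"


def run_request(app, environ):
    """Serve one request; return (status, headers sent, body, name for the log)."""
    recorded = {"user": None}          # wsgi.log_username store: last write wins

    def log_username(name):
        # Assumed spec choice from the thread: plain ASCII str only.
        if not isinstance(name, str) or not name.isascii():
            raise ValueError("wsgi.log_username expects an ASCII str")
        recorded["user"] = name

    environ = dict(environ)
    environ["wsgi.log_username"] = log_username
    environ["wsgi.response_filtering"] = True   # promise: X-Internal-* never leaves the server
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)
        return lambda data: None

    body = b"".join(app(environ, start_response))

    sent, header_user = [], None
    for name, value in captured["headers"]:
        lname = name.lower()
        if lname == AUTH_USER_HEADER:
            header_user = value
        if lname.startswith(INTERNAL_PREFIX):
            continue                        # stripped before transmission to the client
        sent.append((name, value))

    # The value in effect once the response is complete is the one that counts.
    log_user = header_user if header_user is not None else recorded["user"] or "-"
    return captured["status"], sent, body, log_user


def demo_app(environ, start_response):
    """Constructed application: reports the authenticated user both ways."""
    environ["wsgi.log_username"]("anonymous")     # provisional value ...
    environ["wsgi.log_username"]("alice")         # ... overridden: last write wins
    headers = [("Content-Type", "text/plain")]
    if environ.get("wsgi.response_filtering"):    # only safe when the server filters
        headers.append(("X-Internal-WSGI-Authenticated-User", "alice"))
    start_response("200 OK", headers)
    return [b"hello alice"]
```

A product-specific header such as 'X-Internal-Zope-Foo' is stripped by the same prefix rule, which is what keeps the username (and anything else internal) from reaching the client.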


Re: [Web-SIG] Removal of Cookie in Python 3.0 OK?

2008-02-04 Thread Stephan Richter
On Monday 04 February 2008, Jim Fulton wrote:
> Breeds are constantly evolving.  I don't think it's realistic for the  
> standard library to try to keep up.  I also don't think it's a very  
> good idea for language maintainers to make judgements about what's  
> best in various application areas.
>
> I have the impression that there's this fairly large effort for people  
> to redo lots of the standard library for Python 3, without necessarily  
> knowing a lot about the libraries' histories, and motivation. I'm  
> skeptical that this is going to lead to a high-quality product.
>
> I'd much rather see language developers put some focus on making a low-
> level feature like a packaging system work as well as possible.

Amen to that. :-)

Regards,
Stephan
-- 
Stephan Richter
Web Software Design, Development and Training
Google me. "Zope Stephan Richter"


Re: [Web-SIG] WSGI for Python 3

2010-07-16 Thread Stephan Richter
On Friday, July 16, 2010, Ian Bicking wrote:
> We could make everything bytes and be done with it, but it would make it
> much harder to port Python 2 WSGI code to Python 3.

I think this might be best having seen all of the discussion. One could easily 
write a compatibility middleware that makes porting Python 2 applications easy 
or even completely transparent (from a WSGI spec point of view).

Regards,
Stephan
-- 
Entrepreneur and Software Geek
Google me. "Zope Stephan Richter"