Gustavo, thanks for your reply. I now see that SQLAuthenticatorPlugin doesn't actually set identity['user'], it's (only) used to obtain the userid when the user isn't pre-authenticated. Setting identity['user'] is done in repoze.what.plugins.sql.SqlGroupsAdaptor based on the userid. That means I only need to write an identifier with access to the database to obtain the userid based on either the public or secure tickets and hook it up in middleware.py. I'm impressed by how well factored this system is! It takes some time to get your head around, but it's definitely the most flexible auth/authorisation system I have seen.
> How do you authenticate the user on both sites? The user logs in the secure
> site, then she's redirected to the "insecure" one for it to set a session
> cookie and then redirect her back to the secure site? If so, one solution may
> be to have an authenticator in the secure site which redirects the user to the
> insecure site if authentication succeeds and then an identifier in the
> "insecure" site sets its own cookie and redirects the user back to the secure
> site.

Authentication is only done on the SSL side of the site, yet identification is done on both sides. None of the public pages require the user to be authenticated, and the identification is only used for things that don't compromise the privacy of the user. Technically, identification is implemented as checking if the current connection is secure and matching either the secure or public ticket against the db. When identification fails and the page requires the user to be authenticated, control is transferred to a 'login_handler'. This login_handler intercepts the current request and presents the user with a login form. On postback the handler verifies the username/password combination, sets the two cookies with random tickets which are also stored in the db, and performs a redirect to the same page. Login and auth all happen at the original URL. There is no need to redirect between the http and https site to set both cookies. The only difference from a 'normal' cookie based login system is that there are two separate tickets for the secure and public site. If I understand it correctly, I only have to write a custom IdentifierPlugin to make this work with TG2, which is great!
> Having a single TG2 application serving two different websites (one under http
> and the other under https) with a common authentication working on both sites
> is not very common, so you'll have to stop TG from configuring auth for you
> [1] and then configure it yourself to customize repoze.who as you need through
> repoze.what [2] (using setup_auth() so that you can add the special identifier
> and authenticators).

Thanks for pointing me in the right direction. I was looking for entry-points to hook up the plugin into the TG config, which isn't necessary :)
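As an added example (not code from this thread, nor from TurboGears or repoze.who), here is how the two-ticket identifier described above could look, following repoze.who's IIdentifier method contract (identify/remember/forget); the cookie names, the in-memory sqlite3 ticket table standing in for the real db, and the omitted zope.interface declaration are assumptions.

```python
import secrets
import sqlite3
from http.cookies import SimpleCookie


class TwoTicketIdentifier:
    """Identifies the user from one of two tickets: the secure ticket is only
    consulted over https, the public ticket only over plain http."""

    COOKIES = {'https': 'secure_tkt', 'http': 'public_tkt'}  # assumed names

    def __init__(self):
        # Constructed stand-in for the application's ticket table.
        self.db = sqlite3.connect(':memory:')
        self.db.execute('CREATE TABLE tickets '
                        '(scheme TEXT, ticket TEXT PRIMARY KEY, userid TEXT)')

    def _ticket_from_cookie(self, environ, name):
        jar = SimpleCookie(environ.get('HTTP_COOKIE', ''))
        return jar[name].value if name in jar else None

    def identify(self, environ):
        # Only the cookie belonging to the current scheme is read, and the
        # ticket must have been issued for that scheme: a secure ticket
        # replayed over http (or a public one over https) is ignored.
        scheme = environ.get('wsgi.url_scheme', 'http')
        name = self.COOKIES.get(scheme)
        ticket = name and self._ticket_from_cookie(environ, name)
        if not ticket:
            return None
        row = self.db.execute('SELECT userid FROM tickets WHERE scheme=? '
                              'AND ticket=?', (scheme, ticket)).fetchone()
        return {'repoze.who.userid': row[0]} if row else None

    def remember(self, environ, identity):
        # Called by the login handler after the password check: issue two
        # independent random tickets, store them, return both Set-Cookie headers.
        userid = identity['repoze.who.userid']
        headers = []
        for scheme, name in self.COOKIES.items():
            ticket = secrets.token_urlsafe(32)
            self.db.execute('INSERT INTO tickets VALUES (?, ?, ?)',
                            (scheme, ticket, userid))
            flags = '; HttpOnly; Path=/' + ('; Secure' if scheme == 'https' else '')
            headers.append(('Set-Cookie', f'{name}={ticket}{flags}'))
        return headers

    def forget(self, environ, identity):
        # Drop the server-side tickets so an old cookie cannot be replayed.
        self.db.execute('DELETE FROM tickets WHERE userid=?',
                        (identity['repoze.who.userid'],))
        return [('Set-Cookie', f'{n}=; Max-Age=0; Path=/') for n in self.COOKIES.values()]
```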
