Joost, I think this is a common enough situation that it would be awesome if we had a standardish recipe for this in the TG2 docs.

If you write up an e-mail or a page in the docs wiki describing what you do, I'd be more than happy to try to get it moved up into the "official" docs.

--Mark Ramm

On Thu, Nov 27, 2008 at 5:40 AM, Joost <[EMAIL PROTECTED]> wrote:
>
> Gustavo thanks for your reply.
>
> I now see that SQLAuthenticatorPlugin doesn't actually set identity['user'], it's (only) used to obtain the userid when the user isn't pre-authenticated. Setting identity['user'] is done in repoze.what.plugins.sql.SqlGroupsAdaptor based on the userid. That means I only need to write an identifier with access to the database to obtain the userid based on either the public or secure tickets and hook it up in middleware.py. I'm impressed by how well factored this system is! It takes some time to get your head around but it's definitely the most flexible auth/authorisation system I have seen.
>
>> How do you authenticate the user on both sites? The user logs in the secure site, then she's redirected to the "insecure" one for it to set a session cookie and then redirect her back to the secure site? If so, one solution may be to have an authenticator in the secure site which redirects the user to the insecure site if authentication succeeds and then an identifier in the "insecure" site sets its own cookie and redirects the user back to the secure site.
>
> Authentication is only done on the ssl side of the site, yet identification is done on both sides. None of the public pages require the user to be authenticated and the identification is only used for things that don't compromise the privacy of the user. Technically identification is implemented as checking if the current connection is secure and matching either the secure or public ticket against the db.
>
> When identification fails and the page requires the user to be authenticated, control is transferred to a 'login_handler'. This login_handler intercepts the current request and presents the user with a login form. On postback the handler verifies the username/password combination, sets the two cookies with random tickets which are also stored in the db, and performs a redirect to the same page. Login and auth all happen at the original url. There is no need to redirect between the http and https site to set both cookies.
>
> The only difference with a 'normal' cookie based login system is that there are two separate tickets for the secure and public site. If I understand it correctly I only have to write a custom IdentifierPlugin to make this work with TG2, which is great!
>
>> Having a single TG2 application serving two different websites (one under http and the other under https) with a common authentication working on both sites is not very common, so you'll have to stop TG from configuring auth for you [1] and then configure it yourself to customize repoze.who as you need through repoze.what [2] (using setup_auth() so that you can add the special identifier and authenticators).
>
> Thanks for pointing me in the right direction. I was looking for entry-points to hook up the plugin into the TG config, which isn't necessary :)

--
Mark Ramm-Christensen
email: mark at compoundthinking dot com
blog: www.compoundthinking.com/blog
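The two-ticket identifier Joost describes above, sketched as an added example (not code from the thread, TurboGears or repoze.who). It follows the identify/remember/forget method shape of repoze.who's IIdentifier so it runs stand-alone; the cookie names, the in-memory TicketStore standing in for the db table, and the "secure_channel" identity key are assumptions made here.

```python
# Added example, not code from the thread, TurboGears or repoze.who. A real
# plugin would also declare repoze.who's IIdentifier interface and be added
# through setup_auth(); cookie names, TicketStore and "secure_channel" are assumed.
import secrets
from http.cookies import SimpleCookie

class TicketStore:
    # Constructed stand-in for the db table mapping random tickets to userids.
    def __init__(self):
        self._tickets = {}  # ticket -> (userid, issued_for_secure_site)

    def issue(self, userid):
        secure, public = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._tickets[secure] = (userid, True)
        self._tickets[public] = (userid, False)
        return secure, public

    def lookup(self, ticket, secure):
        # A ticket only identifies on the side it was issued for: the public
        # ticket travels over plain http and must never unlock the https side.
        entry = self._tickets.get(ticket)
        return entry[0] if entry and entry[1] == secure else None

class TwoTicketIdentifier:
    SECURE_COOKIE, PUBLIC_COOKIE = "secure_ticket", "public_ticket"

    def __init__(self, store):
        self.store = store

    def identify(self, environ, identity):
        secure = environ.get("wsgi.url_scheme") == "https"
        cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
        name = self.SECURE_COOKIE if secure else self.PUBLIC_COOKIE
        if name not in cookies:
            return None
        userid = self.store.lookup(cookies[name].value, secure)
        if userid is None:
            return None
        # SqlGroupsAdaptor later turns repoze.who.userid into identity['user'].
        return {"repoze.who.userid": userid, "secure_channel": secure}

    def remember(self, environ, identity):
        # After login: issue both tickets at once, so no http<->https redirect
        # is needed; the Secure flag keeps the https ticket off plain http.
        secure, public = self.store.issue(identity["repoze.who.userid"])
        return [("Set-Cookie", f"{self.SECURE_COOKIE}={secure}; Path=/; Secure; HttpOnly"),
                ("Set-Cookie", f"{self.PUBLIC_COOKIE}={public}; Path=/; HttpOnly")]

    def forget(self, environ, identity):
        return [("Set-Cookie", f"{self.SECURE_COOKIE}=; Path=/; Max-Age=0; Secure"),
                ("Set-Cookie", f"{self.PUBLIC_COOKIE}=; Path=/; Max-Age=0")]
```

Because lookup() checks which side a ticket was issued for, a public ticket observed on plain http cannot be replayed under the secure cookie name to identify on the https side.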
