Hello,
Jd said:
> Thanks to everyone for their replies..
>
> Diez, Gustavo,
>
> * We have
> * a URL based login method (which sets up the cookies)
> * and we attach the cookies to the xml-rpc handle.
> This is similar to the option suggested by Diez. The problem with this
> is that we need to implement login in each language for this to work.
> (among feeling it to be a hack)
Basic/digest authentication is a widely used authentication method and also
very common in XML-RPC, so it might be an option.
repoze.who has a built-in plugin for that and it'd be quite easy to configure
it so that it only comes into play in XML-RPC requests.
> I was/am still hoping.. :)
> a. XML-RPC controller to "parse" the user id..etc.
> b. We calling some repos.who) to create/populate session.
> (for us @ decorators are not very high priority.. I will have to
> double check though)
I'd recommend leaving that to repoze.who for 4 reasons:
1.- Any 3rd party package that depends on authentication will work
automatically, like repoze.what.
2.- Authentication happens early on, not later in the controller.
3.- The user's metadata would be available as usual.
4.- You can focus on the features that add value to your Web site, without
worrying about or maintaining authentication code. If you want a functionality
not offered by an existing repoze.who plugin, you'd just need to implement that
functionality instead of the whole authn system.
In other words, you'd keep the ability to use TG the "standard" way without
affecting other places that need not be affected, and given repoze.who's
pluggability, it'd be easy to change this setup in the future slightly or
completely without changing anything in your controllers.
I think repoze.who is good enough for this and it won't influence your
decision on how to handle authentication. If you tell us what you'd like to do
exactly, I'll tell you what's available already and if you'd need to write
some code.
I'd personally recommend using basic authentication because there's no code to
write and it's widely used, so you won't have to implement clients for
different languages.
> From the discussion.. I still have some questions..
> a. how does repos.who auth extensions/plugin suggested by Gustavo
> go ? i.e how does it tie in to TG2)
You'd put this information in {yourapp}.config.app_cfg:
http://www.turbogears.org/2.1/docs/main/Auth/Customization.html
That's the standard way to do it in TG2, but you can put that somewhere else
if you need to (e.g., ini files or a separate Python file).
> b. Would returning credentials suggested last would ....session etc.
> correctly ?
Sorry, I don't understand what you mean by that.
If you're talking about the session as in the Beaker library, AFAIK, it
doesn't look at the REMOTE_USER variable so it's completely independent from
repoze.who or any authn library.
HTH.
--
Gustavo Narea <xri://=Gustavo>.
| Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about |
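
Added example, not part of the message above and not repoze.who code: a standard-library WSGI sketch of the setup the reply recommends, where basic authentication is applied only to XML-RPC requests and REMOTE_USER is set before the controller runs. The request classifier (a POST declared as text/xml), the USERS table, the realm and all names are assumptions made for illustration.

```python
import base64
import hmac
USERS = {"rpcuser": "constructed-password"}  # constructed sample credentials

def is_xmlrpc(environ):
    """Assumed classifier: a POST whose body is declared as text/xml."""
    ctype = environ.get("CONTENT_TYPE", "").split(";")[0].strip().lower()
    return environ.get("REQUEST_METHOD") == "POST" and ctype == "text/xml"

def parse_basic(header):
    """Return (user, password) from an Authorization header, or None."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # malformed base64 or invalid UTF-8
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def check(user, password):
    """Constant-time password comparison against the constructed USERS table."""
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())

class XmlRpcBasicAuth:
    """WSGI middleware: authenticate XML-RPC requests before the app runs."""
    def __init__(self, app, realm="xmlrpc"):
        self.app, self.realm = app, realm
    def __call__(self, environ, start_response):
        if not is_xmlrpc(environ):
            return self.app(environ, start_response)  # browser login flow untouched
        creds = parse_basic(environ.get("HTTP_AUTHORIZATION", ""))
        if creds and check(*creds):
            environ["REMOTE_USER"] = creds[0]  # visible to the controller as usual
            return self.app(environ, start_response)
        start_response("401 Unauthorized",
                       [("WWW-Authenticate", 'Basic realm="%s"' % self.realm)])
        return [b"authentication required\n"]

def run(environ):
    """Wrap a demo app that echoes REMOTE_USER; return (status, body)."""
    def app(env, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [env.get("REMOTE_USER", "anonymous").encode()]
    seen = {}
    body = XmlRpcBasicAuth(app)(environ, lambda s, h: seen.update(status=s))
    return seen["status"], b"".join(body)
```

Basic authentication sends the password base64-encoded rather than encrypted, so a deployment like this belongs behind HTTPS.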