1 Authentication in WebStack
2 --------------------------
3
4 There are two principal methods of introducing authentication and applying
5 access control to WebStack applications:
6
7 * Use of authenticators, where the "remote user" is set in the
8 server/framework environment and tested in the application.
9
10 * Use of the LoginRedirect and Login resources.
11
12 Application-wide Authenticators
13 -------------------------------
14
15 First, set up the usage of such authentication mechanisms in the
16 server/framework environment. For example, introduce Auth directives in your
17 Apache configuration (see docs/ModPython/NOTES.txt).
18
19 Then, define an authenticator when deploying your application; this
20 authenticator will respond with a decision when prompted by the server or
21 underlying framework, either allowing or denying access for the user whose
22 identity has been presented to the server/framework.
23
In this mechanism, authenticators rely on authentication information already
established by the server/framework (the "remote user") rather than on any
credentials handled by the application itself, and they have a "global" effect
on access: the same decision is applied to every transaction reaching the
application.
26
27 LoginRedirect and Login Resources
28 ---------------------------------
29
30 The LoginRedirect and Login resources provide a single sign-on environment for
31 WebStack applications. Unlike the authenticator-only approach, each application
32 or part of an application utilising this mechanism must be wrapped inside a
33 LoginRedirect resource which determines whether a given transaction contains
34 information identifying the application's user.
35
Should sufficient information be present in the transaction, the user is allowed
to access the application and is identified in the normal way (i.e. through the
Transaction object's get_user method). Otherwise, a redirect occurs to the Login
resource, which then presents a login form to be completed by the user.
40
41 The Login resource verifies the identity of the user, testing the supplied
42 credentials against the credentials database specified in the deployment of the
43 resource. Upon successful authentication, the user is redirected back to the
44 application, which should let the user gain access.
45
46 Some server/framework environments do not permit automatic redirection back to
47 the application, notably Apache/mod_python. In such cases, a success screen is
48 presented to the user with a link to the application they were attempting to
49 access.
50
In this mechanism, authenticators are still employed, but only within the Login
resource, in order to verify the credentials submitted by users. The LoginRedirect
resource is the component that actually determines access to the application: it
tests whether the authentication information supplied with the transaction is
valid and redirects the user to the Login resource if this is not the case.
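The following is an added, self-contained Python model of both mechanisms
described above (the application-wide authenticator and the LoginRedirect/Login
pair). It is example code written for this page, not WebStack's own
implementation: the names it uses (Transaction, respond, authenticate,
LoginRedirectResource, LoginResource, deploy), the signed session cookie format
and the credentials table are assumptions chosen to mirror the text rather than
WebStack's actual API. The application-wide authenticator only ever consults the
identity the server has already established (REMOTE_USER), whereas the
LoginRedirect wrapper decides access per transaction from a signed cookie and
sends the user to the Login resource otherwise; the Login resource also refuses
to redirect anywhere but a local path, because the return address arrives from
the client.

```python
import hashlib
import hmac
from urllib.parse import urlencode

SALT = b"constructed-salt"                # constructed; real deployments use per-user salts
SESSION_KEY = b"constructed-signing-key"  # constructed; comes from deployment configuration

def hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000).hex()

CREDENTIALS = {"alice": hash_password("correct horse")}  # constructed credentials database

class Transaction:
    """Stand-in for a WebStack Transaction: server environment, request and response."""
    def __init__(self, path, environ=None, cookies=None, form=None):
        self.path, self.environ = path, dict(environ or {})
        self.cookies, self.form = dict(cookies or {}), dict(form or {})
        self.status, self.headers, self.body = 200, {}, ""

    def get_user(self):
        return self.environ.get("REMOTE_USER")  # the "remote user" set by the server

    def redirect(self, url):
        self.status, self.headers["Location"] = 302, url

class HelloResource:
    def respond(self, trans):
        trans.body = "Hello, %s" % trans.get_user()
        return trans

# Mechanism 1: an application-wide authenticator, consulted by the framework adapter
# before the resource runs; it trusts only the identity the server established.
class RemoteUserAuthenticator:
    def __init__(self, allowed):
        self.allowed = set(allowed)

    def authenticate(self, trans):
        return trans.get_user() in self.allowed

def deploy(resource, authenticator):
    """Model of the server/framework adapter: deny globally unless the authenticator agrees."""
    def handler(trans):
        if not authenticator.authenticate(trans):
            trans.status, trans.body = 403, "Forbidden"
            return trans
        return resource.respond(trans)
    return handler

# Mechanism 2: LoginRedirect wraps the application and checks a signed session cookie;
# Login verifies credentials, issues the cookie and sends the user back.
def make_token(user):
    return user + ":" + hmac.new(SESSION_KEY, user.encode(), "sha256").hexdigest()

def user_from_token(token):
    if not token or ":" not in token:
        return None
    user, mac = token.rsplit(":", 1)
    expected = hmac.new(SESSION_KEY, user.encode(), "sha256").hexdigest()
    return user if hmac.compare_digest(mac, expected) else None

class LoginRedirectResource:
    def __init__(self, resource, login_path="/login"):
        self.resource, self.login_path = resource, login_path

    def respond(self, trans):
        user = user_from_token(trans.cookies.get("session"))
        if user is None:  # missing or forged cookie: send the user to the Login resource
            trans.redirect(self.login_path + "?" + urlencode({"app": trans.path}))
            return trans
        trans.environ["REMOTE_USER"] = user  # so get_user() works "in the normal way"
        return self.resource.respond(trans)

class LoginAuthenticator:
    def authenticate(self, trans):
        stored = CREDENTIALS.get(trans.form.get("username", ""))
        supplied = hash_password(trans.form.get("password", ""))  # hash even for unknown users
        return stored is not None and hmac.compare_digest(stored, supplied)

class LoginResource:
    def __init__(self, authenticator, can_redirect=True):
        self.authenticator, self.can_redirect = authenticator, can_redirect

    def respond(self, trans):
        if "username" not in trans.form:
            trans.body = '<form method="post">username / password / app</form>'
            return trans
        if not self.authenticator.authenticate(trans):
            trans.status, trans.body = 401, "Login failed"
            return trans
        trans.headers["Set-Cookie"] = "session=" + make_token(trans.form["username"])
        app = trans.form.get("app", "/")
        if not app.startswith("/") or app.startswith("//"):
            app = "/"  # never redirect off-site: the app parameter is client-controlled
        if self.can_redirect:
            trans.redirect(app)
        else:  # e.g. Apache/mod_python: show a success screen with a link instead
            trans.body = '<a href="%s">Continue to the application</a>' % app
        return trans
```

The Apache/mod_python case from above corresponds to can_redirect=False, where
the Login resource answers with a success screen carrying a link rather than a
Location header. The session token here is only an HMAC over the user name, so it
never expires; a real deployment would add an expiry to the signed value and set
the cookie with the Secure and HttpOnly attributes.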