[Zope-PAS] Passwordless authentication

Zachery Bir zbir at urbanape.com
Mon Aug 30 14:04:49 EDT 2004


On Aug 30, 2004, at 1:00 PM, Lennart Regebro wrote:

> Zachery Bir wrote:
>> Actually, PAS supports it. There are no assumptions made on what 
>> constitutes valid credentials. For something like this, though, 
>> you'll probably want a plugin that does both 
>> IExtractCredentialsPlugin and IAuthenticateCredentialsPlugin (since 
>> they will likely know what to look for from each other).
>
> It works with this little change:
>
>     security.declarePrivate( '_mangleId' )
>     def _mangleId( self, namespace, id ):
>         if id.find(MANGLE_DELIMITER) != -1:
>             return id
>         return MANGLE_DELIMITER.join( ( namespace, id ) )
>
> So that double mangling is prevented. That way the Authentication 
> plugin can return the correct mangled user_id of the user.

Nope. The Authentication plugin hands back a tuple of unmangled id and 
login (login can be None).

That tuple will be passed to an IUserEnumeration plugin to satisfy 
within itself. First one to respond positively wins, and *that's* the 
point where PAS will mangle the id (the winning plugin's id is the 
namespace in the above method).

> Otherwise, the enumeration and authentication plugins have to be the 
> same, which doesn't work in this case, because then the extraction, 
> authentication and enumeration plugins have to be the same, and then 
> you really have no point in having a plugin-architecture at all, 
> unless the various plugins are independent of each other.

I think I've mis-explained something. ;^) I'll try to work up an 
example that's a little more clear.

Zac
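
The resolution order described in this message, as an added example that is not part of the original post and is not PAS source code: a toy model in which the authenticator returns an unmangled (id, login) tuple and the id is mangled only after an enumeration plugin claims it. The class names, `resolve`, the `knows` method and the delimiter value are assumptions made for illustration.

```python
# Toy model of the flow described in the message; not PAS source code.
MANGLE_DELIMITER = "__"  # assumed value, for illustration only


def mangle_id(namespace, user_id):
    """Namespace a plugin-local id with the id of the plugin that owns it."""
    return MANGLE_DELIMITER.join((namespace, user_id))


class TokenAuthenticator:
    """Hypothetical passwordless authenticator: maps a token to (id, login)."""

    def __init__(self, tokens):
        self.tokens = tokens

    def authenticate(self, credentials):
        user_id = self.tokens.get(credentials.get("token"))
        # Unmangled id; login may be None, as the message says.
        return (user_id, None) if user_id else None


class Enumerator:
    """Hypothetical enumeration plugin that knows a fixed set of user ids."""

    def __init__(self, plugin_id, known_ids):
        self.plugin_id = plugin_id
        self.known_ids = set(known_ids)

    def knows(self, user_id, login):
        return user_id in self.known_ids


def resolve(credentials, authenticators, enumerators):
    """Return the mangled id of the authenticated user, or None."""
    for auth in authenticators:
        result = auth.authenticate(credentials)
        if result is None:
            continue
        user_id, login = result
        # First enumerator to respond positively wins; only here is the id
        # mangled, with the winning plugin's id as the namespace.
        for enum in enumerators:
            if enum.knows(user_id, login):
                return mangle_id(enum.plugin_id, user_id)
    return None


# Constructed sample data.
AUTHS = [TokenAuthenticator({"tok-123": "alice", "tok-456": "bob"})]
ENUMS = [Enumerator("ldap", ["bob"]), Enumerator("local", ["alice", "bob"])]
```

In this model the authenticator never sees or produces a mangled id, so it stays independent of whichever enumeration plugin ends up owning the user.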


