[Zope3-dev] Is someone going to do a LoginManager-alikefor
Zoipe3?
Phillip J. Eby
pje@telecommunity.com
Thu, 21 Mar 2002 20:40:22 -0500
Wow. Now I *know* I'm out of date. I've never seen type assertions in
interfaces before this message!
This looks pretty well thought out. I have only a few comments.
First "IAuthenticationService" seems to be a pure data object, with no
actual *service*. Shouldn't it just *do* what's laid out in the
"getPrincipals()" function? Otherwise it looks like it's just a
configuration object and shouldn't really exist on its own.
Also, I'm wondering how one distinguishes between output
principals... suppose you have both an Anonymous principal and an
authenticated one? (But here I'm probably showing my Zope 3 ignorance.)
Something which was useful in Zope 2, but may not be relevant here, was the
use of a chaining approach within the lists of user sources (identifiers)
and login methods (extractors). This allowed one to create login methods
which could check for additional credentials before granting a
login. (E.g., fail if the user wasn't using SSL.) I see how one could do
that with this architecture, but combining such rules requires writing a
custom "identifier" rather than simply stacking primitives. Still, I don't
see a way to create such a chain of responsibility here and still support
all of the other features this architecture offers.
How are the subjects of logout and credential changes handled? It's
unclear to me how one could find one's way to the right credential
extractors to tell them that credentials (e.g. a user password) was
changed, or that the user wishes to log out. I think it would be very good
if we could address these items, as they commonly required kludging in Zope
2 without LoginManager. Under LoginManager, one can say
AUTHENTICATED_USER.logout(), for example. What would be the equivalent here?
At 12:36 PM 3/21/02 -0500, Tres Seaver wrote:
>zigg (Matt Behrens) and I had a chat about this today on #zope3-dev.
>What about the following:
>
> class IAuthenticationService( Interface ):
>
> def failAnyCredential():
> " Must all credential extractors approve the request?"
> return Result( type=Boolean )
>
> def failAnyPrincipal():
> " Must all principal identifiers approve the creds?"
> return Result( type=Boolean )
>
> def listExtractors():
> " Return objects which extract credentials from requests. "
> return Result( type=Sequence( ICredentialsExtractor ) )
>
> def listIdentifiers():
> " Return objects which infer principals from credentials."
> return Result( type=Sequence( IPrincipalIdentifier ) )
>
> def listChallengers():
> " Return objects which create authentication challenges."
> return Result( type=Sequence( IAuthenticationChallenger ) )
>
> class ICredentialsExtractor( Interface ):
>
> def extractCredentials( request ):
> " Return zero or more credentials, plus error or None."
> request.assertType( IRequest )
>
> return Result( type=Tuple( Sequence( ICredential ), str ) )
>
> class IPrincipalIdentifier( Interface ):
>
> def identifyPrincipals( credentials ):
> " Return zero or more principals, plus error or None."
> credentials.assertType( Sequence( ICredential ) )
>
> return Result( type=Tuple( Sequence( IPrincipal ), str ) )
>
> class IAuthenticationChallenge( Interface ):
>
> def challengeAuthentication( request, credentials, principals
> , msg ):
> " Create an authentication challenge."
> request.assertType( IRequest )
> credentials.assertType( Sequence( ICredential ) )
> principals.assertType( Sequence( IPrincipal ) )
> msg.assertType( str )
>
> return Result( type=None )
>
>
>The interaction would then look somethink like:
>
> def getPrincipals( REQUEST ):
>
> all_credentials = []
> for extractor in service.listExtractors():
> credentials, error = extractor( REQUEST )
> if error and service.failAnyCredential();
> raise InvalidCredential, error
> all_credentials.extend( credentials )
>
> all_principals = []
> for identifier in service._principal_identifiers:
> principals, error = identifier( all_credentials )
> if error and service.failAnyIdentifier():
> raise InvalidPrincipal, error
> all_principals.extend( principals )
>
> return all_principals
>
>and a different method, wired up to handle authentication
>exceptions, would call the challengers.
>
>Tres.
>--
>===============================================================
>Tres Seaver tseaver@zope.com
>Zope Corporation "Zope Dealers" http://www.zope.com
>
>
>_______________________________________________
>Zope3-dev mailing list
>Zope3-dev@zope.org
>http://lists.zope.org/mailman/listinfo/zope3-dev