How to do form-based authentication?


Felix Schwarz

Mar 12, 2008, 5:24:29 PM
to authori...@googlegroups.com

Is there an example for form-based authentication already? I'd like to build
something like that into my current app. I guess there are several loose
ends. Are there any plans / rough sketches for me to build upon?

--
Felix Schwarz
Dipl.-Informatiker

Gubener Str. 38
10243 Berlin
Germany

www.schwarz.eu - software development and consulting

Kevin Horn

Mar 12, 2008, 5:34:45 PM
to authori...@googlegroups.com
My plan (such as it is) is for there to be two form-based approaches.  I'm calling them "appform" and "authform".

"appform" - gets a form from your application
"authform" - gets a form from authority (specifically from the AuthMethod component)

authform is basically working at the moment, though the form is very ugly...plan is to add the ability for the user to specify a custom form if they want to.  There's an example of this working with the "match" checker in the development.ini of the test app.

haven't really started on appform...hoping to work on it this weekend (and tonight and tomorrow night) during PyCon/sprints

Kevin Horn

Felix Schwarz

Mar 12, 2008, 5:42:40 PM
to authori...@googlegroups.com

Kevin Horn wrote:
> haven't really started on appform...hoping to work on it this weekend
> (and tonight and tomorrow night) during PyCon/sprints

Oh, forgot to mention that I noticed AppForm already but I'm unsure how to
use it - I want to use appform of course as the overall look-n-feel has to
fit in my application. Anyway, if you need a helping hand, drop me a line
(I guess we are in quite different time zones so IRC isn't that helpful,
but still...).

Kevin Horn

Mar 12, 2008, 6:12:25 PM
to authori...@googlegroups.com
I still haven't solidified in my head exactly how the AppForm method should work.  If you have ideas I'd love to see/hear them.

Kevin Horn

Chris McDonough

Mar 12, 2008, 7:42:18 PM
to authori...@googlegroups.com
The strategy I wound up with for form auth is this:

- There is a form-auth "identification" plugin. It
paints the form on the screen when the backend
returns an unauthorized response on "egress"
(it performs a "challenge").

- On ingress, it sniffs for a query string in
the URL signifying that the request body
is meant to be parsed by *it* (as opposed
to any right-hand-side application). If
the query string exists, it decodes the form
data in the request, and yanks out the user
name and password; that becomes the identification
information.

- It *delegates* the rest of the identification
duties (setting headers in the response, mainly)
to some other named identification
plugin (cookie, session, http_basic, etc).
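The three-part strategy Chris describes above (challenge on egress when the backend answers 401, sniff a query-string marker on ingress before touching the request body, delegate "remembering" the identity to another plugin), written out as an added example that is not part of the original thread or of the authority project. It is a self-contained WSGI middleware in Python; the marker name `__do_login`, the form field names `login`/`password`, the cookie name `auth_tkt`, the user store and both secrets are assumptions constructed for the example. The body is only read when the marker is present, so a POST without it passes through untouched to the downstream application, and the cookie delegate signs the identity it remembers so the browser cannot forge it:

```python
import hashlib
import hmac
import io
from urllib.parse import parse_qs

LOGIN_FLAG = "__do_login"          # assumed query-string marker (not the project's name)
COOKIE_SECRET = b"constructed-cookie-secret"  # constructed; a real deployment loads this from config
SALT = b"constructed-salt"         # constructed; real systems use a per-user random salt


def _hash_pw(password: str) -> bytes:
    """Slow hash so a leaked user store does not yield passwords directly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed sample user store: login -> password hash
USERS = {"alice": _hash_pw("correct horse")}


def authenticate(identity):
    """Return the login name if the password checks out, else None."""
    expected = USERS.get(identity["login"])
    candidate = _hash_pw(identity["password"])  # same work for unknown users
    if expected is not None and hmac.compare_digest(expected, candidate):
        return identity["login"]
    return None


class CookieIdentifier:
    """Delegate plugin: remembers an identity as an HMAC-signed cookie."""

    def remember(self, identity):
        user = identity["login"]
        tag = hmac.new(COOKIE_SECRET, user.encode(), "sha256").hexdigest()
        return [("Set-Cookie", f"auth_tkt={user}:{tag}; HttpOnly; Path=/")]


class FormAuthIdentifier:
    """Form identification plugin: ingress sniffing plus egress challenge."""

    def __init__(self, delegate):
        self.delegate = delegate  # plugin that sets the response headers

    def identify(self, environ):
        # Ingress: only parse the body when the marker says it is ours.
        if LOGIN_FLAG not in parse_qs(environ.get("QUERY_STRING", "")):
            return None
        if environ.get("REQUEST_METHOD") != "POST":
            return None
        try:
            length = int(environ.get("CONTENT_LENGTH") or 0)
        except ValueError:
            return None
        fields = parse_qs(environ["wsgi.input"].read(length).decode("utf-8", "replace"))
        login = fields.get("login", [""])[0]
        password = fields.get("password", [""])[0]
        if not login or not password:
            return None
        return {"login": login, "password": password}

    def challenge(self, environ):
        # Egress: paint the form; its action carries the marker so the
        # next POST is routed back to identify() rather than to the app.
        form = (f'<form method="post" action="?{LOGIN_FLAG}=1">'
                '<input name="login"><input name="password" type="password">'
                '<button>Log in</button></form>').encode()
        return "401 Unauthorized", [("Content-Type", "text/html; charset=utf-8")], [form]


class FormAuthMiddleware:
    def __init__(self, app, identifier):
        self.app, self.identifier = app, identifier

    def __call__(self, environ, start_response):
        remember_headers = []
        identity = self.identifier.identify(environ)
        if identity is not None:
            user = authenticate(identity)
            if user is not None:
                environ["REMOTE_USER"] = user
                remember_headers = self.identifier.delegate.remember({"login": user})
        captured = {}

        def capture(status, headers, exc_info=None):
            captured["status"], captured["headers"] = status, list(headers)

        body = b"".join(self.app(environ, capture))
        if captured["status"].startswith("401"):
            status, headers, parts = self.identifier.challenge(environ)
            start_response(status, headers)
            return parts
        start_response(captured["status"], captured["headers"] + remember_headers)
        return [body]


def protected_app(environ, start_response):
    """Constructed right-hand-side application: 401 unless REMOTE_USER is set."""
    user = environ.get("REMOTE_USER")
    if user is None:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"unauthorized"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {user}".encode()]


def run(app, method="GET", query="", body=b""):
    """Drive a WSGI app with a constructed environ; returns (status, headers, body)."""
    environ = {"REQUEST_METHOD": method, "QUERY_STRING": query, "PATH_INFO": "/",
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    out = {}

    def start_response(status, headers, exc_info=None):
        out["status"], out["headers"] = status, headers

    result = b"".join(app(environ, start_response))
    return out["status"], out["headers"], result


APP = FormAuthMiddleware(protected_app, FormAuthIdentifier(CookieIdentifier()))
```

A plain GET gets the form back with a 401; a POST to `?__do_login=1` with the right credentials reaches the application with `REMOTE_USER` set and a signed `auth_tkt` cookie in the response; a wrong password produces the form again with no cookie. A POST without the marker is never decoded by the plugin, which is the whole point of the query-string sniffing in the description above.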
