| 12 | | @TODO |
|---|
| | 25 | It's a WSGI middleware which is able to authenticate the user through the |
|---|
| | 26 | method you want (e.g., LDAP or HTTP authentication), "remember" the user in |
|---|
| | 27 | future requests and log the user out. |
|---|
| | 28 | |
|---|
| | 29 | You can customize the interaction with the user through four kinds of |
|---|
| | 30 | `plugins`, sorted by the order in which they are run on each request: |
|---|
| | 31 | |
|---|
| | 32 | * An ``identifier plugin``, with no action required on the user's side, is able |
|---|
| | 33 | to tell whether it's possible to authenticate the user (e.g., if it finds |
|---|
| | 34 | HTTP Authentication headers in the HTTP request). If so, it will extract the |
|---|
| | 35 | data required for the authentication (e.g., username and password, or a |
|---|
| | 36 | session cookie). There may be many identifiers and :mod:`repoze.who` will run |
|---|
| | 37 | each of them until one finds the required data to authenticate the user. |
|---|
| | 38 | * If at least one of the identifiers could find data necessary to authenticate |
|---|
| | 39 | the current user, then an ``authenticator plugin`` will try to use the |
|---|
| | 40 | extracted data to authenticate the user. There may be many authenticators |
|---|
| | 41 | and :mod:`repoze.who` will run each of them until one authenticates the user. |
|---|
| | 42 | * When the user tries to access a protected area or the login page, a |
|---|
| | 43 | ``challenger plugin`` will come up to request an action from the user (e.g., |
|---|
| | 44 | enter a user name and password and then submit the form). The user's response |
|---|
| | 45 | will start another request on the application, which should be caught by |
|---|
| | 46 | an `identifier` to extract the login data and then such data will be used |
|---|
| | 47 | by the `authenticator`. |
|---|
| | 48 | * For authenticated users, :mod:`repoze.who` provides the ability to load |
|---|
| | 49 | related data (e.g., real name, email) in the WSGI environment so that it can |
|---|
| | 50 | be easily used in the application. Such a functionality is provided by |
|---|
| | 51 | so-called ``metadata provider plugins``. There may be many metadata providers |
|---|
| | 52 | and :mod:`repoze.who` will run them all. |
|---|
| | 53 | |
|---|
| | 54 | When :mod:`repoze.who` needs to store data about the authenticated user in the |
|---|
| | 55 | WSGI environment, it uses its ``repoze.who.identity`` key, which can be |
|---|
| | 56 | accessed using the code below:: |
|---|
| | 57 | |
|---|
| | 58 | from tg import request |
|---|
| | 59 | |
|---|
| | 60 | # The authenticated user's data kept by repoze.who: |
|---|
| | 61 | identity = request.environ.get('repoze.who.identity') |
|---|
| | 62 | |
|---|
| | 63 | Such a value is a dictionary and is often called "the identity dict". It will |
|---|
| | 64 | only be defined if the current user has been authenticated. |
|---|
| | 65 | |
|---|
| | 66 | The username will be available in ``identity['repoze.who.userid']``. |
|---|
| | 72 | TurboGears itself doesn't deal directly with :mod:`repoze.who`. It's configured |
|---|
| | 73 | through :mod:`repoze.what` because it has to configure :mod:`repoze.who` in a |
|---|
| | 74 | special way so that authorization can work. |
|---|
| | 75 | |
|---|
| | 76 | You don't have to use :mod:`repoze.who` directly, unless you decide not to use |
|---|
| | 77 | it the way TurboGears configures it, except if you need to access data stored |
|---|
| | 78 | in the `identity` dict which was explained above. |
|---|
| | 79 | |
|---|
| | 80 | |
|---|
| | 81 | Advanced topics |
|---|
| | 82 | =============== |
|---|
| | 83 | |
|---|
| | 84 | If you're looking for different authentication methods, you may want to visit |
|---|
| | 85 | `the repoze.who website <http://static.repoze.org/whodocs/>`_ to check if the |
|---|
| | 86 | plugin you're looking for is already available or how to create your own plugins. |
|---|
| | 87 | Then you should also check `the repoze.what manual |
|---|
| | 88 | <http://static.repoze.org/whatdocs/>`_ to learn how to setup the new settings. |
|---|
