Hi, rank newbie here, so please be gentle if I'm being stupid.

I was here last week a bit looking into authentication using the pubcookie SSO. I've gotten a working version that allows me to log into the ZMI and I want to verify a few things, mostly if I'm opening any huge security holes that I'm not familiar enough with the system to see. Also I have a few questions about how the plugins for various PAS functions get selected and how to tell which is working at any given time.

Anyway, here's the meat of the process. Pubcookie sets up a situation using an Apache module where requests to protected URLs get forwarded to an auth server where username and password are checked, and a cookie is set containing the username. There is an additional Apache mod called mod_fba (fake basic authentication) which then takes the information returned by the pubcookie server and packages it as if it were a basic authentication, setting the login to the username returned by pubcookie.

I've started messing with this all by using the PASPlugins plugin called apachepas as a base. It seemed a good place to start as the authentication piece is handled by Apache. Apachepas defines two plugins, an ExtractionPlugin and an AuthPlugin.

The extraction plugin as I've rewritten it contains the following method:

    def extractCredentials(self, request):
        """ extract credentials """
        user_id = request.getHeader('REMOTE_USER', None)
        if not user_id:
            return None
        return {'user_id': user_id}

The AuthPlugin as I've rewritten it contains the following method:

    def authenticateCredentials(self, credentials):
        """See IAuthenticationPlugin.
        """
        user_id = credentials.get('login', None)
        if user_id is None:
            return None
        return user_id, user_id

Now, here's my first question. Astute observers may notice that the name for the login name in the credentials used by authenticateCredentials is different than the name set for the login in extractCredentials. This is because when I peeked at the credentials passed in to authenticateCredentials, it appears to be using a different set of credentials than I set. I'm thinking I must be missing a step in there somewhere, but I don't know what it is. Is there some method being called somewhere that takes the {'user_id': user_id} tuple returned by extractCredentials and repackages it into a credentials tuple that looks like this:

    {'extractor': 'credentials_basic_auth',
     'login': 'myname',
     'password': 'password',
     'remote_host': '',
     'remote_address': 'some.address.com'}

Or, is it that my extractCredentials plugin is not being used, despite being the first listed on the 'active' list for extraction plugins?

Second question: if it is possible that the credentials returned might look different depending on which extraction plugin is used, is there a good way for me to code the authenticateCredentials plugin so that it can get the right element as user_id and return it? Where do the stock plugins for PAS live on disk? I'd love to look them over.

Third question: How do plugins get selected for PAS tasks like extraction? Is there a way to force the selection of my tool? Or would that break everything?

Thanks for helping a newbie here. I'm getting up to speed slowly.

Cris

********************************
Cris Ewing
CME and Telehealth Web Services
Department of Radiology Web Services
University of Washington
School of Medicine
Work Phone: (206) 685-9116
Home Phone: (206) 365-3413
E-mail: cewing@u.washington.edu
*******************************
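
One way to code an authenticator so that it only acts on the credentials its own extraction plugin produced, as an added example that is not part of the original post and is not PAS's own code. It is a simplified stand-in for the plugin chain and assumes, as the credentials dict quoted in the post suggests, that each credentials dict carries an 'extractor' key naming the plugin that produced it; the class names, the plugin id 'remote_user_extractor' and the dict-based requests are hypothetical.

```python
# Simplified stand-in for a PAS-style plugin chain; NOT the real PAS code.
# Assumption: the framework tags each credentials dict with an 'extractor'
# key naming the plugin that produced it, as in the dict quoted in the post.

class BasicAuthExtractor:
    """Stand-in for a basic-auth extractor: yields 'login'/'password'."""
    def extractCredentials(self, request):
        if "login" not in request:
            return None
        return {"login": request["login"],
                "password": request.get("password", "")}

class RemoteUserExtractor:
    """The post's extractor: takes the user id set by the front-end server."""
    def extractCredentials(self, request):
        user_id = request.get("REMOTE_USER")
        return {"user_id": user_id} if user_id else None

class RemoteUserAuthenticator:
    """Accepts only credentials produced by the extractor it is paired with."""
    def __init__(self, trusted_extractor):
        self.trusted_extractor = trusted_extractor

    def authenticateCredentials(self, credentials):
        if credentials.get("extractor") != self.trusted_extractor:
            return None  # e.g. basic-auth credentials: password never checked here
        user_id = credentials.get("user_id")
        return (user_id, user_id) if user_id else None

def authenticate(request, extractors, authenticators):
    """Offer each extractor's credentials to every authenticator, in order."""
    for ext_id, extractor in extractors:
        credentials = extractor.extractCredentials(request)
        if not credentials:
            continue
        credentials["extractor"] = ext_id  # tag added by the framework model
        for authenticator in authenticators:
            result = authenticator.authenticateCredentials(credentials)
            if result is not None:
                return result
    return None

# Hypothetical plugin ids; requests in this model are plain dicts (constructed).
EXTRACTORS = [("remote_user_extractor", RemoteUserExtractor()),
              ("credentials_basic_auth", BasicAuthExtractor())]
AUTHENTICATORS = [RemoteUserAuthenticator("remote_user_extractor")]
```

In this model a request that only carries a basic-auth style login and password is not authenticated, because the authenticator never checks a password and so refuses credentials it cannot trace to its own extractor.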