[BlueBream] Authentication of 2 principals

Jeff Rush jeff at taupro.com
Mon Sep 19 06:06:44 EST 2011


On 09/19/2011 05:24 AM, Taras wrote:
> Hi, community.
> For some time now I worked on an API for my site and did not find one
> good feature, that would really help me.
> I want to authenticate *Users* and *Applications*, that use my API.
> Those are 2 different principals and have different permissions and even
> authentication utilities.
> The problem is that I did not find a way to do this in the current
> /policy/. Did I /look bad/ and there is such a feature? I simply want to
> know before rewriting a good piece of code to create it.

How do you distinguish between the two kinds of principals at the web
layer?  Do they visit different URLs?  Do they supply recognizably
different data in the HTTP request header?

If different URL trees, you can use two 'local site manager' objects,
each with their own registered authentication objects.  The one found
first when ascending the URL hierarchy will be used.

You can also easily supply your own AuthenticatedPrincipalFactory, that
peeks into the PrincipalInfo and creates either a principal of kind A or
kind B, depending upon the authenticated principal and URL visited.
Each kind of principal can be given a different permission set, perhaps
even using the 'group' kind of principal, defined in zope.pluggableauth.

If you cannot separate the URL trees for your two kinds of principals,
then just subclass the topmost authentication component in
zope.pluggableauth, add it to overrides.zcml, and have it use collection
A (a pluggableauth folder) or collection B of your authentication
utilities, based on something you can identify in your request object.

-Jeff
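
Added example, not part of Jeff's message and not zope.pluggableauth code: a dependency-free Python model of the last suggestion, where the top-level component picks collection A (users) or B (applications) from the request. The X-Api-Key header, the form field names and every class and function name are assumptions made for illustration.

```python
# Dependency-free model of the dispatch described above; every name is hypothetical.
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    id: str    # namespaced by kind, e.g. "user.alice" or "app.alice"
    kind: str  # "user" or "app"

def secret_plugin(table):
    """Build an authenticator that checks (name, secret) against a table."""
    def authenticate(creds):
        name, secret = creds
        expected = table.get(name)
        # Constant-time comparison; unknown names simply fail.
        if expected is not None and hmac.compare_digest(expected.encode(), secret.encode()):
            return name
        return None
    return authenticate

class DualAuthentication:
    """Chooses collection A (users) or B (applications) from the request."""
    def __init__(self, user_plugins, app_plugins):
        self.collections = {"user": user_plugins, "app": app_plugins}

    def classify(self, request):
        # Assumption: applications send "X-Api-Key: <id>:<key>", users post a login form.
        headers, form = request["headers"], request["form"]
        has_key, has_login = "X-Api-Key" in headers, "login" in form
        if has_key == has_login:  # neither or both: ambiguous, refuse
            return None, None
        if has_key:
            app_id, _, key = headers["X-Api-Key"].partition(":")
            return "app", (app_id, key)
        return "user", (form["login"], form.get("password", ""))

    def authenticate(self, request):
        kind, creds = self.classify(request)
        if kind is None:
            return None
        # Only the selected collection is consulted; no fall-through to the other.
        for plugin in self.collections[kind]:
            name = plugin(creds)
            if name is not None:
                return Principal(id=f"{kind}.{name}", kind=kind)
        return None

# Constructed sample data: the same name exists in both collections on purpose.
AUTH = DualAuthentication([secret_plugin({"alice": "s3cret"})],
                          [secret_plugin({"alice": "k-123"})])
```

Because the principal id carries its kind, a permission granted to "user.alice" never matches the application registered under the same name.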

