[Grok-dev] LoginDemo and PlainLoginDemo and BabyLoginDemo

Wed Jan 16 04:32:52 EST 2008

Luciano, thanks for attempting to tackle the demonstration of  
authentication in Grok!

This is something that is still very hard to understand, especially if  
you are still new to a lot of Zope 3 concepts. The PAU implementation  
in Zope 3 was one of the first things that I learned in Zope 3 and it  
was fairly brain-hurtingly perplexing as an introduction to Zope 3  
authentication. As others have suggested, having something like a  
megrok.defaultauth that configures a sensible PAU would be a practical  
package for making it easier to add authentication to a Grok app, but  
I don't think it would make a very good demo application, as  
understanding how it works would require digging into the PAU  
interfaces and implementation.

I've started working on another version of your LoginDemo called  
BabyLoginDemo tonight:

http://svn.zope.org/Sandbox/kteague/BabyLoginDemo/

The key to making an easy to learn authentication app I believe is  
that when you registar a local utility that provides IAuthentication,  
you only need to implement the IAuthentication interface. Also while  
you get a significant amount of complexity from PAU, since your login  
app does things like provide a count and sorted list of members based  
on specific configuration details for a PAU, this code wouldn't allow  
you to get any of the benefits of this complexity. i.e. when you do:

     def members(self):
         pau = getUtility(IAuthentication)
         principals = pau['principals']

You are relying on implementation details that are not part of the  
IAuthentication interface that you are asking for. If you added a LDAP  
authentication plug-in later on with something like:

     pau['ldap_principals'] =  
ldappas.authentication.LDAPAuthentication()
     pau['principals'] = PrincipalFolder()
     pau.authenticatorPlugins = ('principals','ldap_principals',)

Then code such as this would not work:

      def members(self):
         pau = getUtility(IAuthentication)
         principals = pau['principals']
         roster = []
         for id in sorted(principals.keys()):

Since you wouldn't be displaying any of the LDAP authenticated  
principals (which might be a good thing if your LDAP directory was  
very large ...)

In BabyLoginDemo I created a MemberAuthentication class that wraps up  
a cookie credential implementation and a reliance on a app['members']  
container to provide Member objects that also implement the required  
IPrincipal interface. Although you can join and login to BabyLoginDemo  
right now it's not finished you can't logout and member listing  
doesn't work yet ...

Another package that might be interesting to create would be a PAU  
authenticator plugin that allowed you to configure it to treat any  
arbitrary grok.Container as an authentication source.