[Zope-PTK] LoginManager (was Re: Stability rule-of-thumb (fwd))

Mike Pelletier mike@digicool.com
Sun, 6 Feb 2000 14:54:10 -0500 (EST)


On Sun, 6 Feb 2000, Phillip J. Eby wrote:

> Mike has offered to "sneak in" a patch to the DTML for the local roles
> assignment screen that simply uses a text field for the user name instead
> of a select list, being as the current interface sucks to use even for much
> smaller lists than 3000 users.

    Actually, I offered to champion a change.  Just sneaking it in could
be hazardous to my health.  (Read: You blew my cover!  The gig's
up!  ;-) )

> I expect we'll make an initial release this week.  I've already written
> three LoginMethod classes (Basic Auth, REMOTE_USER, and Basic Cookie), and
> if you like the LoginManager system overall, I imagine you might want to
> create a TokenCookie LoginMethod class using code from GUF.  :)

    Layered LoginMethod classes are pretty exciting.  I think that this
will allow one to implement a two-tier authentication scheme as discussed
in this list last month, and seen on Yahoo.  This just occurred to me, so
I'm not sure if it'll work out but I'll outline the idea below.

    For those just tuning in: with this scheme, you cache the user's
identity but not credentials in browser cookies.  This is sufficient for
them to appear 'logged in' and do most portal tasks, but if the user
attempts to do something more sensitive (like create or edit an object, or
view/change their profile data) it pops up a login window to finish
authenticating the user.

    The last-tried LoginMethod would look for just the identity cookie.
Instead of returning the actual User, it would return something that looks
like the user, but with Anonymous privileges and no sensitive data.  When
the user attempts to do something sensitive,

    That would allow the user to work on the portal with their customization
settings without logging in.  When they try to do something sensitive, a
password prompt pops up, and an earlier LoginMethod will begin returning
their actual User object.

-- 
Mike Pelletier                          email: mike@digicool.com
Mild mannered software developer          icq: 7127228
by day, super villain by night.         phone: 519-884-2434
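The two-tier scheme sketched in the post, as an added illustration that is not part of the original message and does not use Zope's real LoginManager or LoginMethod API: every class, function, the cookie format and the constructed user store here are assumptions. LoginMethods are tried in order, the identity cookie (which carries no credential) yields a restricted shadow user, and a sensitive action raises an exception that stands in for the password prompt.

```python
import hashlib
import hmac

SENSITIVE = {"create", "edit", "view_profile", "change_profile"}
# Constructed user store; a real deployment stores a password hash, not the password.
USERS = {"mike": {"password": "hunter2", "email": "mike@example.invalid"}}
COOKIE_KEY = b"constructed-demo-key"  # server-side secret, never sent to the browser

class RealUser:  # returned only after the password was checked
    def __init__(self, name, record):
        self.name, self.profile, self.roles = name, record, {"Member"}
        self.authenticated = True

class ShadowUser:  # looks like the user, but Anonymous rights and no sensitive data
    def __init__(self, name):
        self.name, self.profile, self.roles = name, None, {"Anonymous"}
        self.authenticated = False

class NeedsLogin(Exception):
    """Raised when a sensitive action needs the password prompt."""

def identity_cookie(name):
    # The cookie carries the identity plus a MAC so it cannot be forged; no credential inside.
    return (name, hmac.new(COOKIE_KEY, name.encode(), hashlib.sha256).hexdigest())

def basic_auth_method(request):
    creds = request.get("basic_auth")
    rec = USERS.get(creds[0]) if creds else None
    if rec and hmac.compare_digest(rec["password"], creds[1]):
        return RealUser(creds[0], rec)
    return None

def identity_cookie_method(request):
    cookie = request.get("identity_cookie")
    if cookie and cookie[0] in USERS and hmac.compare_digest(
            identity_cookie(cookie[0])[1], cookie[1]):
        return ShadowUser(cookie[0])
    return None

# LoginMethods are tried in order; the identity-cookie one comes last.
LOGIN_METHODS = [basic_auth_method, identity_cookie_method]

def validate(request, action):
    # Return the user for this request; raise NeedsLogin when the real User is required.
    user = next((u for u in (m(request) for m in LOGIN_METHODS) if u), None)
    if action in SENSITIVE and not (user and user.authenticated):
        raise NeedsLogin(action)
    return user
```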