[Zope-CMF] CMF Authentication process
Shane Hathaway
shane@zope.com
Thu, 16 May 2002 10:16:28 -0400
Kevin Carlson wrote:
> Where does user authentication actually happen within CMF? It looks as if
> after the user completes the login_form and posts to logged_in that the user
> is somehow magically authenticated. I can find no calls to the
> User.authenticate method anywhere...
>
> The logged_in form calls "portal_skins.updateSkinCookie()" and
> "setupCurrentSkin" in the first few lines of its code, and reading the
> source for these functions I cannot find a place where it is doing the
> authentication of the user. It appears that there is a call to
> getAuthenticatedUser before there was ever a chance to authenticate! I know
> I'm wrong about this because the CMF is doing user authentication -- I just
> can't figure out where it's happening.
>
> Can anyone explain or point me to some doc on this?

On traversal through the folder that contains the cookie_authentication
object, a hook calls the cookie_authentication object, which sees the
request contains the form variables "__ac_name" and "__ac_password" (or
whatever names you specify). It encodes those variables to produce the
"__ac" cookie, at the same time changing the request in such a way that
user folders will think basic authentication was used. So then the
normal Zope authentication process happens. When the response is
generated, it asks the browser to set "__ac", which the
cookie_authentication object detects on subsequent requests.

Make sense?
Shane
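
Added example, not part of the original message and not CMF's own code: a minimal Python model of the flow described in the reply above, in which a traversal hook rewrites the request and an ordinary Basic-auth check then runs. The `Request` class, the function names, the sample user table, and the Base64 `name:password` encoding (the form HTTP Basic authentication uses) are assumptions for illustration.

```python
import base64
import hmac
from urllib.parse import quote, unquote

NAME_VAR, PW_VAR, AUTH_COOKIE = "__ac_name", "__ac_password", "__ac"

class Request:
    """Hypothetical stand-in for a Zope request/response pair."""
    def __init__(self, form=None, cookies=None):
        self.form = dict(form or {})
        self.cookies = dict(cookies or {})
        self.auth = None        # what a user folder reads as the Authorization header
        self.set_cookies = {}   # cookies the response asks the browser to set

def traversal_hook(req):
    """Model of the hook: map login form fields or the cookie to Basic auth."""
    if req.auth is not None:
        return "already_authenticated"   # genuine Basic auth present, leave it
    if NAME_VAR in req.form and PW_VAR in req.form:
        pair = f"{req.form[NAME_VAR]}:{req.form[PW_VAR]}"
        token = base64.b64encode(pair.encode()).decode()   # assumed encoding
        req.auth = "Basic " + token
        req.set_cookies[AUTH_COOKIE] = quote(token)        # sent back as "__ac"
        return "login"
    if AUTH_COOKIE in req.cookies:
        req.auth = "Basic " + unquote(req.cookies[AUTH_COOKIE])
        return "resume"
    return "anonymous"

def user_folder_validate(req, users):
    """Model of the normal Basic-auth check that runs after the hook."""
    if not req.auth or not req.auth.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(req.auth[6:], validate=True).decode()
    except ValueError:          # malformed cookie value: treat as anonymous
        return None
    name, _, pw = raw.partition(":")
    expected = users.get(name)
    if expected is not None and hmac.compare_digest(expected.encode(), pw.encode()):
        return name
    return None

if __name__ == "__main__":
    users = {"kevin": "s3cret"}                      # constructed sample data
    first = Request(form={NAME_VAR: "kevin", PW_VAR: "s3cret"})
    print(traversal_hook(first), user_folder_validate(first, users))
    later = Request(cookies={AUTH_COOKIE: first.set_cookies[AUTH_COOKIE]})
    print(traversal_hook(later), user_folder_validate(later, users))
```

Under that encoding assumption the `__ac` value is reversible to the password, so it needs the same transport protection as Basic authentication itself.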