[Zope-CMF] CMF Authentication process

Shane Hathaway shane@zope.com
Thu, 16 May 2002 10:16:28 -0400


Kevin Carlson wrote:
> Where does user authentication actually happen within CMF?  It looks as if
> after the user completes the login_form and posts to logged_in that the user
> is somehow magically authenticated.  I can find no calls to the
> User.authenticate method anywhere...
> 
> The logged_in form calls "portal_skins.updateSkinCookie()" and
> "setupCurrentSkin" in the first few lines of its code, and reading the
> source for these functions I cannot find a place where it is doing the
> authentication of the user.  It appears that there is a call to
> getAuthenticatedUser before there was ever a chance to authenticate!  I know
> I'm wrong about this because the CMF is doing user authentication -- I just
> can't figure out where it's happening.
> 
> Can anyone explain or point me to some doc on this?

On traversal through the folder that contains the cookie_authentication 
object, a hook calls the cookie_authentication object, which sees the 
request contains the form variables "__ac_name" and "__ac_password" (or 
whatever names you specify).  It encodes those variables to produce the 
"__ac" cookie, at the same time changing the request in such a way that 
user folders will think basic authentication was used.  So then the 
normal Zope authentication process happens.  When the response is 
generated, it asks the browser to set "__ac", which the 
cookie_authentication object detects on subsequent requests.

Make sense?

Shane
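The flow described above, as an added Python sketch that is not CMF's own code: a traversal hook models the cookie_authentication object, rewriting the request so a user folder that only understands Basic auth can validate it, and setting the "__ac" cookie that later requests carry back. The request/response dicts, the user table and the base64 "name:password" encoding are assumptions for this sketch, not details taken from the page.

```python
import base64
from urllib.parse import quote, unquote

# Constructed user table; the mini user folder below validates only Basic auth.
USERS = {"kevin": "s3cret"}

def cookie_authentication(request, response,
                          name_field="__ac_name", pw_field="__ac_password",
                          cookie_name="__ac"):
    """Traversal hook: turn login-form fields (or an existing __ac cookie)
    into the Authorization header a Basic-auth user folder expects.
    Returns True when it rewrote the request."""
    form, cookies = request["form"], request["cookies"]
    if name_field in form and pw_field in form:
        # First request: form fields present, so build the cookie value.
        # base64 of "name:password" is an assumed encoding; it is reversible,
        # so the cookie carries the credentials themselves, not a session id.
        ac = base64.b64encode(f"{form[name_field]}:{form[pw_field]}".encode()).decode()
        response["set_cookie"] = (cookie_name, quote(ac))  # browser stores __ac
    elif cookie_name in cookies:
        # Later request: the browser sent __ac back, reuse it.
        ac = unquote(cookies[cookie_name])
    else:
        return False
    # Make the user folder think Basic authentication was used.
    request["headers"]["Authorization"] = "Basic " + ac
    return True

def user_folder_validate(request):
    """Mini user folder: accepts only Basic credentials, as on the page."""
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        name, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except Exception:
        return None
    return name if USERS.get(name) == pw else None

def login_flow(name, password):
    """Walk the login request and a follow-up request that carries the cookie.
    Returns (user seen at login, user seen on the follow-up)."""
    req1 = {"form": {"__ac_name": name, "__ac_password": password},
            "cookies": {}, "headers": {}}
    resp1 = {}
    cookie_authentication(req1, resp1)
    first = user_folder_validate(req1)
    # The cookie is set whether or not the user folder accepts the credentials;
    # validation is the user folder's job, not the hook's.
    cookies = dict([resp1["set_cookie"]]) if "set_cookie" in resp1 else {}
    req2 = {"form": {}, "cookies": cookies, "headers": {}}
    cookie_authentication(req2, {})
    return first, user_folder_validate(req2)
```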