[Zope-dev] Custom Login

Ivan Raikov ivan@faxnet.com
Mon, 24 Sep 2001 13:03:14 -0400


Hello, 

       Recently, I had to replace ZPublisher's default
authentication scheme, as part of a product I'm working on. I am aware
of the existence of LoginManager, exUserFolder, etc., but in this case
I needed to have a custom login screen at root level, i.e. completely
get rid of the basic HTTP authentication and browser popup window.

    So I replaced some of the HTTPRequest and HTTPResponse methods in
order to present the user with an HTML form whenever an 'Unauthorized'
exception is raised.

    While I'm sure such an issue has arisen hundreds of times, somehow
I was unable to find a product or a How-To that specifically addresses
it, which means either I don't know how to browse the Web, or nobody
has bothered to document their knowledge in the area.

    So I went ahead and created a simple Zope product that, upon
installing, makes the necessary changes in HTTPRequest and
HTTPResponse (HotFix style), so that cookie-based, HTML form login
replaces the default one.

    For the curious, the product can be found at
http://www.prism.gatech.edu/~gte085h/zope/CustomLogin/


    With regard to this product, I've been pondering some questions
that I'd like to be answered by knowledgeable people, if
possible:

    1. Is there a product that makes the changes I described,
       and where can I find it?

    2. Does anyone think it's a good idea to provide some kind
       of a standardized API for replacing ZPublisher's
       authentication?

    3. If a user attempts to access a resource, and is denied
       access, my modified HTTPResponse simply redirects to the
       login form, without bothering to record the URL the user
       originally tried to access (which can be a bad or a good
       thing, I suppose). Is there any way for an HTTPResponse
       instance to find out the URL of its HTTPRequest?

    4. Not entirely related to this topic, but I noticed that
       the ChannelPipe class, used for communication between
       ZServer and ZPublisher, serves only one object instance
       at a time. What would be some practical difficulties in
       changing this class to serve multiple HTTPResponse
       instances?

    Finally, after noticing the ongoing discussion about the error
HTML contents produced by ZPublisher upon an exception, I'd like to point
out that it's extremely trivial to replace HTTPResponse._error_html
and provide either custom behavior (e.g. sending email to the
administrator), or custom HTML code, whether loaded from a file or
hardcoded. Is anyone interested in me writing a How-To on this topic?
The product I described above already does that, so it would be
rather easy for me to put together some documentation, provided that
nobody has bothered to write any. Let me know...


       Sincerely,
       Ivan Raikov
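
Question 3 above concerns recording the URL the user originally tried to reach. The following is an added example, not part of the original post or of the CustomLogin product: plain Python (no Zope or ZPublisher API) that carries the original path through the login redirect and validates it on the way back, because anyone can craft a link to the login form with an arbitrary value. `LOGIN_PATH`, the `came_from` parameter name and both function names are assumptions.

```python
from urllib.parse import quote, urlsplit, parse_qs

LOGIN_PATH = "/login_form"   # assumed location of the login form
RETURN_PARAM = "came_from"   # assumed query parameter name


def login_redirect(requested_url):
    """Build the Location value sent when access is denied.

    Only the path and query of the original request are kept, so the
    value carried through the login form is always site-relative.
    """
    parts = urlsplit(requested_url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return "%s?%s=%s" % (LOGIN_PATH, RETURN_PARAM, quote(target, safe=""))


def safe_return_target(login_form_url, default="/"):
    """After a successful login, decide where to send the browser.

    Anything that is not a plain site-relative path falls back to
    `default`, so the login form cannot be used as an open redirector.
    """
    values = parse_qs(urlsplit(login_form_url).query).get(RETURN_PARAM, [])
    if len(values) != 1:
        return default            # missing or duplicated parameter
    target = values[0]
    if not target.startswith("/") or target.startswith("//"):
        return default            # absolute URL, //host form, or junk
    if "\\" in target or any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return default            # backslash quirks, header splitting
    if urlsplit(target).path == LOGIN_PATH:
        return default            # avoid a redirect loop
    return target
```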