  Authentication and Authorization with `repoze.who`
Added by Mart Roosmaa, last edited by Mike Orr on Nov 24, 2008

Overview

``repoze.who`` is an identification and authentication framework
for arbitrary WSGI applications. It acts as WSGI middleware.

``repoze.who`` is inspired by Zope 2's Pluggable Authentication
Service (PAS), but it does not depend on Zope in any way; it is
useful for any WSGI application. It provides no facility for
authorization (deciding whether a user may perform the operation
implied by the request). This is considered to be the domain of
the WSGI application.

It attempts to reuse implementations from ``paste.auth`` for some
of its functionality.

This page shows how to use repoze.who with your Pylons project.

Another tutorial on repoze.who with Pylons is at http://truefalsemaybe.com/2008/06/authorization-in-pylons-with-repozewho-part-1-htaccess/

Getting `repoze.who`

`repoze.who`, like most Python packages, can be installed via easy_install. To do that, run the following command:

easy_install -i http://dist.repoze.org/who/latest/simple repoze.who

The official release notes can be found on the Repoze Blog.

Adding `repoze.who` to your Pylons project

Useful Information

From here on, the following constants are used when referring to files:

  • PRJ - the name of your project.
  • ROOT - the root directory of your project (has development.ini, test.ini, etc).

Open up ROOT/development.ini and append the following lines to the [app:main] section:

who.config_file = %(here)s/who.ini
who.log_level = debug
who.log_file = stdout

Now, open ROOT/PRJ/config/middleware.py.
Add the following line to the top of the file:

from repoze.who.config import make_middleware_with_config as make_who_with_config

After the comment "CUSTOM MIDDLEWARE HERE" add the following line:

app = make_who_with_config(app, global_conf, app_conf['who.config_file'], app_conf['who.log_file'], app_conf['who.log_level'])

That's it. You now have `repoze.who` integrated into your project.

Setting up `repoze.who`

Create the file ROOT/who.ini.
This file will host your `repoze.who` configuration. You can see the example configuration provided in the `repoze.who` release notes.

As an additional example the following can be used:

ROOT/who.ini

[plugin:form]
use = repoze.who.plugins.form:make_redirecting_plugin
login_form_url = /account/login
login_handler_path = /account/dologin
logout_handler_path = /account/logout
rememberer_name = auth_tkt

[plugin:auth_tkt]
use = repoze.who.plugins.auth_tkt:make_plugin
secret = [INSERT SECRET HERE]

[general]
request_classifier = repoze.who.classifiers:default_request_classifier
challenge_decider = repoze.who.classifiers:default_challenge_decider

[identifiers]
plugins =
    form;browser
    auth_tkt

[authenticators]
plugins =
    PRJ.lib.auth.repoze:UserModelPlugin

[challengers]
plugins =
    form;browser

[mdproviders]
plugins =
    PRJ.lib.auth.repoze:UserModelPlugin

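The example above uses a custom form for logging in, so the redirecting form plugin is used.
It also uses a custom class that checks the submitted credentials against the database.
Replace the `[INSERT SECRET HERE]` placeholder with a long random value: the auth_tkt plugin uses it to sign the login cookie.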

Example of a custom `repoze.who` plugin

The previous configuration used a UserModelPlugin to verify the users against a database and retrieve information about the user from the database.

ROOT/PRJ/lib/auth/repoze.py

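from PRJ.model.user import User

class UserModelPlugin(object):
    """Authenticator and metadata provider backed by the User model."""

    def authenticate(self, environ, identity):
        # Only handle identities that carry form credentials.
        try:
            username = identity['login']
            password = identity['password']
        except KeyError:
            return None

        # repoze.who expects the user id (or None) here, not a boolean.
        # This assumes User.authenticate returns a true value on success.
        if User.authenticate(username, password):
            return username
        return None

    def add_metadata(self, environ, identity):
        # Attach the User object so the application can read it from the identity.
        username = identity.get('repoze.who.userid')
        user = User.get(username)

        if user is not None:
            identity['user'] = user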
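
The page does not show `PRJ.model.user.User`. The following is an added example (not code from the original page or from `repoze.who`) of one way `User.authenticate` and `User.get` could back the plugin: salted PBKDF2 hashes, a constant-time comparison, and the same hashing work for unknown usernames. The in-memory store, the iteration count and the attribute names are assumptions; it is written for Python 3.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor, tune for your hardware


def _hash(password, salt):
    return hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, ITERATIONS)


class User(object):
    """Constructed in-memory stand-in for PRJ.model.user.User."""
    _store = {}
    _dummy_salt = os.urandom(16)               # used when the username is unknown,
    _dummy_hash = _hash('dummy', _dummy_salt)  # so both paths cost one hash

    def __init__(self, username, password):
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)
        User._store[username] = self

    @classmethod
    def get(cls, username):
        return cls._store.get(username)

    @classmethod
    def authenticate(cls, username, password):
        user = cls.get(username)
        salt = user.salt if user else cls._dummy_salt
        expected = user.pw_hash if user else cls._dummy_hash
        ok = hmac.compare_digest(_hash(password, salt), expected)
        return user is not None and ok


class UserModelPlugin(object):
    def authenticate(self, environ, identity):
        try:
            username, password = identity['login'], identity['password']
        except KeyError:
            return None
        # repoze.who stores this return value as identity['repoze.who.userid'].
        return username if User.authenticate(username, password) else None

    def add_metadata(self, environ, identity):
        user = User.get(identity.get('repoze.who.userid'))
        if user is not None:
            identity['user'] = user
```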

Using `repoze.who` in your code (by example)

Example #1

...

# Get the `repoze.who` identity object. (Only available if a user is logged in.)
identity = environ.get('repoze.who.identity')

if identity is not None:
    # Get some data associated with the user (e.g. the user object that was assigned in UserModelPlugin).
    user = identity.get('user')

...

Example #2

...

if notAuthenticated:
    abort(401, 'You are not authenticated')

if isForbidden:
    abort(403, 'You don\'t have rights to access this page')

...
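
Examples #1 and #2 combined into one authorization check, as an added example that is not part of the original page: a WSGI wrapper that answers 401 when no user is attached to the identity and 403 when the user lacks a role. The `roles` attribute, `SampleUser` and `admin_page` are hypothetical, and `challenge_decider` is a stand-in that applies the same rule as the default challenge decider named in who.ini (a response status starting with `401 ` triggers the challenger).

```python
def challenge_decider(environ, status, headers):
    # Stand-in using the same rule as repoze.who's default challenge decider.
    return status.startswith('401 ')


def require_role(role):
    """Wrap a WSGI app: 401 when nobody is logged in, 403 when the role is missing."""
    def decorator(app):
        def wrapped(environ, start_response):
            identity = environ.get('repoze.who.identity') or {}
            user = identity.get('user')
            if user is None:
                # No identity at all, or add_metadata found no matching user.
                return deny(start_response, '401 Unauthorized')
            if role not in getattr(user, 'roles', ()):  # hypothetical attribute
                return deny(start_response, '403 Forbidden')
            return app(environ, start_response)
        return wrapped
    return decorator


def deny(start_response, status):
    start_response(status, [('Content-Type', 'text/plain')])
    return [status.encode('ascii')]


class SampleUser(object):  # constructed stand-in for the object set by add_metadata
    def __init__(self, roles):
        self.roles = roles


@require_role('admin')
def admin_page(environ, start_response):
    start_response('200 OK', [('Content-Type', 'text/plain')])
    return [b'admin area']


def status_for(environ):
    """Run admin_page and return (status, whether a challenge would be issued)."""
    seen = {}
    def start_response(status, headers):
        seen['status'], seen['headers'] = status, headers
    admin_page(environ, start_response)
    return seen['status'], challenge_decider(environ, seen['status'], seen['headers'])
```

With the who.ini above, only the 401 responses lead to a redirect to the login form; the 403 goes to the browser unchanged.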
