[albatross-users] login integration challenges again

[Eric S. Johansson]

Matt Goodall explained:

> On Wed, 2003-09-24 at 19:08, Eric S. Johansson wrote:
> If users must *always* be authenticated to use the application, and you
> are not using Albatross in random mode, then the simplest solution is
> probably to set the start page to your login page. Once the user
> authenticates correctly call ctx.set_page() to move to the main
> application page. If the user restarts the browser or the session times
> out the user will be automatically sent back to the login page.

the whole point behind authentication is that the user must be authenticated 
every step of the way no matter how they entered the application.  For that 
reason, I'm coming to appreciate the "login wrapper" model even though it does 
appear to have problems with persistence.  I need to investigate that a little 
further.

> If you only want authentication to happen on first access to a protected
> page then it would probably be best to override one of the Albatross
> methods rather than scatter access control checks throughout your page
> code.
> 
> The two more obvious Albatross methods to override are set_page() and
> page_enter(), I would have to look at the Albatross code to decide which
> one to override. If the user is already authenticated then call the
> parent class's version of the overridden method; if not then redirect()
> or set_page() to your login page, passing enough information to return
> to the current page later.

this makes sense.  To make sure I'm understanding what you are saying correctly, 
I would create a new variation on the albatross classes in which I override one 
of a couple of methods.  In the overrides, I can redirect control if 
authentication fails.

The only challenge with this model is that I'm not sure how to preserve the 
entire context.locals state so that it will be presented next time around just 
like it was the first time except with authentication.

> 
> Hope this helps.

as always, it does.

---eric