[albatross-users] login integration challenges again
Matt Goodall
matt at pollenation.net
Thu Sep 25 05:40:28 EST 2003
On Wed, 2003-09-24 at 20:08, Eric S. Johansson wrote:
> Matt Goodall explained:
>
> > On Wed, 2003-09-24 at 19:08, Eric S. Johansson wrote:
> > If users must *always* be authenticated to use the application, and you
> > are not using Albatross in random mode, then the simplest solution is
> > probably to set the start page to your login page. Once the user
> > authenticates correctly call ctx.set_page() to move to the main
> > application page. If the user restarts the browser or the session times
> > out the user will be automatically sent back to the login page.

By the way, this is basically what the popview example does.

> the whole point behind authentication is that the user must be authenticated
> every step of the way no matter how they entered the application. For that
> reason, I'm coming to appreciate the "login wrapper" model even though it does
> appear to have problems with persistence. I need to investigate that a little
> further.

Keeping authentication code out of pages also helps make sure access
control isn't missed.

I generally use this sort of model and I often also assume no access
unless the authentication code says otherwise, i.e. the login page is
open to the public but everything else is protected.

>
> > If you only want authentication to happen on first access to a protected
> > page then it would probably be best to override one of the Albatross
> > methods rather than scatter access control checks throughout your page
> > code.
> >
> > The two more obvious Albatross methods to override are set_page() and
> > page_enter(), I would have to look at the Albatross code to decide which
> > one to override. If the user is already authenticated then call the
> > parent class's version of the overridden method; if not then redirect()
> > or set_page() to your login page, passing enough information to return
> > to the current page later.
>
> this makes sense. To make sure I'm understanding what you are saying correctly,
> I would create a new variation on the albatross classes in which I override one
> of a couple of methods. In the overrides, I can redirect control if
> authentication fails.

Yes. Note that your application class is already a "variation of the
Albatross classes" as you inherited from the Albatross classes. You
should be able to override a method there.

> The only challenge with this model is that I'm not sure how to preserve the
> entire context.locals state so that it will be presented next time around just
> like it was the first time except with authentication.

Yep, that could be an interesting problem ;-).

Cheers, Matt
--
Matt Goodall, Pollenation Internet Ltd
w: http://www.pollenationinternet.com
e: matt at pollenation.net
t: +44 (0)113 2252500
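
Added example, not part of the original message and not Albatross code: a sketch of the "login wrapper" idea discussed above, with the access check in one overridden set_page() and no access unless the user is authenticated. BaseContext, AuthContext, the page names, the session keys and the verify callback are all assumptions made for illustration; only the method name set_page() comes from the thread.

```python
class BaseContext:
    """Stand-in for a framework context; NOT Albatross's real class or API."""
    def __init__(self):
        self.session = {}   # server-side session state
        self.page = None

    def set_page(self, name):
        self.page = name

# Hypothetical page names. Only PUBLIC_PAGES are reachable without a login.
KNOWN_PAGES = frozenset({"login", "main", "reports", "admin"})
PUBLIC_PAGES = frozenset({"login"})

class AuthContext(BaseContext):
    """Every page change passes through set_page(), so the check lives here."""
    def set_page(self, name):
        if name not in KNOWN_PAGES:
            raise KeyError(name)
        if name in PUBLIC_PAGES or self.session.get("user"):
            return super().set_page(name)
        # Not authenticated: remember the target in the server-side session
        # (not in a client-supplied parameter) and show the login page.
        self.session["return_to"] = name
        return super().set_page("login")

    def login(self, user, password, verify):
        if not verify(user, password):
            self.session.pop("user", None)
            return super().set_page("login")
        target = self.session.get("return_to", "main")
        self.session = {"user": user}   # drop pre-login state
        return self.set_page(target)

    def logout(self):
        self.session = {}
        super().set_page("login")

def demo():
    """Constructed walk-through; returns the page shown after each step."""
    check = lambda u, p: (u, p) == ("alice", "constructed-password")
    ctx, seen = AuthContext(), []
    ctx.set_page("admin")
    seen.append(ctx.page)
    ctx.login("alice", "wrong", check)
    seen.append(ctx.page)
    ctx.login("alice", "constructed-password", check)
    seen.append(ctx.page)
    ctx.logout()
    ctx.set_page("reports")
    seen.append(ctx.page)
    return seen
```

This sketch restores only the requested page name after login; preserving the rest of the page state, the open question at the end of the thread, is not addressed.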