[albatross-users] login integration challenges again

Matt Goodall matt at pollenation.net
Thu Sep 25 05:40:28 EST 2003


On Wed, 2003-09-24 at 20:08, Eric S. Johansson wrote:
> Matt Goodall explained:
> 
> > On Wed, 2003-09-24 at 19:08, Eric S. Johansson wrote:
> > If users must *always* be authenticated to use the application, and you
> > are not using Albatross in random mode, then the simplest solution is
> > probably to set the start page to your login page. Once the user
> > authenticates correctly call ctx.set_page() to move to the main
> > application page. If the user restarts the browser or the session times
> > out the user will be automatically sent back to the login page.

By the way, this is basically what the popview example does.

> the whole point behind authentication is that the user must be authenticated 
> every step of the way no matter how they entered the application.  For that 
> reason, I'm coming to appreciate the "login wrapper" model even though it does 
> appear to have problems with persistence.  I need to investigate that a little 
> further.

Keeping authentication code out of pages also helps make sure access
control isn't missed.

I generally use this sort of model and I often also assume no access
unless the authentication code says otherwise, i.e. the login page is
open to the public but everything else is protected.

> 
> > If you only want authentication to happen on first access to a protected
> > page then it would probably be best to override one of the Albatross
> > methods rather than scatter access control checks throughout your page
> > code.
> > 
> > The two more obvious Albatross methods to override are set_page() and
> > page_enter(), I would have to look at the Albatross code to decide which
> > one to override. If the user is already authenticated then call the
> > parent class's version of the overridden method; if not then redirect()
> > or set_page() to your login page, passing enough information to return
> > to the current page later.
> 
> this makes sense.  To make sure I'm understanding what you are saying correctly, 
> I would create a new variation on the albatross classes in which I override one 
> of a couple of methods.  In the overrides, I can redirect control if 
> authentication fails.

Yes. Note that your application class is already a "variation of the
Albatross classes" as you inherited from the Albatross classes. You
should be able to override a method there.

> The only challenge with this model is that I'm not sure how to preserve the 
> entire context.locals state so that it will be presented next time around just 
> like it was the first time except with authentication.

Yep, that could be an interesting problem ;-).

Cheers, Matt

-- 
Matt Goodall, Pollenation Internet Ltd
w: http://www.pollenationinternet.com
e: matt at pollenation.net
t: +44 (0)113 2252500
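
The default-deny override discussed in this message, as an added sketch that is not part of the original post and is not Albatross code. Ctx, MiniApp and AuthApp are hypothetical stand-ins for a session context and an application class whose set_page() is overridden; only the requested page name is remembered, not the full context.locals state.

```python
class Ctx:
    """Stand-in for a per-session context (hypothetical)."""
    def __init__(self):
        self.user = None        # set only after a successful login
        self.page = None        # page currently selected for display
        self.return_to = None   # page the user asked for before login


class MiniApp:
    """Stand-in base application: every page change goes through set_page()."""
    pages = {"login", "main", "reports"}

    def set_page(self, ctx, name):
        if name not in self.pages:
            raise KeyError(name)
        ctx.page = name
        return ctx.page


class AuthApp(MiniApp):
    """Default deny: only pages listed in public_pages skip the check."""
    public_pages = {"login"}

    def set_page(self, ctx, name):
        if name not in self.pages:
            raise KeyError(name)          # never remember an unknown target
        if name in self.public_pages or ctx.user is not None:
            return super().set_page(ctx, name)
        ctx.return_to = name              # enough state to come back later
        return super().set_page(ctx, "login")

    def login(self, ctx, user, password, check):
        """check is a caller-supplied credential verifier (assumption)."""
        if not check(user, password):
            return super().set_page(ctx, "login")
        ctx.user = user
        target, ctx.return_to = ctx.return_to or "main", None
        return self.set_page(ctx, target)


def demo():
    """Constructed walk-through: page shown after each step."""
    app, ctx = AuthApp(), Ctx()
    ok = lambda u, p: (u, p) == ("alice", "constructed-password")
    shown = [app.set_page(ctx, "reports"),                 # not logged in
             app.login(ctx, "alice", "wrong", ok),
             app.login(ctx, "alice", "constructed-password", ok)]
    ctx.user = None                                        # session timed out
    return shown + [app.set_page(ctx, "main")]
```

Because the check lives in the one method every page change passes through, a page added to pages later is protected unless it is explicitly listed in public_pages.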



