[Zope3-Users] changing behaviour of PAU SessionCredentialsPlugin

Stephan Richter srichter at cosmos.phy.tufts.edu
Mon Jan 8 03:04:34 EST 2007


On Thursday 16 November 2006 12:05, Dominique Lederer wrote:
> > i would like to change the behaviour of extractCredentials in the
> > SessionCredentialsPlugin of the PAU.
> >
> > i´m still fighting a bit with the framework:
> >
> > would i use an adapter for this, or subclassing?
> > or would i use the override directive somehow?
>
> hi, made it by subclassing, just feels good to me at the moment.

Yes, that's what I would have done.

> but there is another question:
>
> i´m building a mysql authentification, which should not look up users
> (in the mysql database) on every request. to do this i write
> authenticated users PrincipalInfo to a browserid Session. so the user
> gets authenticated by principalinfo in the session and sometimes (on
> login for sure, and when an custom timestamp expires) by lookup in the
> external usertable.
>
> this works, but i had to write all the code in the Credentialsplugin, to
> have access to the request object, which i need for adapting with
> ISession. My authenticator just passes the principalinfo through.
>
> is there any way to get the request object to be accessable in an PAU
> AuthenticatorPlugin?
>
> any other comments on my approach?

I think this might be a potential security flaw too, since the user can still 
login after his permission has been denied in the RDB. Anyways, instead of 
the session I would probably use a RAMCache and write a Credentialsplugin 
that knows how to use that cache. This way you do not need the request 
around, which seems wrong.

Regards,
Stephan
-- 
Stephan Richter
CBU Physics & Chemistry (B.S.) / Tufts Physics (Ph.D. student)
Web2k - Web Software Design, Development and Training


More information about the Zope3-users mailing list