I got a subscription renewal invoice from Element K Journals in the mail today for Inside Microsoft Windows Server Security, Windows Security Online Answers On-Demand Service, and Microsoft Windows Server Security Discussion Forum.
OK. Now I get it. The whole Bundles thing doesn’t have really good usability, but it certainly is powerful.
I’m also doing a fair bit of Python development these days. TextWrangler just doesn’t handle expanding tabs into spaces correctly, and because indentation is significant in Python, this can be a huge problem.
I just committed the code for the TurboGears identity management support (revision 89). And because this is such new code, I thought it might be helpful to include a short How To for getting everything up and running.
This How To is written from the perspective of a fresh quick-started project, but most everything applies for existing projects.
Read Identity Management for TurboGears »
I’ve been working on an authentication system for TurboGears and my forthcoming Content Management System.
I really wanted to support a REST interface to the admin console. For example:
GET /admin/user/jeff HTTP/1.1
Accept: text/javascript
Should return a JSON formatted object containing my user record. That actually works great.
Authentication baked into the framework
All the frameworks I’ve looked at have poor authentication support. Some don’t have an authentication framework at all. Some support HTTP Basic Auth or HTTP Digest Auth. Others support form-based login without HTTP auth.
Using form-based authentication is preferred for Web applications because you have complete control over the user experience. You can change the appearance of the login form; you can change the number and type of input fields; you can do anything.
HTTP Authentication has the advantage of simplicity. You can use HTTP auth to secure a folder on your Web server with only a few configuration parameters. You also have a surprising amount of flexibility with HTTP auth: your user records can be stored in a DB or in LDAP or in a flat file.
Authentication in an Ajax world
I’ve been working with TurboGears lately to build out the server side of the CMS. One of TurboGears’ hallmark features is the ability to seamlessly return either XHTML or JavaScript objects in JSON format. That’s huge if you’re working with Ajax like I am. When you combine the JSON data with my DHTML Bindings Framework, you’ve got a really powerful toolset.
Ajax demands greater flexibility from authentication frameworks.
If you’re using Ajax with form-based authentication, what do you do if the user’s session expires and you need to redirect him to a login screen? I suppose you could send the HTML for the login screen back instead of JSON formatted objects, but your client-side code would have to be very smart.
Ideally, when building an Ajax application, you would respond with an HTML form for authentication when the browser requests an HTML page and an HTTP authentication error code when the browser uses an XMLHttpRequest to fetch a resource.
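The behaviour described above, put into plain Python as an added example: the JSON answer for the `GET /admin/user/jeff` request with `Accept: text/javascript` shown earlier, and, when the caller is not logged in, a login form for an HTML request versus an HTTP authentication error for an XMLHttpRequest. This is not code from the post or from TurboGears; the request dict, the `(status, headers, body)` response tuple, the in-memory `USERS` and `SESSIONS` tables, the `session` cookie name and the handler names are all assumptions constructed for illustration.

```python
import json
import time

# Constructed sample data: stands in for the DB/LDAP/flat-file user store
# and the server-side session table. None of this comes from the post.
USERS = {
    "jeff": {"name": "jeff", "role": "admin"},
    "guest": {"name": "guest", "role": "reader"},
}
SESSIONS = {  # cookie value -> (user name, expiry as epoch seconds)
    "sess-jeff-1234": ("jeff", 2_000_000_000),  # valid far into the future
    "sess-jeff-old": ("jeff", 1_000_000_000),   # already expired
    "sess-guest-1": ("guest", 2_000_000_000),
}
LOGIN_FORM = '<form method="post" action="/login">...</form>'  # placeholder markup


def wants_json(headers):
    """True when the client asked for a JSON representation (the Accept header
    from the post) or identifies itself as an XMLHttpRequest."""
    accept = headers.get("Accept", "")
    return (
        "text/javascript" in accept
        or "application/json" in accept
        or headers.get("X-Requested-With") == "XMLHttpRequest"
    )


def current_user(headers, now=None):
    """Resolve the caller from the 'session' cookie; None if the cookie is
    missing, unknown or expired (the expired-session case the post raises)."""
    now = time.time() if now is None else now
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session" and value in SESSIONS:
            user, expires_at = SESSIONS[value]
            if now < expires_at:
                return USERS.get(user)
    return None


def authentication_required(headers):
    """The post's rule for a missing or expired login: an HTML client gets the
    login form, an Ajax/JSON client gets an HTTP authentication error it can
    detect from the status code instead of having to recognise HTML."""
    if wants_json(headers):
        return (401,
                {"WWW-Authenticate": 'Basic realm="admin"',
                 "Content-Type": "application/json"},
                json.dumps({"error": "authentication required"}))
    return (200, {"Content-Type": "text/html"}, LOGIN_FORM)


def admin_user(request, now=None):
    """Handler for GET /admin/user/<name>: requires an authenticated admin and
    returns the record as JSON or HTML according to the Accept header."""
    headers = request["headers"]
    user = current_user(headers, now)
    if user is None:
        return authentication_required(headers)
    if user["role"] != "admin":
        # Logged in but not allowed: a 403, not another login prompt.
        return (403, {"Content-Type": "text/plain"}, "forbidden")
    name = request["path"].rsplit("/", 1)[-1]
    record = USERS.get(name)
    if record is None:
        return (404, {"Content-Type": "text/plain"}, "no such user")
    if wants_json(headers):
        return (200, {"Content-Type": "text/javascript"}, json.dumps(record))
    return (200, {"Content-Type": "text/html"},
            "<dl><dt>name</dt><dd>%s</dd><dt>role</dt><dd>%s</dd></dl>"
            % (record["name"], record["role"]))


if __name__ == "__main__":
    req = {"method": "GET", "path": "/admin/user/jeff",
           "headers": {"Accept": "text/javascript",
                       "Cookie": "session=sess-jeff-1234"}}
    print(admin_user(req))
```

The split between `current_user` and the `role` check matters: an expired session and a logged-in user without admin rights are different failures, and only the first should produce a login prompt; the second gets a 403 so that neither an HTML nor an Ajax client loops back to the login form.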
It’s no secret that I’m not a fan of any of the big free (or reasonably free, like MovableType) content management systems. They all lack something. Possibly, what they really lack is the key ingredient that 37signals has added to all of their products: simplicity.
I’m going to build my own content management system. I’ll join the horde of open source (I suspect) CMSs. But I hope to be different. However, I’m not going to give away my secrets now.
Now I want to talk about authentication for Web applications.
Read An Authentication Framework »