This article first appeared in the May 2009 issue of Python Magazine and has been slightly updated. The contents of the article are only applicable to repoze.who 1.0 and repoze.what 1.0, not repoze.who 2 and repoze.what 1.1 which are under development as of this writing.
Have you ever created a Web application? If so, it’s very likely that you have at one time or another faced “the security problem”; whether to create and maintain a homegrown security sub-system, or to learn to use framework-specific security mechanisms (which may not be as flexible as you wish).
Securing Web applications shouldn’t be a problem. This article explores a highly extensible alternative which you can learn once and use in arbitrary applications, regardless of the Web framework used (if any!).
Those still using TurboGears 1 will find a big improvement in the authentication and authorizarion area when they upgrade to version 2: TurboGears 2 ships with an easy-to-use, pluggable, extendable and well-documented authentication and authorization system, powered by repoze.who and tgext.authorization (whose documentation will be available along with TurboGears’ very soon).
Some of the features include:
- You may store your users’ credentials where you want – in a database, an LDAP server, an .htacess file, etc.
- You’ll be able to store your groups and permissions where you like too, but also use as much as group and permission sources as you need. What if your application’s main database already stores your groups and permissions data, but the company’s IT department needs to reuse their Htgroups file in the application? That would be a piece of cake.
- You’ll be able to manage your authorization settings with an API independent of the used source(s) (databases, Ini files, etc). Yes, add/edit/delete groups and/or permissions.
- You’ll be able to grant permissions to anonymous users (hopefully available this week).
- Do the above and more without writing too much code.
Right now there’s only the SQL plugin, so in the mean time you may still only store your groups and permissions in a SQLAlchemy or Elixir managed database, but very soon we’ll have the Ini plugin (to store groups and permissions in *.ini files) and even more.
In the future you’ll also be able to get OpenId authentication with a couple of lines of code (there’s a work in progress) and possibly OAuth authorization too.
And you may give it a try now! You can either try the latest code from the trunk or wait for the first TG2 beta which will hopefully be released in a couple of days.
Some weeks ago I was invited to make repoze.who.plugins.ldap an official repoze.who plugin, which means that:
- The license will change. It will use Repoze’s.
- The development tools will be migrated from Launchpad (bug tracker, repository, etc).
- The LDAP plugin’s documentation will be included into repoze.who’s.
- It will be maintained by Repoze commiters, and I’m one of them.
I’ve not started the migration, but I hope to start in a few days.
repoze.who.plugins.ldap is an straightforward yet powerful solution to enable LDAP authentication in your WSGI application. It enables you to have LDAP authentication working in your new or existing applications, in few minutes and with few lines of code!
It’s a plugin for the repoze.who framework, featuring not only an LDAP authenticator, but also related utilities. It’s a fully documented project which also ships with a working demo application, so it’d be hard for you to get stuck.
I wrote this plugin in order to enable LDAP authentication in Animador. And in fact, it’s the first application that uses the plugin.
The latest version is 1.0, and you’re highly encouraged to play with it and give feedback!
Visit its website for more information!