On Wed, 30 Mar 2011 09:15:59 -0500, "Jennings, Jared L CTR USAF AFMC 46 SK/CCI" jared.jennings.ctr@eglin.af.mil wrote:
- Get rid of the basic auth and use a form-based login
My 2cents: please keep basic auth, at least as an option. I really
dislike form-based login
Isn't authentication supposed to be just a wrapper application in WSGI, so your app doesn't have to worry about how it happens? Like "app_im_serving = authentication_wrapper(real_cobbler_app)" or somesuch?
In my environment we have to use smartcards for authentication. The effect on the server side is that an SSL client certificate is presented. Our (HTTPS only) servers must require this as part of the SSL/TLS handshake, so if an HTTP connection happens and a web app is summoned to reply with a page, the user is authenticated already, it's just a question of what they're authorized to do in Cobbler.
A successful authentication system based on our requirements should be dead easy to make - a dozen lines of Python or so - but it's essentially a third thing which isn't quite basic auth nor form-based login, and it may not legitimately be Cobbler's problem.
I think this is where we should be headed. However, we don't make use of WSGI or any of the python frameworks in meaningful ways. Right now we kind of use Django, but not completely enough to take advantage of where it gets stuff right.
Part of the problem is that cobbler-web depends on cobbler's view of authentication and authorization. Cobbler's view of that is a bit bare bones. To do this right we would have to drive authentication deep into cobbler or somehow pull it out of cobbler completely and only have it on the cobbler-web level. I'm not entirely sure what the proper direction is.