Changeset 128

Timestamp:

09/30/07 18:11:20

Author:

thejimmyg

Message:

Documentation fixes

Files:

• AuthKit/trunk/AuthKit.egg-info/PKG-INFO (modified) (3 diffs)
• AuthKit/trunk/AuthKit.egg-info/SOURCES.txt (modified) (1 diff)
• AuthKit/trunk/CHANGELOG.txt (moved) (moved from AuthKit/trunk/CHANGELOG) (1 diff)
• AuthKit/trunk/LICENSE.txt (modified) (1 diff)
• AuthKit/trunk/README.txt (modified) (1 diff)
• AuthKit/trunk/authkit/authenticate/sso/__init__.py (modified) (1 diff)
• AuthKit/trunk/authkit/authenticate/sso/api.py (modified) (1 diff)
• AuthKit/trunk/authkit/template/__init__.py (modified) (1 diff)
• AuthKit/trunk/authkit/users/__init__.py (modified) (6 diffs)
• AuthKit/trunk/authkit/users/postgresql_driver.py (modified) (2 diffs)
• AuthKit/trunk/authkit/users/sqlalchemy_driver.py (modified) (2 diffs)
• AuthKit/trunk/docs/index.txt (modified) (1 diff)
• AuthKit/trunk/docs/manual.txt (modified) (1 diff)
• AuthKit/trunk/docs/pylons.txt (modified) (1 diff)
• AuthKit/trunk/setup.cfg (modified) (2 diffs)
• AuthKit/trunk/setup.py (modified) (2 diffs)

AuthKit/trunk/AuthKit.egg-info/PKG-INFO

@@ -1 +1 @@
-Metadata-Version: 1.0
-Name: AuthKit
-dev-r124
+-r127
-Summary: An authentication and authorization toolkit for WSGI applications and frameworks
-Home-page: http://authkit.org/
@@ -8 +8 @@
-License: MIT
-Description: 
+        AuthKit
+        +++++++
+        
+        .. contents ::
+        
+        Summary
+        =======
+        
-        *   Built for WSGI applications and middleware
-        *   Sophisticated and extensible permissions system
- authentication
-mehtods plus others.
+
+authentication methods plus others
-        *   Easily define users, passwords and roles
-        *   Designed to be totally extensible so you can use the components to integrate
-.
-.
+
+
-        
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
-        
-        Get Started
@@ -47 +32 @@
-        
-        * `Download and Installation <http://python.org/pypi/AuthKit/0.4.0>`_
-AuthKit Manual <http://authkit.org/docs/manual.html>`_
-* `Module Reference <http://authkit.org/docs/module-index.html>`_
-Pylons Integration Manual <http://authkit.org/docs/pylons
+Pylons Book <http://pylonsbook.com>`_ (the two chapters on Authentication and
+Authorization and Advanced AuthKit form the AuthKit 0.4 documentation)
+Module Reference <http://authkit.org/docs/0.4/module-index
-        * `Trac <http://authkit.org/trac>`_ - Tickets, Wiki, Subversion
-        * `Examples <http://authkit.org/trac/browser/AuthKit/trunk/examples>`_
-        
+        Author
+        ======
+        
+        `James Gardner <http://jimmyg.org/>`_ james at pythonweb dot org
+        
+        Development sponsored by `3aims <http://3aims.com/>`_ and
+        `Prometheus Research <http://www.prometheusresearch.com/>`_.
+        
+        
+        Changes
+        =======
+        
+        0.4 (**svn**)
+        
+        *** AS A RESULT OF THESE CHANGES THE DOCS ARE CURRENTLY OUT OF DATE ***
+        
+        * Added support for encrypted passwords
+        * Fixed the IE7 bug in digest middleware
+        * Adding SSO sub-directory, redirecting API, and CAS auth handler.
+        * Fixed binding check to return none, instead of throwing an Exception (for
+        performance reasons).
+        * Moved start_response check outside of app_iter consumption since it must be
+        called by this point to comply with WSGI.
+        * Fixed consumption app iter in multi, loading entire response into ram.
+        * Adding changelog
+        * Added IP and Time based permission objects
+        * Started unit tests
+        * Extended the user management API and added SQLAlchemy driver and example
+        * Restructured the authenticate middleware into induvidual pluggable components
+        * Simplified the configuration file system
+        * Added OpenID dependencies
+        * Removed the larger SQLAlchemy based demos
+        * The cookie module uses ``authkit`` as a default cookie name, not ``auth_tkt``.
+        Any code which does anything manually with this cookie needs the name changing
+        if it wasn't explicitly set to ``auth_tkt`` in the config file.
+        
+        0.3.0pre5
+        
+        * Changed the arguments to the authkit.authenticate.middleware() factory. You
+        will need to update your middleware setup to use app_conf instead of
+        config_paste for the app_conf dictionary.
+        
+        0.3
+        
+        * Re-written from scratch to be a modular toolkit for building your own auth
+        framework rather than an all-in-one solution.
+        
+        0.2
+        
+        * Re-written from scratch so to use SQLAlchemy only, old driver system considered
+        unnecessary and limiting. Also doesn't fit in with current Pylons
+        best-practice.
+        
+        0.1
+        
+        * Based on the web.auth 0.6 module from www.pythonweb.org, support for SQLObject
+        driver included
+        
+        
+        License
+        =======
+        
+        Copyright (c) Copyright 2005-2007 James Gardner <james at pythonweb dot org>
+        
+        Permission is hereby granted, free of charge, to any person obtaining a copy
+        of this software and associated documentation files (the "Software"), to deal
+        in the Software without restriction, including without limitation the rights
+        to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+        copies of the Software, and to permit persons to whom the Software is
+        furnished to do so, subject to the following conditions:
+        
+        The above copyright notice and this permission notice shall be included in
+        all copies or substantial portions of the Software.
+        
+        THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+        IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+        FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+        AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+        LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+        OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+        THE SOFTWARE.
+        
+        
+        Download
+        ========
+        
-Platform: UNKNOWN

AuthKit/trunk/AuthKit.egg-info/SOURCES.txt

@@ -1 @@
-
+.txt
-LICENSE.txt
-README.txt

AuthKit/trunk/CHANGELOG.txt

@@ -1 +1 @@
-Changes
-
+
-
-0.4 (**svn**)

AuthKit/trunk/LICENSE.txt

@@ +1 @@
+License
+=======
+
-Copyright (c) Copyright 2005-2007 James Gardner <james at pythonweb dot org>
-

AuthKit/trunk/README.txt

@@ -1 @@
-setup.py
+docs/index.txt
-

AuthKit/trunk/authkit/authenticate/sso/__init__.py

@@ -15 +15 @@
-
-.. admonition :: sources
+
-    # http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci340859,00.html
-    # http://en.wikipedia.org/wiki/Single_sign-on

AuthKit/trunk/authkit/authenticate/sso/api.py

@@ -51 +51 @@
-        like so:
-        
-
+-block
-            
-            class MyRedirectMiddleware(RedirectingAuthMiddleware):

AuthKit/trunk/authkit/template/__init__.py

@@ +1 @@
+"""\
+Paster create template for creating your own authentication methods.
+"""
-from paste.script.templates import BasicPackage
-

AuthKit/trunk/authkit/users/__init__.py

@@ -14 +14 @@
-The implementation consists of the following:
-
-    
-    
-    
-    
-    
-    
-    
-    
-    
-
-    
-    
-    
-
-    
-    
-    
-
-    
-    
-    
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-Of course since the user management API is fairly generic, it is possible to
@@ -61 +61 @@
-import md5 as _md5
-from authkit.authenticate import AuthKitConfigError
-from authkit.authenticate import AuthKitConfigError
-
-#
@@ -256 +255 @@
-    def user(self, username):
-        """
-
+
+
+
-        
-            {
@@ -264 +265 @@
-                'roles':    [role1,role2,role3... etc]
-            }
+
-        The role names are ordered alphabetically
-        Raises an exception if the user doesn't exist.
@@ -456 +458 @@
-    def user(self, username):
-        """
-
+
+
+
-        
-            {
@@ -464 +468 @@
-                'roles':    [role1,role2,role3... etc]
-            }
-
+
+
-        Raises an exception if the user doesn't exist.
-
+    
-        username = username.lower()
-        if not username in self.usernames:

AuthKit/trunk/authkit/users/postgresql_driver.py

@@ -336 +336 @@
-    def user(self, username):
-        """
-
+
+
+
-        
-            {
@@ -344 +346 @@
-                'roles':    [role1,role2,role3... etc]
-            }
-
+
+
-        Raises an exception if the user doesn't exist.
-        """

AuthKit/trunk/authkit/users/sqlalchemy_driver.py

@@ -291 +291 @@
-    def user(self, username):
-        """
-
+
+
+
-        
-            {
@@ -299 +301 @@
-                'roles':    [role1,role2,role3... etc]
-            }
+
-        The role names are ordered alphabetically
-        Raises an exception if the user doesn't exist.

AuthKit/trunk/docs/index.txt

@@ -2 +2 @@
-+++++++
-
+.. contents ::
+
+Summary
+=======
+
-*   Built for WSGI applications and middleware
-*   Sophisticated and extensible permissions system
- authentication 
-mehtods plus others.
+
+authentication methods plus others
-*   Easily define users, passwords and roles
-*   Designed to be totally extensible so you can use the components to integrate
-.
-.
+
+
-    
-
+
+
-
-Get Started
-===========
-
->`_ (choose the latest version)
-AuthKit Manual <http://authkit.org/docs/manual.html>`_
-
-Pylons Integration Manual <http://authkit.org/docs/pylons
+0.4.0>`_
+Pylons Book <http://pylonsbook.com>`_ (the two chapters on Authentication and
+
+Module Reference <http://authkit.org/docs/0.4/module-index
-* `Trac <http://authkit.org/trac>`_ - Tickets, Wiki, Subversion
-* `Examples <http://authkit.org/trac/browser/AuthKit/trunk/examples>`_
-
-Status
-======
-
-AuthKit is not quite finished. It hasn't been used in production yet and will almost certainly have some bugs.
-
-Author
-======
-
-www.3aims.com
+jimmyg.org
-
-
+
+
+

AuthKit/trunk/docs/manual.txt

@@ -2 +2 @@
-++++++++++++++
-
-
+
-
-
-
+
+
-
-.. note::
-
-    This version of AuthKit (0.4) is nothing like the old AuthKit 0.2
-    which used to be hosted in the Pylons SVN. This version is a
-    generic framework, the old version was a specific implementation.
-
-.. contents:: Table of Contents
-.. sectnum::
-
-.. warning::  
-    
-    AuthKit has not been audited by a security expert, please use with
-    caution at your own risk (or better yet, report security holes). 
-
-Any comments, suggestions or improvements would be gratefully received on the
-`Pylons mailing list <http://groups.google.com/group/pylons-discuss>`_.
-
-Credits
-=======
-
-The middleware components of AuthKit make heavy use of `Paste
-<http://pythonpaste.org>`_.
-
-The Basics
-==========
-
-When writing a web application you frequently come across the problem of
-needing to restrict which visitors can see which pages. This problem can be
-split into two parts.
-
-Authentication
-
-    The process of proving who the visitor is. Usually they will
-    enter a username and password to prove their identity and the web application
-    will set a cookie so that when they visit other pages on the site the
-    application will be able to remember who the visitor is without needing to ask
-    for their username and password again.
-
-Authorization
-
-    The process of checking that an authenticated vistor has
-    permission to see a particular page they are requesting.
-
-These two parts are quite separate but often become confused becuase
-information about who can be authenticated and what authorization permissions
-each user has is often stored in the same place, for example a database or LDAP
-repository.
-
-Because authorisation and authentication information typically comes from a 
-variety of different sources any one solution (eg an SQL database) is not 
-necessarily going to fit your requirements AuthKit provides a framework you
-can tweak to fit your requirements.
-
-AuthKit is therefore a WSGI framework that provides a sensible structure for implementing
-your own auth system. It also provides some sample implementations of the 
-framework so that you can add full authentication and authorisation to your 
-Web Server Gateway Interface project with just a few lines of code if you 
-prefer not to imlement your own system.
-
-This document will take you through some different ways of restricting access
-to your site with AuthKit starting simply and getting more sophisticated.
-
-The AuthKit Architecture
-========================
-
-The AuthKit functionality is separated into the following classes of components:
-
-Authentication Middleware
-
-    All authentication can be handled transparently by a middleware component so
-    that your application doesn't need to worry about how to sign users in. This
-    means you can change how your users are authenticated without changing any
-    of your application code.
-
-    The authentication middleware can intercept 401 and 403 responses so that
-    the rest of you application doesn't even need to use AuthKit in order for
-    the authenticate part to work.
-    
-    In a WSGI application it is as simple as:
-    
-    .. code-block:: Python
-    
-        start_response('403 Access denied', [])
-
-    In Pylons this is as simple as writing:
-
-    .. code-block:: Python
-    
-        abort(401)
-
-    The authenticate middleware supports the methods HTTP basic, HTTP digest,
-    form and cookie (with sign out), OpenID passurl or internal forward to
-    application. The middleware is either configured directly, from a generic
-    config file or a paste deploy setup. 
-
-    If you are using paste deploy you can add the middleware and set::
-
-        authkit.enable = false
-
-    in your config to disable it. One way of enabling it is to do something
-    like this::
-
-        authkit.enable = true
-        authkit.setup.method = basic
-        authkit.users = james:bananas      
-                        ben:apples
-
-    Any 401 status will now be handled and james can sign in with password
-    bananas and ben with apples. Nice and easy eh?
-
-    Of course there is a lot more to AuthKit. All the options are described 
-    in this manual.
-
-Permission Objects
-
-    An auth system should provide a way to check user permissions and has to
-    facilitate the developer in authorising a user at any point in the application
-    stack that the developer feels is appropriate.
-
-    AuthKit solves this requirement with permission objects used like this::
-
-        from authkit.permissions import *
-        permission1 = UserIn(users=['ben','james'])
-        permission2 = And(RemoteUser(), Not(UserIn(['james'])))
-
-    You can use existing permissions or define them yourself.
-
-    Permissions have access to the WSGI ``environ`` dictionary and
-    ``start_response`` callable so as well as being based on information from a
-    database or LDAP repository they could be based on information from the request
-    or even the resposne and have all the flexibility and power of WSGI middleware.
-
-Authorization Objects
-
-    Permission objects need to be checked in different ways depending on where 
-    in the applicaiton stack the check occurs. There are different authorization
-    objects for use in different parts of a WSGI application but they all have
-    the same effect of requiring the user to be authorized based on the 
-    permission object
-
-    If a permission check fails a NotAuthorizedError or NotAuthenticatedError
-    is raised by the authorisation object. This stops the request and is eventually
-    handled by the ``httpexceptions`` middleware which turns it into a response
-    with a 401 or 403 status code to be handled by the authentication middleware.
-
-Using the above features it is possible to build a sophisticated auth system. 
-AuthKit goes further though and also defines other objects which you can use
-as they stand, ignore completely or modify for your use:
-
-User Management API
-
-    AuthKit provides a simple read-only, extensible user management API and 
-    permissions objects to use it. It allows you to get started straight away. 
-   
-    If you want to be able to use the exisitng permissions you can implement 
-    a user management API compatible with the AuthKit one and the existing 
-    funcationality will work.
-
-    If you want to start from scratch, all the authentication methods provide 
-    a means of handling user management yourself.
-
-Framework Adaptors
-
-    Although AuthKit provides a totally generic API it also has built in 
-    support for configuration via Paste Deploy config files and comes with
-    the authkit.pylons_adaptors module which provides tools for integrating
-    AuthKit into Pylons quickly and easily. 
-
-    It is hoped other framework developers will also implement version of 
-    AuthKit and the developers would be keen to assist with any such efforts.
-
-The best way to expalin the various components and how they all fit together is
-with some examples so lets get started.
-
-Authentication Middleware
-=========================
-
-Configuration
--------------
-
-First of all we need a middleware component to intercept responses with 401
-status codes so that the user can be prompted to sign in. This is done using
-``authkit.authenticate`` middleware:
-
-.. code-block:: Python
-
-    from authkit import authenticate
-    app = authenticate.middleware(
-        app,
-        config_paste=None,
-        config_file=None,
-        prefix='authkit.',
-        **options
-    )
-
-The authenticate middleware takes the WSGI application as the first parameter.
-You can then choose to specify all the configuration options directly as
-keyword arguments in the Python code that sets up the middleware or to use a
-`Paste deploy config file <http://pythonpaste.org/deploy>`_. If you choose to
-use a config file you can either specify the filename with ``config_file`` or
-if you have already parsed the config file you can specify ``config_paste``
-which should be the ``paste.deploy.CONFIG['app_conf']`` dictionary.
-
-AuthKit automatically converts any ``.`` characters in the config file keys to
-``_`` characters and it also strips off the ``prefix`` defined when inilialising
-the middleware. If you don't set ``prefix`` it defaults to ``authkit.``. This 
-means that options such as ``cookie_signoutpath`` used by AuthKit can be written in 
-the slightly more descriptive and clean form ``authkit.cookie.signoutpath`` in the
-config file.
-
-.. note ::
-
-    Throughout the documentation we will describe configuration options in terms
-    of the configuration file keys because this is likely to be how you configure
-    AuthKit but in examples we will use the direct AuthKit options because we 
-    don't want to clutter the examples with config parsing code. Please be aware
-    that the two ways of specifying AuthKit options have the same effect.
-
-If you are using Paste Deploy or Pylons you can put these options in the
-``[app:main]`` section and setup your middleware stack as follows:
-
-.. code-block:: Python 
-
-    from authkit.authenticate import middleware
-    from paste.deploy import CONFIG
-    app = middleware(app, config_paste=CONFIG['app_conf'))
-
-If you want to load the configuration from a plain file you can do so as follows:
-
-.. code-block:: Python 
-
-    from authkit.authenticate import middleware
-    app = middleware(app, config_file='/path/to/authkit.conf')
-
-You can still specify parameters in conjunction with using a config file. Any
-parameters specified in code will replace those specified in the config file
-and a warning will be issued.
-
-There are some options such as ``authkit.users.valid`` and
-``authkit.users.digest`` which take functions when used as parameters
-from within code. In a config file these varibles should specify the module
-path of the function to use in the format ``module_path:function``. For
-example:: 
-
-    authkit.users.valid = authkit.authenticate:valid_password
-
-Advanced Configuration Options
-------------------------------
-
-You can also specify some other configuration variables:
-
-authkit.enable
-    If no options have been supplied in code when configuring the AuthKit
-    middleware it is assumed that authkit has been deployed as part of a framework
-    and will therefore not be enabled unless ``authkit.enable`` is set to ``true``.
-    Setting ``authkit.enable`` to ``false`` in the config file will always disable
-    the authkit middleware. If no value is set the authkit middleware is disables
-    and a warning logged.
-
-authkit.catch
-    If specified should be a comma separated list of status codes you would
-    like the authkit middleware to respond to. For example if you want 403
-    Unauthorized pages to also prompt the visitor to sign in you could do this::
-
-        authkit.catch = 401, 403
-
-    If you wanted only authenticated users to see error reports you could use::
-        
-        authkit.catch = 500
-
-    If you wanted all pages to require an authenticated user you could use::
-    
-        authkit.catch = * 
-    
-    If not specified authkit responds only to 401 status codes.
-
-authkit.exclude
-    If ``authkit.catch`` is set to ``*`` you can specifically set codes not to
-    catch using ``authkit.exclude``. For example to require authentication for all
-    status codes except 500 and 404 you could do this::
-
-        authkit.catch = *
-        authkit.exclude = 500, 404
-
-Authentication Methods
-----------------------
-
-Once the basic configuration is set up the first thing to decide is how you
-want to authenticate users. The options for the ``method`` parameter are:
-
-``basic`` 
-
-    Use HTTP basic authorisation
-
-``digest``
-
-    Use HTTP digest authentication 
-
-``form``
-
-    Use a cookie and simple HTML form generated by the middleware
-
-``forward`` 
-
-    Internally forward the request to a specified URL so the
-    application can present a form to the user and handle sign in itself
-    
-``passurl``
-
-    Use an OpenID passurl for authentication
-
-As mentioned before you can specify this in your code as
-``method="basic"`` or in your config file as ``authkit.setup.method =
-basic``. If you try to specify the same option using both methods an
-error is raised, otherwise AuthKit tries to use all the options from
-both sources.
-
-Each of these options is described in detail in the following sections.
-
-Basic HTTP/1.0 Authentication
------------------------------
-
-The ``basic`` method is an implementation of basic authentication as described in
-HTTP/1.0 specification [1]_ .  
-
-.. warning:: Do not use this example in production sites unless you are using
-    SSL or need to work with very out-dated clients because the password entered is
-    transmitted in plain text, instead use `Digest HTTP/1.1 Authentication`_ 
-    described below.
-
-HTTP Basic Authentication is perhaps the easiest way to add authentication to
-your website. When your application returns a 401 status code the visitor's
-browser will promot them for a username and password if they haven't already
-signed in. 
-
-The AuthKit middleware will check the username and password and sign in the
-visitor only if password was correct.
-
-The code looks like this:
-
-    .. include:: ../examples/docs/basic.py
-        :literal:
-   
-The ``realm`` parameter is an identifier for the authority that is
-requesting authorization. It is shown to the user and should be unique within
-the domain it is being used. If it isn't specified, a default of ``AuthKit`` is
-used.
-
-The parameter ``users_valid`` should be a function that returns ``True``
-if the username and password are correct and ``False`` otherwise. The example
-above will allow anyone with a password that is the same as their username to
-sign in. In this case not entering a username or password is therefore allowed.
-This isn't very secure so you should customise the function to suit
-your setup.
-
-.. note::
-
-    Bear in mind that in authentication systems usernames are usually
-    case *insensitive* and passwords are case *sensitive*. Your users will
-    probably expect your system to follow this general rule.
-
-If the visitor presses Cancel they will be shown the 403 Unauthorized response.
-
-If a user has been signed in the ``REMOTE_USER`` environment variable will be
-set with their username so you can access it in your application code as
-``environ['REMOTE_USER']``.
-
-The example above is available in the ``examples/docs`` directory and can be 
-run with::
-
-    python basic.py
-
-If you run the program you will be able to visit http://localhost:8080 but will
-be prompted to sign in if you visit http://localhost:8080/private and any
-username password combination where the username is the same as the password
-will sign you in any you will notice the ``REMOTE_USER`` variable will be set. 
-
-.. note::
-
-    HTTP authentication does not easily support signing out so you will
-    need to close the browser to test the example again.
-
-Digest HTTP/1.1 Authentication
-------------------------------
-
-This module implements ``Digest`` authentication as described by RFC 2617 [2]_
-. At this time, this implementation does not provide for further challenges,
-nor does it support Authentication-Info header. It also uses md5, and an
-option to use sha would be a good thing.
-
-Digest authentication is similar to basic authentication but rather than
-sending the password unencrypted you send an encrypted digest so the security
-is slightly better.
-
-The code looks like this:
-
-    .. include:: ../examples/docs/digest.py
-        :literal:
-
-Note that the ``digest()`` function takes different parameters from the
-``valid()`` function we used in the HTTP basic authentication. Also rather than
-returing ``True`` or ``False`` the function should use the
-``digest_password()`` function from ``authkit.middleware.digest`` to return a
-digest.
-
-Form-Based Authentication
--------------------------
-
-One of the drawbacks of HTTP authentication is that the user can't easily sign
-out without closing the browser window. A form and cookie based solution is
-therefore preferable for most web applications.
-
-With this method if the user accesses a page that returns a 401 status code, the
-AuthKit middleware intercepts it and displays a form for the user to sign in.
-The template to use is supplied when configuring the middleware or a default is
-used if none is specified. If the user's sign in is incorrect they are shown
-the form again.
-
-Since the authentication form is submitted (via POST) neither the PATH_INFO nor
-the QUERY_STRING are accessed, and hence the current path remains _unaltered_
-through the entire authentication process. If authentication succeeds, the
-REQUEST_METHOD is converted from a POST to a GET and the page the user was
-trying to view is displayed, so that a redirect is unnecessary (unlike most
-form auth implementations).
-
-Here is a working example:
-
-    .. include:: ../examples/docs/form.py
-        :literal:
-
-The ``form`` method can use the same ``valid()`` authenticate function as that
-used by the HTTP basic method but this example uses an alternative method
-making use of the AuthKit user management API. This is described in detail
-later but provides a very quick and easy way of specifying users, passwords,
-groups and roles.
-
-The example also specifies a ``cookie_secret`` which is a string used to help
-make the encryption on the cookie more random and a ``cookie_signoutpath``
-parameter which is a special path which should automatically sign the user out
-when visited but will still display the resulting page so that your application
-can display a signed out message. There are lots of cookie options you can
-specify including the name, and expire time and more. These are all described
-in the cookie options section later.
-
-If you run the example and visiting http://localhost:8080/private the sign in
-form will be displayed. If you sign in with a username that is the same as the
-password you will be signed in. If you visit http://localhost:8080/signout you
-will see the data as usual but if you press refresh you will notice that you
-have also been signed out.
-
-.. note:: 
-
-    If you would like your application to handle the creation of the form, the
-    sign in process and sign out manually so that you have complete control over
-    the authentication process you should use the ``forward`` method.
-
-You can also configure the template used in the form. There are three ways to 
-do this. The first is to specify the ``form_template`` option with the new
-template. 
-
-The template should contain the characters ``%s`` which will be replaced with
-the correct action URL. Any other ``%`` characters should be escaped by 
-writing them as ``%%``. The form should also contain fields named ``username``
-and ``password`` and should use the ``POST`` method. Here is an example::
-
-    form_template = """\
-    <html>
-      <head><title>Please Login!</title></head>
-      <body>
-        <h1>Please Login</h1>
-        <form action="%s" method="post">
-          <dl>
-            <dt>Username:</dt>
-            <dd><input type="text" name="username"></dd>
-            <dt>Password:</dt>
-            <dd><input type="password" name="password"></dd>
-          </dl>
-          <input type="submit" name="authform" />
-          <hr />
-        </form>
-      </body>
-    </html>
-    """
-
-You can also specify ``form_template_file`` which should be a file containing
-the template with the same escaping as described above or ``form_template_obj``
-which should be the Paste eval_import style path to a string object in an
-existing module containing the template or a callable that returns a string.
-For example::
-
-    form_template_obj = authkit.authenticate.form:template
-
-Forwarding
-----------
-
-Arguably the most flexible and powerful system for authentication is for the
-middleware to internally forward the request to a different part of the
-application if a 401 status is intercepted. The application itself is then
-responsible for displaying that page to take care of displaying a sign in form,
-authenticate a user, set a cookie and sign the user out in whichever
-way the application author thinks is best.
-
-The foward middleware sets up the cookie middleware used by the ``form`` method
-but you still need to manually set the cookie after the user has signed in
-using your own custom sign in form which you would have implemented yourself.
-
-The cookie can be set like this:
-
-.. code-block:: Python
-
-    environ['paste.auth_tkt.set_user'](username)
-
-If you specify a ``cookie_signoutpath`` path when you set up the authentication
-middleware the user will be signed out automatically when visiting that path
-but you will still need to display a "signed out" path at that URL or the user
-will see a 404 page and think they haven't been signed out.
-
-Alternatively you can sign out the user manually by setting a cookie with the
-same name but no value or using the ``environ['paste.auth_tkt.logout_user']()``
-method documented here: http://pythonpaste.org/module-paste.auth.auth_tkt.html 
-
-Here is a simple complete example:
-
-    .. include:: ../examples/docs/forward.py
-        :literal:
-
-.. note:: 
-
-    If you are using any of the examples shown so far with permissions objects (described later) 
-    you will also need to include the paste httpexceptions middleware otherwise
-    the ``NotAuthorizedError`` and ``NotAuthenticatedError`` errors will not be
-    converted to status codes which the authenticate middleware use.
-
-    You can set this up by adding the following lines before you add the 
-    authenticate middleware:
-
-    .. code-block:: Python
-
-        from paste import httpexceptions
-        test_app = httpexceptions.middleware(test_app)
-        
-A full description of the cookie options you can use is described in the cookie options
-section.
-
-OpenID Passurl
---------------
-
-Perhaps the simplest way of handling authentication in your application is to
-use OpenID. With OpenID the user enters their identity URL and the middleware
-contacts the identity provider associated with the URL. The identity provider 
-then handles the authentication and replies to tell the middleware if the user