""" Simple BFG application demonstrating use of repoze.who in "hybrid" mode.
- repoze.who middleware intercepts and validates existing request credentials,
leaving 'REMOTE_USER' in the WSGI environ if they are OK.
- Application handles login / logout directly, using the repoze.who API
to validate credentials and set headers.
"""
import logging
import os
import sys
from StringIO import StringIO
from paste.httpserver import serve
from repoze.bfg.authentication import RemoteUserAuthenticationPolicy
from repoze.bfg.authorization import ACLAuthorizationPolicy
from repoze.bfg.configuration import Configurator
from repoze.bfg.security import Allow
from repoze.bfg.security import Authenticated
from repoze.bfg.security import DENY_ALL
from repoze.bfg.security import Everyone
from repoze.who.api import get_api
from repoze.who.interfaces import IChallenger
from repoze.who.middleware import PluggableAuthenticationMiddleware as PAM
from repoze.who.plugins.basicauth import BasicAuthPlugin
from repoze.who.plugins.auth_tkt import AuthTktCookiePlugin
from repoze.who.plugins.redirector import RedirectorPlugin
from repoze.who.plugins.htpasswd import HTPasswdPlugin
from repoze.who.classifiers import default_request_classifier
from repoze.who.classifiers import default_challenge_decider
from webob import Response
from webob.exc import HTTPFound
LINK = '