There are three primary concepts involved in web application security, namely Authentication, Authorisation, and Access Control.
To authenticate someone, one must first have a way of representing that person's identity internally. Having authenticated the person, one must then have a way of allocating entitlements to them; that is authorisation. Having authorised someone for certain content, one also needs a way to enforce that decision on every request for that content; that is access control.
In Grok, the identity of one who may be authenticated is called a Principal.
Grok's pluggable authentication utility (PAU) mechanism comes from zope.pluggableauth, and the zope.pluggableauth.plugins package provides a number of plugins for it.
This mechanism allows one to implement a site-specific authentication database and method: a credentials plugin decides how a login name and password are obtained from the request, and an authenticator plugin decides how they are checked. For example, using PAU we can look up login names and passwords in an external SQL database, or authenticate against LDAP. The plugins provided out of the box are as follows:
Of these, the two most common ways of obtaining user credentials are HTTP Basic Auth and session-based credentials.
The easiest way to add a database of users to your project is to use a PrincipalFolder. This class already implements everything you need to store and authenticate principals.
Basic Auth is a standard in which the browser stores the user's credentials and responds directly to a challenge from the server (a 401 response carrying a WWW-Authenticate header), either by popping up a login/password dialog or, if it already holds credentials for that realm, by re-sending them immediately without user intervention. The credentials travel in the Authorization header on every request and are only base64-encoded, not encrypted, so Basic Auth should only be used over TLS.
Session-based credentials make use of a session cookie to associate credentials with the user for as long as the session remains active; the cookie should carry only a session identifier, with the credentials themselves held on the server.
The main disadvantage of each: one cannot easily log out of a Basic Auth session, because the browser keeps re-sending its cached credentials and HTTP defines no way for the server to make it forget them, while cookie-based sessions expire, forcing the user to log in again after a period of inactivity.
The main advantages are that with Basic Auth one only needs to log in once, while with session credentials it is easy to support multiple users from within the same browser, and the server can end a session at any time simply by discarding it.
Session-based credentials authenticate the user, while Basic Auth effectively authenticates the browser. Each method has its place.
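The following is an added, self-contained illustration of the PAU design described above (credentials plugins for Basic Auth and for sessions, an authenticator standing in for a PrincipalFolder, and the utility that chains them); it is not Grok's or zope.pluggableauth's own code. All class and method names are hypothetical, requests and responses are plain dicts rather than Zope request objects, the cookie name `sessionid` and the login URL `/login` are assumptions, and the password storage uses salted PBKDF2 as a stand-in for whatever password manager a real PrincipalFolder is configured with.

```python
# Constructed illustration of the pluggable-authentication pattern; names are hypothetical.
import base64
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 200_000


class PrincipalStore:
    """Authenticator plugin standing in for a PrincipalFolder (salted PBKDF2 hashes)."""
    def __init__(self):
        self._by_login = {}
        # Unknown logins are hashed against this, so a miss costs as long as a hit.
        self._dummy = {"salt": os.urandom(16), "hash": os.urandom(32)}

    def add_principal(self, login, password):
        salt = os.urandom(16)  # fresh salt per principal
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._by_login[login] = {"id": "user." + login, "salt": salt, "hash": digest}

    def authenticate(self, credentials):
        record = self._by_login.get(credentials.get("login"), self._dummy)
        candidate = hashlib.pbkdf2_hmac("sha256", credentials.get("password", "").encode(),
                                        record["salt"], PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, record["hash"]):  # constant-time compare
            return None
        return {"id": record["id"]}


class BasicAuthCredentialsPlugin:
    """Credentials plugin: reads the Authorization header; challenges with 401."""
    def extract_credentials(self, request):
        scheme, _, blob = request.get("headers", {}).get("Authorization", "").partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None  # malformed header: treat as anonymous rather than raising
        login, sep, password = decoded.partition(":")
        return {"login": login, "password": password} if sep else None

    def challenge(self, request, response):
        response["status"] = 401
        response["headers"]["WWW-Authenticate"] = 'Basic realm="Grok"'
        return True


class SessionCredentialsPlugin:
    """Credentials plugin: a login form starts a server-side session; the cookie holds only its id."""
    cookie_name = "sessionid"  # hypothetical cookie name

    def __init__(self):
        self._sessions = {}  # session id -> credentials, kept server-side only

    def extract_credentials(self, request):
        form = request.get("form", {})
        if "login" in form and "password" in form:  # login form submission
            credentials = {"login": form["login"], "password": form["password"]}
            sid = secrets.token_urlsafe(32)
            self._sessions[sid] = credentials
            request["new_session_id"] = sid  # the view layer sets the cookie from this
            return credentials
        return self._sessions.get(request.get("cookies", {}).get(self.cookie_name))

    def challenge(self, request, response):
        response["status"] = 302  # send the browser to the (hypothetical) login form
        response["headers"]["Location"] = "/login"
        return True

    def logout(self, request):
        sid = request.get("cookies", {}).get(self.cookie_name)  # drop server-side; cookie becomes useless
        return self._sessions.pop(sid, None) is not None


class PluggableAuthentication:
    """PAU: try each credentials plugin in order, then each authenticator."""
    def __init__(self, credentials_plugins, authenticator_plugins):
        self.credentials_plugins = list(credentials_plugins)
        self.authenticator_plugins = list(authenticator_plugins)

    def authenticate(self, request):
        for cplugin in self.credentials_plugins:
            credentials = cplugin.extract_credentials(request)
            if credentials is None:
                continue
            for aplugin in self.authenticator_plugins:
                principal = aplugin.authenticate(credentials)
                if principal is not None:
                    return principal
        return None  # unauthenticated; the caller decides whether to challenge

    def unauthorized(self, request, response):
        for cplugin in self.credentials_plugins:  # first plugin willing to challenge wins
            if cplugin.challenge(request, response):
                break
        return response
```

To exercise it, register one principal (`store.add_principal("alice", "s3cret")`, a constructed sample account) and build `PluggableAuthentication([BasicAuthCredentialsPlugin(), session], [store])`. A request carrying `Authorization: Basic YWxpY2U6czNjcmV0` (the base64 of `alice:s3cret`, which is all the "protection" the header offers) authenticates as `user.alice`; a wrong password, an unknown login or a malformed header yields `None` without raising. A login-form submission creates a session and records the new id on the request, a later request presenting that id in the cookie authenticates again, and `logout` makes the cookie worthless at once, which is the server-side logout that Basic Auth cannot offer. Because the PAU consults the authenticator on every request rather than caching the principal, a password change or a removed account takes effect on the next request for both credential styles. Note that the Basic plugin is first in the list, so an unauthenticated request is answered with a 401 challenge; reorder the plugins if the login-form redirect should win instead.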