There are three primary concepts involved in online security, namely Authentication, Authorisation, and Access Control.

  • Authentication is concerned with verifying the identity of the person, ensuring that he is who he says he is.
  • Authorisation is the process of defining which features or information an authenticated person is allowed to access.
  • Access Control is about making sure that the person can only access the application features and information he is entitled to.

So, to authenticate someone, one must first have a way of internally representing the identity of that person.  Having authenticated the person, one must then have a way of allocating entitlements to the person - that's authorisation.  Having authorised someone for certain content, one also needs a way to control access to that content.

In Grok, the identity of one who may be authenticated is called a Principal.

In zope.pluggableauth.plugins, Grok provides a number of plugins for its pluggable authentication utility (PAU) mechanism.

This mechanism allows one to implement a site specific authentication database and method.  For example, using PAU we can access external SQL databases for login names and passwords, or authenticate against LDAP. The plugins provided out of the box are as follows:

  1. ftpplugins.FTPCredentialsPlugin - A credentials extractor for FTP requests.
  2. generic.NoChallengeCredentialsPlugin - Used to prevent a challenge for credentials from happening.
  3. groupfolder.GroupFolder - A group folder allowing for groups of principals.
  4. httpplugins.HTTPBasicAuthCredentialsPlugin - Extracts credentials using the HTTP Basic Auth protocol.
  5. idpicker.IdPicker - A helper class that adds a number to identities to make them unique.
  6. principalfolder.PrincipalFolder - A persistent ZODB store and authenticator for principals.
  7. session.SessionCredentialsPlugin - A session cookie based credentials extractor.

Of the above, the two most popular ways of getting user credentials are HTTP Basic Auth and session based credentials.

The easiest way to add a database of users to your project is to use a PrincipalFolder.  This class already implements everything you need to store and authenticate principals.

Comparing Basic Auth to Session based credentials

Basic Auth is a standard where the browser stores user credentials, and responds directly to a challenge from the server by either popping up a login/password dialog or responding immediately to the challenge without user intervention.

Session based credentials make use of a session cookie to associate credentials with the user for as long as the session remains active.

The main disadvantage of each is that one cannot easily log out of a Basic Auth session, while cookie based sessions expire, forcing the user to log in again after a period of inactivity.

The main advantages are that with Basic Auth one only needs to log in once, while with session credentials it is easy to support multiple users from within the same browser.

Session based credentials authenticate the user, while Basic Auth effectively authenticates the browser.  Each method has its place.
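To make the division of labour between the PAU, its credentials plugins and its authenticator plugin concrete, here is a stand-alone model of that pipeline, added as an example and not taken from Grok or zope.pluggableauth: one extractor in the role of HTTPBasicAuthCredentialsPlugin, one in the role of SessionCredentialsPlugin, and a salted-hash store in the role of PrincipalFolder.  The request/session dictionaries, the cookie name "sid", the session timeout and the PBKDF2 work factor are all constructed for the example.

```python
import base64, hashlib, hmac, os

SESSION_TTL = 900  # seconds of inactivity after which a session is dropped (constructed value)

def make_principal_folder(users):  # PrincipalFolder role: login -> (salt, PBKDF2 hash)
    folder = {}
    for login, password in users.items():
        salt = os.urandom(16)  # per-user salt; the plaintext password is never stored
        folder[login] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))
    return folder

def authenticate(folder, credentials):  # authenticator plugin role: principal id or None
    entry = folder.get(credentials["login"]) if credentials else None
    if entry is None:
        return None
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", credentials["password"].encode(), salt, 100_000)
    return credentials["login"] if hmac.compare_digest(candidate, digest) else None

def basic_auth_credentials(request, sessions=None, now=None):  # HTTPBasicAuthCredentialsPlugin role
    """Decode 'Authorization: Basic <base64(login:password)>'; malformed headers yield None."""
    scheme, _, token = request.get("headers", {}).get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        login, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return {"login": login, "password": password}

def start_session(sessions, login, password, now):  # log in: the cookie carries only a random id
    sid = base64.urlsafe_b64encode(os.urandom(18)).decode()
    sessions[sid] = {"credentials": {"login": login, "password": password}, "last_seen": now}
    return sid

def session_credentials(request, sessions, now):  # SessionCredentialsPlugin role
    """Look the credentials up by the 'sid' cookie (a constructed cookie name)."""
    sid = request.get("cookies", {}).get("sid")
    entry = sessions.get(sid)
    if entry is None or now - entry["last_seen"] > SESSION_TTL:
        sessions.pop(sid, None)  # expired by inactivity: the user has to log in again
        return None
    entry["last_seen"] = now
    return entry["credentials"]

def authenticate_request(request, folder, sessions, now):  # PAU role: extract, then authenticate
    for extractor in (session_credentials, basic_auth_credentials):
        principal = authenticate(folder, extractor(request, sessions, now))
        if principal is not None:
            return principal
    return None
```

Note that the session path re-presents the stored credentials to the authenticator on every request, so a password change takes effect immediately, while the Basic Auth path depends on the browser re-sending the header until it is closed.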

Grok 4 Noobs

Authentication, Authorisation and Access Control