[Twisted-Python] Is it necessary to utilize twisted.cred in twisted web?
Phil Christensen
phil at bubblehouse.org
Mon Oct 5 23:31:50 MDT 2009
Crossposted to twisted-web at twistedmatrix.com, which is probably a
better venue...

On Oct 6, 2009, at 12:08 AM, biziap biziap wrote:
> I have googled this topic and found an example in
> (A) http://www.mail-archive.com/twisted-web@twistedmatrix.com/msg01796.html
> well, another simpler example is
> (B) http://www.mail-archive.com/twisted-web@twistedmatrix.com/msg01788.html
>
> My questions are:
> 1. Is the approach in (A) recommended? Generating resources
> dynamically seems inefficient and unnecessary for a simple scenario.
> Is there other way to bind twisted.cred and twisted.web together?
> (except the deprecated twisted.web.guard)

There are a few problems with this approach. The biggest is that it
requires username/password data to be sent on every authenticated
request.

Another one is more of a design principle; that you shouldn't have
account/permissions code inside resource display code. I violate this
principle all the time ;-)

The use of dynamic resource instantiation is a common idiom in
twisted.web coding, though. It isn't inherently inefficient, as long
as your resource objects are fairly sane.

> 2. The approach in (B) suggests that request.getSession() alone
> is quite enough to implement a simple authentication feature. Here
> the "simple scenario" means to guard some resource with username and
> password.
> To do it: in a protected resource, just check for a flag in the
> session; on failure, redirect to the login page. On success, render
> the resource. Why should we bother with the portal, credentials,
> checker, ...?

True, depending on your needs, this may be all that you need. From
your description, though, it sounds like you'd be doing this
authentication step in every resource you want to protect, which could
become tedious (aka error-prone) in a big project.

twisted.cred can seem daunting when you're just trying to protect a
trivial web resource or two, but for more advanced uses like more
complicated authentication levels, it's worth the time to learn. Also,
a big part of its real value comes when you need to support a variety
of protocols and/or authentication types.

-phil