[Twisted-Python] Authentication & Access Control system for web services
George Pauly
george at ringdevelopment.com
Thu Mar 10 16:16:47 EST 2011
Allen,
In my very limited experience with Twisted,
On Thu, 2011-03-10 at 14:01 -0600, Allen Bierbaum wrote:
> I have been looking into this further and decided on an API that works
> as follows:
>
> - Use HTTPS for all requests
> - POST to /session to create a new session token
> - pass in username and password as parameters
> - returns token string to be used for all further communication
In the non-https case, roll a salt and other items (ip address, user
agent, etc) into a secondary session key on the server.
> - All further requests must have the token string which is used to
> lookup the user/session
> - on the server, the token will map to a user object to give me
> information about their access rights, etc.
>
That's all I've ever needed: use the session key (token) to access an
object array; the accessed object has all the twisty magic.
> Now the question is how does this fit into twisted's view of the
> world. The twisted web in 60 seconds tutorials [1] seem focused on
> using HTTP Auth for credential checking and an internal cookie
> (TWISTED_SESSION) for session management. Is there an easy way to
> adapt these to my needs or do I need to roll my own code for this type
> of twisted.web usage?
Now you've gone back to credentials - this is outside of my experience
with Twisted. Sessions are simple enough with Python alone in a twisted
app. I'll need to use credentials soon so I hope you get an answer.
Anybody using OpenID or webID instead of login/password? Could be
better...
>
> -Allen
>
George
--
George Pauly
Ring Development
www.ringdevelopment.com
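A server-side sketch of the token design discussed above, added here as an example and not code from this thread or from Twisted: plain Python with no Twisted dependency, so login() stands in for what a twisted.web Resource's render_POST for /session would call. The user table and password are constructed, and binding each session to the client's IP address and User-Agent with a per-session salt follows the non-HTTPS suggestion in the reply; it limits replay of a leaked token but does not replace HTTPS.

```python
import hashlib, hmac, os, secrets, time

# Constructed user table (not a real credential store): username -> salted
# PBKDF2 password hash plus the access rights a session resolves to.
def _pw_hash(salt, password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice": {"salt": _SALT, "hash": _pw_hash(_SALT, "correct horse"),
                   "rights": {"admin"}}}

class SessionStore:
    """Server-side table behind POST /session: opaque token -> user record."""
    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._sessions = {}  # sha256(token) -> session; raw tokens are never stored

    @staticmethod
    def _binding(salt, ip, user_agent):
        # Secondary key: HMAC over client attributes with a per-session salt.
        return hmac.new(salt, f"{ip}\n{user_agent}".encode(), "sha256").hexdigest()

    def create(self, user, ip, user_agent):
        token = secrets.token_urlsafe(32)  # the string handed back to the client
        salt = os.urandom(16)
        self._sessions[hashlib.sha256(token.encode()).hexdigest()] = {
            "user": user, "salt": salt,
            "binding": self._binding(salt, ip, user_agent),
            "expires": time.time() + self.ttl}
        return token

    def lookup(self, token, ip, user_agent):
        key = hashlib.sha256(token.encode()).hexdigest()
        s = self._sessions.get(key)
        if s is None or s["expires"] < time.time():
            self._sessions.pop(key, None)  # unknown or expired: forget it
            return None
        if not hmac.compare_digest(s["binding"], self._binding(s["salt"], ip, user_agent)):
            return None  # right token, different client context: reject
        return s["user"]

    def destroy(self, token):
        self._sessions.pop(hashlib.sha256(token.encode()).hexdigest(), None)

def login(store, username, password, ip, user_agent):
    """POST /session logic: verify the password, then issue a session token."""
    rec = USERS.get(username)
    if rec is None or not hmac.compare_digest(rec["hash"], _pw_hash(rec["salt"], password)):
        return None
    return store.create({"username": username, "rights": rec["rights"]}, ip, user_agent)
```

Every later request passes its token plus the request's IP and User-Agent to lookup(), and a None result is answered with 401.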