[Twisted-Python] Authentication & Access Control system for web services

George Pauly george at ringdevelopment.com
Thu Mar 10 16:16:47 EST 2011


In my very limited experience with Twisted,

On Thu, 2011-03-10 at 14:01 -0600, Allen Bierbaum wrote:
> I have been looking into this further and decided on an API that works
> as follows:
> - Use HTTPS for all requests
> - POST to /session to create a new session token
>   - pass in username and password as parameters
>   - returns token string to be used for all further communication

In the non-https case, roll a salt and other items (ip address, user
agent, etc) into a secondary session key on the server.

> - All further requests must have the token string which is used to
> lookup the user/session
>   - on the server, the token will map to a user object to give me
> information about their access rights, etc.

that's all I've ever needed: use the session key (token) to access an
object array - the accessed object has all the twisty magic.

> Now the question is how does this fit into twisted's view of the
> world.  The twisted web in 60 seconds tutorials [1] seem focused on
> using HTTP Auth for credential checking and a internal cookie
> (TWISTED_SESSION) for session management.  Is there an easy way to
> adapt these to my needs or do I need to roll my own code for this type
> of twisted.web usage?

Now you've gone back to credentials - this is outside of my experience
with Twisted.  Sessions are simple enough with Python alone in a twisted
app.  I'll need to use credentials soon so I hope you get an answer.

Anybody using OpenID or webID instead of login/password?  Could be

> -Allen

George Pauly
Ring Development
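A framework-independent sketch of the token flow Allen lays out above (POST /session with username and password, opaque token on every later request, server-side lookup to the user), with George's "secondary session key" binding the session to client attributes. This is an added example, not code from either poster or from twisted.web; the in-memory user table, the injectable clock and the TTL are assumptions.

```python
import hashlib, hmac, secrets, time

class SessionStore:
    """POST /session issues a token; later requests present it for lookup."""

    def __init__(self, users, ttl=3600, now=time.time):
        self._users = users      # {username: (salt, pbkdf2 hash)}, constructed
        self._sessions = {}      # token -> record, server side only
        self._ttl = ttl
        self._now = now          # injectable clock so expiry is testable

    @staticmethod
    def hash_password(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    @staticmethod
    def _binding(secret, ip, user_agent):
        # The "secondary session key": a per-session random secret rolled
        # together with client attributes; kept server side, never sent.
        return hmac.new(secret, f"{ip}\n{user_agent}".encode(), hashlib.sha256).digest()

    def create(self, username, password, ip, user_agent):
        rec = self._users.get(username)
        if rec is None:
            self.hash_password(password, b"x" * 16)  # same cost for unknown users
            return None
        salt, expected = rec
        if not hmac.compare_digest(self.hash_password(password, salt), expected):
            return None
        token = secrets.token_urlsafe(32)   # opaque, not derived from user data
        secret = secrets.token_bytes(32)
        self._sessions[token] = {
            "user": username, "secret": secret,
            "binding": self._binding(secret, ip, user_agent),
            "expires": self._now() + self._ttl,
        }
        return token

    def lookup(self, token, ip, user_agent):
        s = self._sessions.get(token)
        if s is None:
            return None
        if self._now() > s["expires"]:
            del self._sessions[token]
            return None
        if not hmac.compare_digest(s["binding"], self._binding(s["secret"], ip, user_agent)):
            return None   # token presented from a different client: reject
        return s["user"]
```

In a twisted.web resource the `lookup` result would be the user object that carries the access rights Allen mentions; here it is just the username.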
