[Twisted-web] Sessions and Authentication for Web2

David Reid dreid at dreid.org
Thu Nov 17 12:09:42 MST 2005

On Nov 17, 2005, at 3:47 AM, glyph at divmod.com wrote:

> On Wed, 16 Nov 2005 13:48:12 -0500, "Clark C. Evans"  
> <cce at clarkevans.com> wrote:
>>  c) Exarkun expressed a strong (ok, mandatory) preference for the
>>     use of tw.cred in any Authentication solution.  However, it was
>>     noted that tw.cred does not allow for challenge-response
>>     authentication mechanisms (which all of mine are).  Specific
>>     examples were noted: twisted.protocols.sip, SASL, OTP
> Hmm.  How did you get this idea?  Cred's design was specifically to  
> facilitate challenge-response authentication.  That's why login()  
> takes credentials and returns a Deferred.  The assumption is that  
> the credentials object will encapsulate whatever facets of the  
> user's connection are required to do the negotiation process.

While it might be a valid assumption, there is no common public  
interface provided to facilitate it.  Perhaps because no one knows  
what that should look like, perhaps because no one felt it was  
necessary.  But I do believe that something like
twisted.protocols.sip.IAuthorizer, that allows for an arbitrary
number of round trips, should be in cred; either the ICredentials
interface should be extended (probably through a subclass) or a new
interface should be created.  I'm toying with some ideas of how to
best do this, but I don't really "get" cred, so if you have any
requirements other than an arbitrary number of round trips, let me know
so I can take those into account now rather than later.
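
Added example, not part of the original message and not Twisted's cred API: a stdlib-only sketch of the pattern discussed in this thread, where login() takes a credentials object that encapsulates the connection and the checker performs an arbitrary number of challenge-response round trips before the result fires. The names `ConnectionCredentials`, `ChallengeChecker`, `respond` and `try_login` are hypothetical, asyncio coroutines stand in for Deferreds, and the keys are constructed sample values.

```python
import asyncio
import hashlib
import hmac
import secrets

class ConnectionCredentials:
    """Hypothetical credentials object wrapping the client's side of a connection."""
    def __init__(self, username, peer_secret):
        self.username = username
        self._peer_secret = peer_secret  # stands in for the remote peer's key
        self.round_trips = 0

    async def respond(self, challenge):
        # A real protocol would write the challenge and await the peer's reply.
        self.round_trips += 1
        await asyncio.sleep(0)
        return hmac.new(self._peer_secret, challenge, hashlib.sha256).digest()

class ChallengeChecker:
    """Hypothetical checker that drives `rounds` challenge-response round trips."""
    def __init__(self, secrets_by_user, rounds=1):
        if rounds < 1:
            raise ValueError("at least one round trip is required")
        self._secrets = secrets_by_user
        self._rounds = rounds

    async def login(self, credentials):
        secret = self._secrets.get(credentials.username)
        # Unknown users run the same rounds against a throwaway key.
        key = secret if secret is not None else secrets.token_bytes(32)
        ok = secret is not None
        for _ in range(self._rounds):
            nonce = secrets.token_bytes(16)  # fresh per round, never reused
            reply = await credentials.respond(nonce)
            expected = hmac.new(key, nonce, hashlib.sha256).digest()
            ok = hmac.compare_digest(reply, expected) and ok
        if not ok:
            raise PermissionError("unauthorized login")
        return credentials.username

def try_login(checker, credentials):
    """Run one login to completion; return the username or None."""
    try:
        return asyncio.run(checker.login(credentials))
    except PermissionError:
        return None

if __name__ == "__main__":
    checker = ChallengeChecker({"alice": b"constructed-sample-key"}, rounds=3)
    print(try_login(checker, ConnectionCredentials("alice", b"constructed-sample-key")))
```
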


