[Twisted-web] [Nevow] new chapter about authentication

glyph at divmod.com
Fri Aug 4 01:42:13 CDT 2006


On Tue, 01 Aug 2006 21:09:55 +0200, Manlio Perillo <manlio_perillo at libero.it> wrote:

>I have written a new chapter for authentication.
>It is still a draft (as always), and don't forget that I'm not an expert.

I've just had a few minutes to read your chapter.

Unfortunately I feel like it documents things exactly backwards.

If you have issues with guard's implementation strategy they should be dealt with in discussions of implementation, not by telling Nevow's users to ignore it.

Any discussion of authentication in Nevow should begin and end with guard, with perhaps a few footnotes about how one might deal with various security concerns.  Cookies vs. hidden form fields vs. URL prefixes is not an application-level consideration.  Code examples should focus on how to _avoid_ polluting your application with dependencies on implementation details of your authentication mechanism.

Even without talking about integrating with other protocols (which is a _key_ feature of Nevow, as it is the only "twisted native" templating framework), asking every developer to re-implement authentication and choose between different security models and security properties of cookies vs. HTTPS vs. Basic vs. Digest is a recipe for disaster.  This is hard enough for guard to get right by itself.  It is nigh impossible to provide generic, protocol-level APIs and some light discussion of their security implications and still expect people to get it right on their own.

The "dos and don'ts" paper you cited repeatedly points out that security systems should not be written by people who are not experienced at doing such things: the collective experience of the community needs to be brought to bear to get ONE authentication system and API right for Nevow.

Now, guard is not currently as pluggable as it could be, but developers should be strongly encouraged to write to its API so that when we _do_ eventually start adding support for things like ActiveDirectory and OpenID, Nevow applications will generally work properly.
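The separation argued for above, as an added example that is neither Nevow's guard nor twisted.cred code: a constructed, simplified portal, realm and two interchangeable credential checkers (password and anonymous), with application code that only ever handles the avatar, so swapping the login mechanism never touches it. All class and function names here are assumptions for illustration.

```python
import hmac
from collections import namedtuple

# Constructed model of the portal/realm/checker split the mail argues for; it is
# not Nevow's guard or twisted.cred code. Application code only ever sees an avatar.
ANONYMOUS = object()  # avatar id for requests carrying no credentials
UsernamePassword = namedtuple("UsernamePassword", "username password")
Anonymous = namedtuple("Anonymous", [])  # credential for a request with no login

class PasswordChecker:
    """Maps UsernamePassword credentials to an avatar id, or None on failure."""
    credential_type = UsernamePassword
    def __init__(self, users):
        self.users = users  # username -> password (constructed sample table)
    def avatar_id(self, creds):
        expected = self.users.get(creds.username)
        if expected is None:
            return None
        # constant-time compare: a wrong password costs the same as a near miss
        ok = hmac.compare_digest(expected.encode(), creds.password.encode())
        return creds.username if ok else None

class AnonymousChecker:
    credential_type = Anonymous
    def avatar_id(self, creds):
        return ANONYMOUS

class Realm:
    """Turns an avatar id into the (avatar, logout) pair the application works with."""
    def request_avatar(self, avatar_id):
        if avatar_id is ANONYMOUS:
            return {"name": "anonymous", "authenticated": False}, lambda: None
        return {"name": avatar_id, "authenticated": True}, lambda: None

class Portal:
    """Routes each credential type to the checker registered for it."""
    def __init__(self, realm, checkers):
        self.realm = realm
        self.checkers = {c.credential_type: c for c in checkers}
    def login(self, creds):
        checker = self.checkers.get(type(creds))
        avatar_id = checker.avatar_id(creds) if checker else None
        if avatar_id is None:
            return None  # guard would re-issue its login challenge at this point
        return self.realm.request_avatar(avatar_id)[0]

def render_greeting(avatar):
    """Application code: depends only on the avatar, never on the login mechanism."""
    return "Hello, %s" % avatar["name"] if avatar["authenticated"] else "Hello, stranger"
PORTAL = Portal(Realm(), [PasswordChecker({"alice": "s3cret"}), AnonymousChecker()])
```

Adding a new credential type (say, a token from another protocol) means registering one more checker with the portal; `render_greeting` and the realm stay untouched.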


