[Twisted-web] Finer-Grained Security System for Twisted Web/Nevow?
Jeff Rush
jeff at taupro.com
Sun Apr 19 05:40:06 EDT 2009
Hi, I'm working with Twisted Web/Nevow and have questions about my options for
user authentication. I've read all the docs on portal/realm/cred and have a
simple website working using those (and guard.SessionWrapper) that prompts for
login. However I'm not sure of the correct design approach to using that
technique for a site with mixed access controls.
From reading the sources, it appears that the portal/realm/cred system only
checks the user identity at the -start- of an HTTP request, prior to URL
traversal or page delivery. Once the realm has returned an appropriate avatar
representing a specific tree of pages/resources, there appear to be no further
security controls for finer control.
I see two problems with that approach:
1) It is rather monolithic; you can't grant access to this page or that one
selectively, or perhaps add a security check into the URL traversal steps to
control access to a hierarchy of sub-pages. Viewing the portal as the
frontdoor of a site requiring authentication, it makes it tricky to have
some non-authenticating pages for visitors to register or have their forgotten
password mailed to them. To do those tasks, it seems necessary to create
multiple portals for a single site, one for the sign-up/password-reminder set
of pages, and another portal for the members-only pages.
2) Alternatively, one could dynamically generate a custom tree of
pages/resources within the realm object, returning a different tree depending
upon the identity/permissions of the user. This would seem to make it
complicated to (a) guarantee that all visitors see the exact same URL
structure and, (b) consume more time/memory with constructing duplicate
page/resource trees when thousands of users may be visiting the site, with a
mix of permissions.
I'm thinking I'll have to write something like decorators for page resources
that front-end the locateChild method (for access control over traversal),
and perhaps the renderHTTP method (for access control over page delivery) with
permissions checking logic.
Maybe I've misread the Twisted/Nevow sources and there is already a mechanism
for, it seems to me, this common use case for a membership-type of website.
Considering the complexity of the cred system that gives us such great
flexibility in authentication, I don't really want to have to bypass it and
write my own mechanism. Surely others have been here before me.
Any advice is appreciated,
-Jeff
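The decorator approach proposed in the message above, as an added example that is not part of the original post and does not import Nevow. `requires`, `Page`, `serve` and the dict used as `ctx` are hypothetical stand-ins that mirror the `locateChild`/`renderHTTP` method names, and the sketch assumes the avatar's permissions have already been placed in the request context.

```python
import functools

class Forbidden(Exception):
    """The requesting avatar lacks the permission a resource demands."""

def requires(permission):
    """Class decorator (hypothetical): default-deny guard on traversal and delivery."""
    def decorate(cls):
        for name in ("locateChild", "renderHTTP"):
            original = getattr(cls, name)
            def guarded(self, ctx, *args, _original=original):
                if permission not in ctx.get("permissions", ()):
                    raise Forbidden(permission)
                return _original(self, ctx, *args)
            setattr(cls, name, functools.wraps(original)(guarded))
        return cls
    return decorate

class Page:
    """Stand-in for a Nevow page; ctx is a plain dict here (assumption)."""
    children, body = {}, ""
    def locateChild(self, ctx, segments):
        child = self.children.get(segments[0])
        return (child, segments[1:]) if child else (None, ())
    def renderHTTP(self, ctx):
        return self.body

class Register(Page):            # public: visitors can sign up
    body = "sign up"
class Reports(Page):             # not decorated; protected by its parent
    body = "reports"
@requires("member")
class Members(Page):
    body, children = "members", {"reports": Reports()}
class Root(Page):                # one tree shared by every visitor
    children = {"register": Register(), "members": Members()}

def serve(root, path, permissions):
    """Walk the tree as a request would; returns (status, body)."""
    ctx = {"permissions": frozenset(permissions)}
    resource, segments = root, [s for s in path.split("/") if s]
    try:
        while segments:
            resource, segments = resource.locateChild(ctx, segments)
            if resource is None:
                return 404, ""
        return 200, resource.renderHTTP(ctx)
    except Forbidden:
        return 403, ""
```

A subclass of a decorated class that overrides `locateChild` or `renderHTTP` replaces the guarded method, so it needs the decorator applied again.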