[Twisted-web] Finer-Grained Security System for Twisted Web/Nevow?

Sun Apr 19 05:40:06 EDT 2009

Hi, I'm working with Twisted Web/Nevow and have questions about my options for
                         user authentication.  I've read all the docs on
portal/realm/cred and have a
simple website working using those (and guard.SessionWrapper) that prompts for
                         login.  However I'm not sure of the correct design
approach to using that
technique for a site with mixed access controls.

>From reading the sources, it appears that the portal/realm/cred system only
                          checks the user identity at the -start- of an HTTP
request, prior to URL
traversal or page delivery.  Once the realm has returned an appropriate avatar
                         representing a specific tree of pages/resources,
there appear to be no further                          security controls for
finer control.

I see two problems with that approach:

1) It is rather monolithic; you can't grant access to this page or that one
                          selectively, or perhaps add a security check into
the URL traversal steps to                            control access to a
hierarchy of sub-pages.  Viewing the portal as the
      frontdoor of a site requiring authentication, it makes it tricky to have
some                           non-authenticating pages for visitors to
register or have their forgotten                               password mailed
to them.  To do those tasks, it seems necessary to create
          multiple portals for a single site, one for the
sign-up/password-reminder set                           of pages, and another
portal for the members-only pages.

2) Alternatively, one could dynamically generate a custom tree of
                        pages/resources within the realm object, returning a
different tree depending                           upon the
identity/permissions of the user.  This would seem to make it
                 complicated to (a) guarantee that all visitors see the exact
same URL                                   structure and, (b) consume more
time/memory with constructing duplicate page/resource trees when thousands of
users may be visiting the site, with a mix of permissions.

I'm thinking I'll have to write something like decorators for page resources
that front-end the locateChild method (for access control over traversal),

and perhaps the renderHTTP method (for access control over page delivery) with
                         permissions checking logic.

Maybe I've misread the Twisted/Nevow sources and there is already a mechanism
                          for, it seems to me, this common use case for a
membership-type of website.                             Considering the
complexity of the cred system that gives us such great
          flexiblity in authentication, I don't really want to have to bypass
it and                             write my own mechanism.  Surely others have
been here before me.

Any advice is appreciated,

-Jeff