[Twisted-web] Get access to Avatar from Resource object?
jacek99 at gmail.com
Thu Feb 23 09:33:27 EST 2012
Well, in my Java day job we use Spring Security, which I have to say works
very well and is very flexible.
So I was trying to go with a similar approach and trying to figure out the
best way to integrate it with the current twisted.web approach for CorePost:
a) a common security filter that intercepts incoming requests. Can be
configured per URL pattern (e.g. "/services/rest","/services/operations"
requires security, but "/services/public" does not)
b) a separate config for the security filter that defines required
privileges (per sub root, e.g. "/services/rest" may require "ADMIN_USER",
but "/services/rest" may require "OPERATIONS_USER")
c) additional optional feature where every REST method can be annotated
with additional privileges (so a GET on a REST resource may need different
privileges vs a POST, PUT or DELETE, etc.)
d) every incoming request creates a Principal (which is a user overriden
type if necessary) that holds info about the current user making the REST
request (e.g. name, roles, privileges, etc.)
I tried looking through twisted.web docs to see if there is a concept of a
generic filter (that can be applied across multiple resources) but didn't
really find anything.
Hence I implemented it manually myself in CorePost 0.0.11.
I will dig further to see how the Spring Security approach (which I like
and it works very well on a huge complex SaaS platform we have) could maybe
be applied on top of the current twisted.web APIs as part of CorePost.
Any suggestions, comments or pointers would be welcome.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Twisted-web