[Twisted-web] Get access to Avatar from Resource object?
Jacek Furmankiewicz
jacek99 at gmail.com
Thu Feb 23 09:33:27 EST 2012
Well, in my Java day job we use Spring Security, which I have to say works
very well and is very flexible.
So I was trying to go with a similar approach and trying to figure out the
best way to integrate it with the current twisted.web approach for CorePost:
a) a common security filter that intercepts incoming requests. Can be
configured per URL pattern (e.g. "/services/rest","/services/operations"
requires security, but "/services/public" does not)
b) a separate config for the security filter that defines required
privileges (per sub root, e.g. "/services/rest" may require "ADMIN_USER",
but "/services/rest" may require "OPERATIONS_USER")
c) additional optional feature where every REST method can be annotated
with additional privileges (so a GET on a REST resource may need different
privileges vs a POST, PUT or DELETE, etc.)
d) every incoming request creates a Principal (which is a user overriden
type if necessary) that holds info about the current user making the REST
request (e.g. name, roles, privileges, etc.)
I tried looking through twisted.web docs to see if there is a concept of a
generic filter (that can be applied across multiple resources) but didn't
really find anything.
Hence I implemented it manually myself in CorePost 0.0.11.
I will dig further to see how the Spring Security approach (which I like
and it works very well on a huge complex SaaS platform we have) could maybe
be applied on top of the current twisted.web APIs as part of CorePost.
Any suggestions, comments or pointers would be welcome.
Cheers
Jacek
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://twistedmatrix.com/pipermail/twisted-web/attachments/20120223/b6d06d10/attachment.htm
More information about the Twisted-web
mailing list