[Twisted-Python] Is it necessary to utilize twisted.cred in twisted web?

Phil Christensen phil at bubblehouse.org
Mon Oct 5 23:31:50 MDT 2009


Crossposted to twisted-web at twistedmatrix.com, which is probably a
better venue...

On Oct 6, 2009, at 12:08 AM, biziap biziap wrote:
> I have googled this topic and found an example in
> (A) http://www.mail-archive.com/twisted-web@twistedmatrix.com/msg01796.html
> Well, another simpler example is
> (B) http://www.mail-archive.com/twisted-web@twistedmatrix.com/msg01788.html
>
> My questions are:
> 1. Is the approach in (A) recommended? To generate resources
> dynamically seems inefficient and unnecessary for a simple scenario.
> Is there another way to bind twisted.cred and twisted.web together?
> (except the deprecated twisted.web.guard)

There are a few problems with this approach. The biggest is that it
requires username/password data to be sent on every authenticated
request.

Another one is more of a design principle: that you shouldn't have
account/permissions code inside resource display code. I violate this
principle all the time ;-)

The use of dynamic resource instantiation is a common idiom in
twisted.web coding, though. It isn't inherently inefficient, as long
as your resource objects are fairly sane.

> 2. The approach in (B) suggests that request.getSession() alone
> is quite enough to implement a simple authentication feature. Here
> the "simple scenario" means guarding some resource with a username and
> password.
> To do it: in a protected resource, just check for a flag in the
> session; on failure, redirect to the login page. On success, render
> the resource. Why should we bother with the portal, credentials,
> checker, ...?


True, depending on your needs, this may be all that you need. From
your description, though, it sounds like you'd be doing this
authentication step in every resource you want to protect, which could
become tedious (aka error-prone) in a big project.

twisted.cred can seem daunting when you're just trying to protect a
trivial web resource or two, but for more advanced uses like more
complicated authentication levels, it's worth the time to learn. Also,
a big part of its real value comes when you need to support a variety
of protocols and/or authentication types.

-phil



