[Twisted-Python] Authentication & Access Control system for web services

Allen Bierbaum abierbaum at gmail.com
Thu Mar 10 15:01:39 EST 2011

I have been looking into this further and decided on an API that works
as follows:

- Use HTTPS for all requests
- POST to /session to create a new session token
  - pass in username and password as parameters
  - returns token string to be used for all further communication
- All further requests must have the token string which is used to
lookup the user/session
  - on the server, the token will map to a user object to give me
information about their access rights, etc.

Now the question is how does this fit into twisted's view of the
world.  The twisted web in 60 seconds tutorials [1] seem focused on
using HTTP Auth for credential checking and a internal cookie
(TWISTED_SESSION) for session management.  Is there an easy way to
adapt these to my needs or do I need to roll my own code for this type
of twisted.web usage?


[1] http://twistedmatrix.com/documents/current/web/howto/web-in-60/index.html

On Mon, Mar 7, 2011 at 9:19 AM, Allen Bierbaum <abierbaum at gmail.com> wrote:
> I have a REST service I have implemented using twisted.web.  Based
> upon a new requirement I need to put role-based access control
> security on the service and am trying to find the most twisted way to
> do it.
> I would like to have:
> - Username / password login that is checked against a backend database
> - Roles and associated privileges associated with each user
> - Administration interface to edit users, roles, and privileges
> - "Simple" way to configure the access control requirements on the
> services. (ex: which services need which roles)
> Before I role my own code I wanted to check and see if there are any
> addons for this or if anyone else had attacked this problem with
> twisted and had some open source code I could look at.
> I have found a couple of projects for WSGI that I may try to pull
> ideas from, but I haven't yet found anything that uses the twisted
> resource model.  (http://authkit.org/,
> http://docs.repoze.org/who/2.0/)
> Any pointers to twisted projects I could leverage?
> -Allen

More information about the Twisted-Python mailing list