[Twisted-web] Sessions and Authentication for Web2

glyph at divmod.com
Mon Nov 28 21:20:21 MST 2005



On Mon, 28 Nov 2005 18:18:28 -0800, Kevin Turner <kevin at janrain.com> wrote:
>On Sun, 2005-11-27 at 21:31 +0000, Phil Mayers wrote:
>> it seems the "credentials" *are* the HTTP
>> request object (which in fact is true, given how the HTTP spec is worded
>> I think?).
>
>This is what I tried doing; including the request in the Credentials.
>This works a bit, but it really isn't compatible with t.web.guard.
>Mostly because my Checker ends up doing things to the request, but Guard
>really had plans to do *other* things with that request once
>Portal.login returned, so it ends up in a bit of a wreck.  Maybe it
>would work better if I used a livepage channel instead of a dumb
>request.

It would be better if some specific interface were published via wrapping the request, so that the authentication code could be clearly recognizable.  I don't think it makes sense to think of the request itself as the authentication interface or the credentials, especially as any interesting HTTP-based authentication scheme (even simple challenge/response digest auth) spans multiple requests.
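
Added example, not part of the original message or of Twisted's code: the two-request digest exchange in plain Python, using the no-qop RFC 2617 response. All names (`DigestGuard`, `DigestCredentials`, `client_answer`) are hypothetical; the checker is handed only the wrapped credentials object, while the nonce state lives in the guard across both requests.

```python
import hashlib
import hmac
import secrets

REQUIRED = ("username", "realm", "nonce", "uri", "response")

def md5_hex(text):
    # MD5 is what RFC 2617 digest auth specifies; it is not a general-purpose choice.
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(username, realm, password, nonce, method, uri):
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")  # no-qop form

class DigestCredentials:
    """What the checker sees: header fields plus method, never the request."""
    def __init__(self, method, fields):
        self.method, self.fields = method, dict(fields)
        self.username = fields["username"]

    def check_password(self, password):
        f = self.fields
        expected = digest_response(f["username"], f["realm"], password,
                                   f["nonce"], self.method, f["uri"])
        return hmac.compare_digest(expected, f["response"])

class DigestGuard:
    """Holds the state that outlives a single request: issued nonces."""
    def __init__(self, realm):
        self.realm, self.outstanding = realm, set()

    def challenge(self):
        # Request 1 (no Authorization header): answer 401 with a fresh nonce.
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return {"realm": self.realm, "nonce": nonce}

    def credentials_from(self, method, fields):
        # Request 2: accept only a complete header that answers our own challenge.
        if any(k not in fields for k in REQUIRED) or fields["realm"] != self.realm:
            return None
        if fields["nonce"] not in self.outstanding:
            return None  # unknown or already-used nonce (replay)
        self.outstanding.discard(fields["nonce"])
        return DigestCredentials(method, fields)

def client_answer(challenge, username, password, method, uri):
    # Client side of request 2, built from the server's challenge.
    resp = digest_response(username, challenge["realm"], password,
                           challenge["nonce"], method, uri)
    return {"username": username, "realm": challenge["realm"],
            "nonce": challenge["nonce"], "uri": uri, "response": resp}
```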


