[Twisted-web] [Nevow] new chapter about authentication

L. Daniel Burr ldanielburr at mac.com
Thu Aug 3 19:58:58 CDT 2006


On Thu, 03 Aug 2006 17:54:54 -0500, Valentino Volonghi aka Dialtone  
<dialtone at divmod.com> wrote:

[snip long, painful, ongoing discussion between dialtone and Manlio]

>
> What do the others think about this? Glyph, exarkun, idnar, amberite,  
> etc.?
>

I think this whole discussion is based on a misunderstanding.  Speaking
as someone who only develops web applications, twisted.cred has always
made exactly zero sense to me.  This is not to say that twisted.cred by
itself is bad; on the contrary, it is probably the only way to provide
an authentication interface that works with all the different kinds of
server/clients you can build with twisted.

If you are like me, and only spend your time building apps on top of
HTTP, then guard seems hopelessly complicated.  I know how authentication
works in the world of HTTP: There's Basic, there's Digest, and there's
"POST the login form to the server", in both plain-vanilla HTTP and also
chocolatey HTTPS flavors.  Having that model in one's head really makes
guard and cred seem like a lot of complications for no real benefit.

Until you write something other than a web application.

Then, it makes sense, and the water flows, and Spring comes on time, and
your web-app and your telnet-app and your nifty new AMP-app all frolic
together in the meadow.

To me, the bottom line is this: If all you are ever going to do is build
web applications, then you will *never* see any real point in jumping
through all of cred's hoops (portal, avatar, mind, WTF?  I just want a
freaking username/password combo, secured by SSL, like almost every other
web app on Earth!).  If, on the other hand, you start building stacks of
nifty twisted services (a chat server, web server, ftp server, etc) that
all work together, then give up your HTTP-centric view of authentication,
and accept that cred is probably as good as anyone is going to do in a
multi-protocol world, at least for now.

My two cents,

L. Daniel Burr (amberite)


