No subject


Fri Oct 28 10:01:47 EDT 2011


Hi, I have an extra question going back to our original discussion on
security.

If I serve a Resource Avatar from a Realm, is there any built-in way to
attach something to the request as it is being intercepted by the Realm?

For example, for every request I would like to create a Principal object
(username, first name, last name, list of privileges, etc.) and attach it
to every request that has been authenticated.

From the API I see, it seems you can serve a customized Resource (and that
is fine for simpler admin vs read-only authentication schemes), but in some
cases you need really fine-grained APIs
(where a decorator per each REST method may be the only option), so it
would be good for every request to be linked with the Principal that
represents the user making the request.

Thanks for any suggestions
Jacek

On Thu, Feb 23, 2012 at 4:53 PM, Glyph <glyph at twistedmatrix.com> wrote:

>
> On Feb 23, 2012, at 4:09 PM, Jacek Furmankiewicz wrote:
>
> Ah, I think I get it.
>
>
> Hooray!
>
> So Avatar = root resource that this user can access, correct?
>
>
> Yes, that is exactly correct!
>
> (More generally: root protocol-specific thing that a user can access,
> since this applies to other authenticated protocols as well, and ideally,
> eventually, all protocols within Twisted.)
>
> That is quite flexible actually. It's like you can serve a totally
> different application (i.e. resource) to the user depending on their
> credentials/roles/etc.
>
>
> Yup.  And you can write wrappers in whatever way you see fit.  The idea is
> that instead of inserting "self.makeSureItIsSecure()" checks in (or
> decorators on) every single method, users without the proper authentication
> can't even *access the objects* whose methods they want to call; there's
> no security error, just a 404.  This means that it's much harder to make
> the mistake where you grant too much authority to anonymous users.
>
> I will wrap my head around it a bit more in the coming weeks and see how I
> can add the functionality I want (able to add fine grained security per
> REST method on a resource)
> while working in spirit with the twisted.web.guard approach.
>
>
> Great.  I'm really enthusiastic to see what you come up with.  Feel free
> to continue discussing ideas on this list as you're thinking through them -
> this is an area of Twisted that could stand to be talked about a lot more
> :).
>
> Thanks to everyone for your help
>
>
> Always happy to help someone through to the point of actual understanding!
>
> -glyph
>
>
> _______________________________________________
> Twisted-web mailing list
> Twisted-web at twistedmatrix.com
> http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-web
>
>
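The two ideas in this exchange, Glyph's (the avatar is the per-user root resource, so an unauthenticated caller gets a 404 because the objects are simply not reachable) and Jacek's (a Principal attached to every authenticated request so that a per-method decorator can consult it), as an added illustration that is not code from this thread or from Twisted itself. It is a dependency-free model: `Realm.requestAvatar`, `Resource.getChild`/`render`, `Principal`, `requires` and the sample user directory are all simplified, constructed stand-ins for the shapes of twisted.cred and twisted.web.guard, not their real APIs.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    """Identity attached to an authenticated request (assumed shape)."""
    username: str
    privileges: FrozenSet[str] = frozenset()


@dataclass
class Request:
    """Stand-in for a web request: path segments, HTTP method, principal slot."""
    path: Tuple[str, ...]
    method: str
    principal: Optional[Principal] = None


class NotFound(Exception):
    """Maps to 404: the object is not reachable for this caller at all."""


class Forbidden(Exception):
    """Maps to 403: the object is reachable but this method needs a privilege."""


def requires(privilege):
    """Per-method check that reads the Principal the avatar wrapper attached."""
    def decorator(method):
        def wrapper(self, request):
            p = request.principal
            if p is None or privilege not in p.privileges:
                raise Forbidden(privilege)
            return method(self, request)
        return wrapper
    return decorator


class Resource:
    """Minimal resource: child lookup plus per-HTTP-method dispatch."""
    def getChild(self, name, request):
        raise NotFound(name)

    def render(self, request):
        handler = getattr(self, "render_" + request.method, None)
        if handler is None:
            raise NotFound(request.method)
        return handler(request)


class UsersResource(Resource):
    def render_GET(self, request):
        return "user list for %s" % request.principal.username

    @requires("users:write")          # fine-grained check on one REST method
    def render_DELETE(self, request):
        return "deleted by %s" % request.principal.username


class AppRoot(Resource):
    """The application tree; it never checks credentials itself."""
    def getChild(self, name, request):
        if name == "users":
            return UsersResource()
        raise NotFound(name)


class PrincipalAttachingAvatar(Resource):
    """Avatar root for an authenticated user: stamps the Principal on each
    request, then delegates into the real tree."""
    def __init__(self, principal, wrapped):
        self.principal = principal
        self.wrapped = wrapped

    def getChild(self, name, request):
        request.principal = self.principal
        return self.wrapped.getChild(name, request)

    def render(self, request):
        request.principal = self.principal
        return self.wrapped.render(request)


class AnonymousAvatar(Resource):
    """Avatar for unauthenticated callers: no children and nothing to render,
    so every path is a plain 404 rather than a security error."""


class Realm:
    """Simplified stand-in for twisted.cred's IRealm.requestAvatar."""
    def __init__(self, directory):
        self.directory = directory        # avatarId -> Principal

    def requestAvatar(self, avatar_id):
        if avatar_id is None:             # anonymous caller
            return AnonymousAvatar()
        return PrincipalAttachingAvatar(self.directory[avatar_id], AppRoot())


def handle(realm, avatar_id, path, method):
    """Walk the path from the caller's avatar root and render; (status, body)."""
    request = Request(path, method)
    node = realm.requestAvatar(avatar_id)
    try:
        for segment in path:
            node = node.getChild(segment, request)
        return 200, node.render(request)
    except NotFound:
        return 404, ""
    except Forbidden:
        return 403, ""


DIRECTORY = {                             # constructed sample identities
    "alice": Principal("alice", frozenset({"users:read"})),
    "bob": Principal("bob", frozenset({"users:read", "users:write"})),
}
REALM = Realm(DIRECTORY)

if __name__ == "__main__":
    for who, method in [(None, "GET"), ("alice", "GET"),
                        ("alice", "DELETE"), ("bob", "DELETE")]:
        print(who, method, handle(REALM, who, ("users",), method))
```

The avatar wrapper is the single place where the Principal is attached, so the application tree stays free of credential handling, and the `requires` decorator only adds a 403 on top of objects the caller can already reach; the 404 for anonymous callers falls out of never handing them the real tree in the first place.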
