I am trying to understand how Twisted Web security works, based on a few
links:
http://jcalderone.livejournal.com/53074.htmlhttp://twistedmatrix.com/documents/current/web/howto/web-in-60/http-auth.ht…
They all explain how to set up a web app with let's say HTTP auth.
But there are no examples on how a Resource method (let;s say render_GET)
could get access to the current Avatar object?
And does the Avatar object need to implement some specific interface?
What I want to do in CorePost is to allow fine grained privilege-based
security *per method* (similar in style to Spring Security, for those who
know it), e.g.:
@route("/user",Http.GET)
@secured("BROWSE_USER")
def getUser(self,request,**kwargs):
return ...some user info...
@route("/user",Http.POST)
@secured("UPDATE_USER")
def updateUser(self,request,userId,**kwargs):
...create new user, etc...
If the Avatar does not have the required privileges (e.g. "BROWSE_USER" or
"UPDATE_USER" in the example above), I want to throw a 403 Access Denied
automatically.
Thanks for any pointers
Jacek
https://github.com/jacek99/corepost
>From what I understand, once a Resource isLeaf = True, it cannot have child
Resources of its own (no requests seem to get routed to them).
This is not really a realistic scenario in a typical REST application where
nested REST services are common, e.g.
Customer REST service:
*GET /services/customer*
*POST /services/customer*
*PUT /services/customer/<customerId>*
*DELETE /services/customer/<customerId>*
Customer Address REST service:
*GET /services/customer/<customerId>/address*
*POST /services/customer/<customerId>/address*
*PUT /services/customer/<customerId>/address/<addressId>*
*DELETE /services/customer/<customerId>/address/<addressId>*
and so on and so forth....
The only way I can support this in CorePost is to separate the concept of a
Twisted.Web Resource from a standalone REST service for a particular entity.
So let's say I would have a root CorePost Resource hooked up to 'services'
and it would have a child collection of REST service classes and manage
routing the requests
to the appropriate one. Each of the REST services for an entity underneath
that core Resource would NOT be a twisted.web Resource but just a regular
class.
Does this sound correct?
Or am I missing some way of using twisted.web Resource objects that would
allow me to accomplish the same thing without moving away from Resource
as the ancestor of all my REST service classes?
Thanks
Jacek
CorePost is a REST microframework built on top of the core twisted.web APIs
for a more Flask/Sinatra style experience.
Version 0.0.11 has a minor enhancement to add request/response filters.
http://pypi.python.org/pypi/CorePosthttps://github.com/jacek99/corepost (scroll down to "Filters" for samples
of the new functionality)
Cheers
Jacek
My code looks like this:
... # class Site(Resource)
def render_POST(self,request)
otherclass.doAssync(request.args)
print '1'
return "done" #that returns the HTTP response, always the same.
...
def doAssync(self,msg):
d = defer.Deferred()
reactor.callLater(0,self.doStuff,d,msg)
d.addCallback(self.sucess)
def doStuff(self,d,msg):
# do some stuff
time.sleep(2) #just for example
d.callback('ok')
def sucess(msg):
print msg
The output:
1
ok
So far, so good, but, the HTTP response (return 'done'), only happens after
the delay (time.sleep(2)). I can tell this, because the browser keeps
'loading' for 2 seconds.
What am I doing wrong?
Found some answer saying that wsgi twisted does not suport assync, and
maybe Tornado could do this. ... is that true?
Thanks anyway!
Att,
--
*João Ricardo Mattos e Silva*
Graduando em Ciência da Computação na Universidade Federal de Santa Catarina
*Cel: *+55 (48) 96190063 | *Skype:* jricardomsilva | * Msn: *
joaoricardo(a)globalite.com.br
