Hm, I would prefer to avoid that.
In my case, the cost of creating a new Resource is high (since it needs to parse all the URLs it can dispatch to for all the REST services), therefore I would prefer to cache a single ReadOnlyResource vs AdminResource (as an example) and just serve one or the other.
I guess that doesn't fit into the typical Twisted model that well :-(
Is there some sort of "post authentication" hook that I could listen to?
Jacek
On Mon, Mar 5, 2012 at 10:09 AM,
On 02:58 pm, jacek99@gmail.com wrote:
Hi, I have an extra question going back to our original discussion on security.
If I serve a Resource Avatar from a Realm, is there any built-in way to attach something to the request as it is being intercepted by the Realm?
For example, for every request I would like to create a Principal object (username, first name, last name, list of privileges, etc.) and attach it to every request that has been authenticated.
From the API I see, it seems you can serve a customized Resource (and that is fine for simpler admin vs read-only authentication schemes), but in some cases you need really fine-grained APIs
It's actually fine for all cases, since it lets you do anything you want. For example, make the principal an argument to your custom Resource, save it as an attribute, and use it to make future access control decisions.
Jean-Paul
(where a decorator per each REST method may be the only option), so it would be good for every request to be linked with the Principal that represents the user making the request.
Thanks for any suggestions
Jacek