Hm, I would prefer to avoid that.

In my case, the cost of creating a new Resource is high (since it needs to parse all the URLs it can dispatch to for all the REST services); therefore I would prefer to cache a single ReadOnlyResource vs. AdminResource (as an example) and just serve one or the other.

I guess that doesn't fit into the typical Twisted model that well :-(
Is there some sort of "post authentication" hook that I could listen to?

Jacek

On Mon, Mar 5, 2012 at 10:09 AM, <exarkun@twistedmatrix.com> wrote:
On 02:58 pm, jacek99@gmail.com wrote:
>Hi, I have an extra question going back to our original discussion on
>security.
>
>If I serve a Resource Avatar from a Realm, is there any built-in way to
>attach something to the request as it is being intercepted by the
>Realm?
>
>For example, for every request I would like to create a Principal object
>(username, first name, last name, list of privileges, etc.) and attach it to
>every request that has been authenticated.
>From the API I see, it seems you can serve a customized Resource (and that
>is fine for simpler admin vs read-only authentication schemes), but in some
>cases you need really fine-grained APIs

It's actually fine for all cases, since it lets you do anything you
want.  For example, make the principal an argument to your custom
Resource, save it as an attribute, and use it to make future access
control decisions.

Jean-Paul
>(where a decorator per each REST method may be the only option), so it
>would be good for every request to be linked with the Principal that
>represents the user making the request.
>
>Thanks for any suggestions
>Jacek

_______________________________________________
Twisted-web mailing list
Twisted-web@twistedmatrix.com
http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-web