On Monday, 2 June 2014 04:25:13 UTC-7, Gerhard Schmidt wrote:

> The authorization policy gets the principals returned by the group finder,
> which may include the original principal but may not. So I would have to
> re-implement the group finder within the authorization policy. Sounds
> redundant to me. The group finder would effectively be called with its
> results repeatedly, which might be quite a performance hit if the
> first iteration returns quite a few principals.
>
> Making the authentication policy context-aware doesn't have this
> redundancy and therefore has a much smaller performance impact (none if the
> context is not used).
I think you should avoid redundancy by moving your logic from the groupfinder into an authorization policy ;)

There's a nice explanation of the distinction between authentication and authorization in the Apache docs: http://httpd.apache.org/docs/2.4/howto/auth.html

> Authentication is any process by which you verify that someone is who they
> claim they are. Authorization is any process by which someone is allowed to
> be where they want to go, or to have information that they want to have.

Contextual decisions are the responsibility of the authorization policy. Working with this distinction opens up some useful possibilities:

* If you are doing permission filtering you can avoid the contextless overhead of userid extraction and global group lookup by caching the result of effective_principals on the request object using a simple wrapping authentication policy. This will make subsequent calls to request.has_permission less costly.

* By storing the result of ``principals_allowed_by_permission`` along with the response when caching or indexing content you can cheaply validate access by simply intersecting a user's effective_principals with the stored principals_allowed_by_<permission>, or filter search results. In my site I add this to the elasticsearch query, though the principle extends to other databases too.

Laurence
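The two techniques Laurence describes, as an added example that is not part of the original thread or of Pyramid itself: a wrapping authentication policy that memoises ``effective_principals`` on the request object, and a search-result filter that intersects those principals with a per-document ``allowed_<permission>`` field stored at index time. The policy classes only mirror the shape of Pyramid 1.x's authentication policy interface (``effective_principals(request)``, ``authenticated_userid(request)``, a groupfinder callback); nothing is imported from ``pyramid`` so the block runs stand-alone. The user/group table, the request stand-in and the indexed documents are constructed sample data, and the ``allowed_view`` field name and the ``calls`` counter are assumptions made for illustration.

```python
"""Cached effective_principals plus stored allowed-principals filtering.

Added example; assumes a Pyramid-1.x-like policy interface but does not
import pyramid. All data below is constructed for the demonstration.
"""

EVERYONE = 'system.Everyone'          # same strings pyramid.security uses
AUTHENTICATED = 'system.Authenticated'

# Constructed user directory: userid -> group names (global, context-free).
GROUPS = {'alice': ['editors'], 'bob': []}


class Request:
    """Stand-in for pyramid.request.Request (arbitrary attributes allowed)."""
    def __init__(self, userid=None):
        self.remote_user = userid
        self.calls = {'groupfinder': 0}   # assumed counter to show caching


def groupfinder(userid, request):
    """Global group lookup. Returns None for an unknown user, which the
    policy treats as 'no valid user' (Pyramid's groupfinder contract)."""
    request.calls['groupfinder'] += 1
    if userid not in GROUPS:
        return None
    return ['group:' + g for g in GROUPS[userid]]


class RemoteUserPolicy:
    """Minimal stand-in for an authentication policy that trusts
    request.remote_user and expands it through a groupfinder callback."""
    def __init__(self, callback):
        self.callback = callback

    def unauthenticated_userid(self, request):
        return request.remote_user

    def authenticated_userid(self, request):
        userid = self.unauthenticated_userid(request)
        if userid is not None and self.callback(userid, request) is not None:
            return userid
        return None

    def effective_principals(self, request):
        principals = [EVERYONE]
        userid = self.unauthenticated_userid(request)
        if userid is None:
            return principals
        groups = self.callback(userid, request)
        if groups is None:             # unknown user: anonymous principals only
            return principals
        return principals + [AUTHENTICATED, userid] + groups


class CachingAuthenticationPolicy:
    """Wraps another policy and stores effective_principals on the request so
    every has_permission / filter call within one request reuses one lookup.
    The cache lives only as long as the request, so group changes take effect
    on the next request."""
    _attr = '_cached_effective_principals'

    def __init__(self, wrapped):
        self.wrapped = wrapped

    def effective_principals(self, request):
        cached = getattr(request, self._attr, None)
        if cached is None:
            cached = self.wrapped.effective_principals(request)
            setattr(request, self._attr, cached)
        return cached

    def __getattr__(self, name):       # delegate remember/forget/userid methods
        return getattr(self.wrapped, name)


# Constructed index: each document carries the principals allowed 'view',
# as an authorization policy's principals_allowed_by_permission(context,
# 'view') would have returned at index time. The field name is assumed.
DOCUMENTS = [
    {'id': 'public-faq', 'allowed_view': [EVERYONE]},
    {'id': 'staff-handbook', 'allowed_view': [AUTHENTICATED]},
    {'id': 'style-guide-draft', 'allowed_view': ['group:editors']},
    {'id': 'alice-notes', 'allowed_view': ['alice']},
    {'id': 'unindexed-acl'},           # missing field: must never be visible
]


def filter_visible(policy, request, documents, permission='view'):
    """Return ids of documents whose stored allowed principals intersect the
    caller's effective principals. A document with no stored field is denied."""
    principals = set(policy.effective_principals(request))
    field = 'allowed_' + permission
    return [d['id'] for d in documents if principals & set(d.get(field, ()))]


def es_visibility_filter(principals, permission='view'):
    """The same intersection as an Elasticsearch bool/filter 'terms' clause:
    a document matches when allowed_<permission> shares any value with the
    caller's principals. Shape follows the ES query DSL; adapt to your version."""
    return {'bool': {'filter': [
        {'terms': {'allowed_' + permission: sorted(principals)}}]}}


def demo(userid):
    """Filter the sample index for one request and report how many global
    group lookups it cost despite two effective_principals calls."""
    policy = CachingAuthenticationPolicy(RemoteUserPolicy(groupfinder))
    request = Request(userid)
    visible = filter_visible(policy, request, DOCUMENTS)
    policy.effective_principals(request)   # e.g. a later has_permission call
    return visible, request.calls['groupfinder']


if __name__ == '__main__':
    for user in ('alice', 'bob', None, 'mallory'):
        print(user, demo(user))
```

The stored ``allowed_<permission>`` lists are a snapshot of the ACL at index time, so any change to a context's ACL has to trigger re-indexing or the filter will serve stale decisions; the request-level cache has no such problem because it is discarded with the request. Denying documents that lack the field (the ``unindexed-acl`` entry above) keeps a partially migrated index from leaking content.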
