Hm, I would prefer to avoid that. In my case, the cost of creating a new Resource is high (since it needs to parse all the URLs it can dispatch to for all the REST services), therefore I would prefer to cache a single ReadOnlyResource vs AdminResource (as an example) and just serve one or the other.
I guess that doesn't fit into the typical Twisted model that well :-( Is there some sort of "post authentication" hook that I could listen to?

Jacek

On Mon, Mar 5, 2012 at 10:09 AM, <[email protected]> wrote:

> On 02:58 pm, [email protected] wrote:
> >Hi, I have an extra question going back to our original discussion on
> >security.
> >
> >If I serve a Resource Avatar from a Realm, is there any built-in way to
> >attach something to the request as it is being intercepted by the
> >Realm?
> >
> >For example, for every request I would like to create a Principal object
> >(username, first name, last name, list of privileges, etc.) and attach it
> >to every request that has been authenticated.
> >
> >From the API I see, it seems you can serve a customized Resource (and that
> >is fine for simpler admin vs read-only authentication schemes), but in
> >some cases you need really fine-grained APIs
>
> It's actually fine for all cases, since it lets you do anything you
> want. For example, make the principal an argument to your custom
> Resource, save it as an attribute, and use it to make future access
> control decisions.
>
> Jean-Paul
>
> >(where a decorator per each REST method may be the only option), so it
> >would be good for every request to be linked with the Principal that
> >represents the user making the request.
> >
> >Thanks for any suggestions
> >Jacek
>
> _______________________________________________
> Twisted-web mailing list
> [email protected]
> http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-web
