
Can Pyramid's Built-in Authentication/Authorization Implement Complex Security Schemes?

Developer https://www.devze.com 2023-03-29 02:40 Source: web

It seems like the security model fits very small projects, but that it is probably not feasible to write all possible registered users' hashed passwords in security.py. Do you know any examples of scaling up Pyramid's authentication, or are there any benefits to calling through Pyramid's security scheme into my own database of security information?


I don't think the size of the project is related to the security model. Either you want a simple or a complex security model. Both can be applied to projects of any size. One of Pyramid's strong points is its extensibility.

Why would you store hashed passwords in security.py? (cmiiw here, I probably misunderstood) If you read this on someone's code, that's probably just an example. In real apps, you save them in a storage/persistence system of your choice.

Again, I don't understand what you mean by "scaling up authentication". My guess is you want some working examples:

  • tutorial from the docs
  • shootout application: small and good example with forms
  • pyramid auth demo: complex/granular/row-level permission
  • pyramid apex: 3rd party auth (google, twitter, etc) with velruse, forms etc
  • pyramid registration: unfinished library; you can steal some ideas from it


No idea what your needs are or what you mean by "scaling up security", but Pyramid's authentication policy is very flexible. You need to understand though that it doesn't maintain users and passwords; it merely provides a mechanism for obtaining a user identifier from the incoming request. For example, the AuthTktAuthenticationPolicy keeps track of the user id by cookie that you set using the remember method.

What meaningful information you derive from that user id is totally up to you and is application specific.

So really the question you may want to ask is can your application "scale up security".

I can't show you code because it's proprietary but I've needed to support openid, http auth and your typical db backed user store on the same application, with the extra added complication that users are stored in different database shards and the shard can't be immediately determined. It takes very little code to support this.
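As an added example (not code from any of the answers above), this is the split the previous answer describes: Pyramid's ticket policy only recovers a userid from the cookie, while password verification and group lookup happen against the application's own store. The in-memory `USERS` dict is a constructed stand-in for a database table, and `verify_password`, `groupfinder` and `make_app` are names I chose, not Pyramid API.

```python
import hashlib
import hmac
import os

def _hash(password, salt):
    """PBKDF2-SHA256; the stored value Pyramid never sees or cares about."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def _record(password, groups):
    salt = os.urandom(16)  # per-user random salt
    return {"salt": salt, "pw": _hash(password, salt), "groups": groups}

# Constructed sample user store; in a real app this is your database.
USERS = {
    "alice": _record("correct horse", ["group:editors"]),
    "bob": _record("hunter2", []),
}

def verify_password(userid, password):
    """True only if the user exists and the password matches its stored hash."""
    rec = USERS.get(userid)
    if rec is None:
        return False
    return hmac.compare_digest(rec["pw"], _hash(password, rec["salt"]))

def groupfinder(userid, request):
    """Callback for AuthTktAuthenticationPolicy: map the userid recovered from
    the ticket cookie to extra principals. Returning None tells Pyramid the
    userid is not (or no longer) a valid user, so the ticket is ignored."""
    rec = USERS.get(userid)
    return None if rec is None else list(rec["groups"])

def make_app(secret):
    """Wire the policy; Pyramid imports are local so the functions above stay
    usable (and testable) without Pyramid installed."""
    from pyramid.authentication import AuthTktAuthenticationPolicy
    from pyramid.authorization import ACLAuthorizationPolicy
    from pyramid.config import Configurator
    from pyramid.httpexceptions import HTTPForbidden, HTTPFound
    from pyramid.security import forget, remember

    def login(request):
        userid = request.params.get("userid", "")
        if not verify_password(userid, request.params.get("password", "")):
            raise HTTPForbidden()
        # remember() only issues the signed ticket cookie; the store stays ours.
        return HTTPFound(location="/", headers=remember(request, userid))

    def logout(request):
        return HTTPFound(location="/", headers=forget(request))

    config = Configurator()
    config.set_authentication_policy(AuthTktAuthenticationPolicy(
        secret, callback=groupfinder, hashalg="sha512", http_only=True))
    config.set_authorization_policy(ACLAuthorizationPolicy())
    config.add_route("login", "/login")
    config.add_view(login, route_name="login")
    config.add_route("logout", "/logout")
    config.add_view(logout, route_name="logout")
    return config.make_wsgi_app()
```

The `secret` passed to `make_app` signs the ticket, so keep it out of source control; set `secure=True` on the policy once the app is served over TLS.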


I ended up building something for myself that makes authentication a little easier if you happen to be using MongoDB.

https://github.com/mosesn/mongauth

It isn't built into pyramid, but hooks in easily enough. Everything is pretty transparent.
