Sunday, May 1, 2011

Handling Authorization in web frameworks

I want to write a simple web framework myself using WSGI and Python. I am studying how to understand the authorization system.

The system needs to be modular and abstract enough that a new subsystem can be added to the project as a plug-in. Users may use a DB, a distributed key/value store, Bigtable, etc. to store their information.

Let's say these sorts of things are containers or providers which can be written as plug-ins to the system.

I want to define a very high-level IDENTITY for the user who has logged in. "Identity" is the right word, used by many frameworks. But it is really tough to define "Identity" as an object due to its complex nature. It may contain anything that is specific to the application. When we write the application, the application shall take care of what is in the identity. But as a framework, it doesn't care what the identity is.

Authentication shall be separated from authorization.

Users, Groups, Roles/Permissions can be designed as plug-ins. The idea behind this concept is to write a good framework (at least for me, for research) with enough space for plug-ins, and to allow the application developers to write portable code which suits the application.

Is it possible to work with an 'identity' object across the entire framework?

From Stack Overflow:
  • "Is it possible to work with an 'identity' object across the entire framework?"

    "But it is really tough to define "Identity" as an object due to its complex nature. "

    Until you define identity, yes, it's difficult to work with.

    Identity has to be positively specified. Leaving it so vague that "It may contain anything, that is specific to application" means you can't ever get started writing anything useful because you're too worried that "someday someone might invent a concept of identity that you can't handle".

    Stop worrying. Identity is well defined and is not complex. HTTP and other protocols define "authorization" (really authentication) with usernames, passwords and realms. And that's all you really need.

    Do what Django does: allow someone to add a "Profile" with additional facts about the person. The Profile is not central to identity and authentication. It's not central to authorization. But anyone can add "Profile" stuff for their specific application.

    Do not write one model that does everything.

    Write one model that works and someone can add to.
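The split the answer recommends, as an added Python/WSGI example that is not part of the original post or of any framework: the framework itself knows only a username-and-realm Identity, authentication lives in a pluggable provider that a middleware runs once per request, and authorization is a separate role provider consulted by a decorator. The provider classes, the environ key "framework.identity", the in-memory user table and every credential in it are assumptions constructed for this example.

```python
import base64, hmac
from collections import namedtuple

# All the framework itself knows about a logged-in user: who, and in which realm.
Identity = namedtuple("Identity", "username realm")

class BasicAuthProvider:
    """Authentication plug-in (constructed sample): HTTP Basic against an in-memory table;
    a real provider would verify salted hashes fetched from a DB or key/value store."""
    def __init__(self, realm, users):
        self.realm, self.users = realm, users
    def authenticate(self, environ):
        header = environ.get("HTTP_AUTHORIZATION", "")
        if not header.startswith("Basic "):
            return None
        try:
            user, _, password = base64.b64decode(header[6:]).decode().partition(":")
        except ValueError:  # bad base64 or bad UTF-8 means "not logged in", never a 500
            return None
        # constant-time compare so timing does not reveal how much of the secret matched
        if user in self.users and hmac.compare_digest(self.users[user].encode(), password.encode()):
            return Identity(user, self.realm)
        return None

class RoleProvider:
    """Authorization plug-in: usernames to roles, independent of how the user logged in."""
    def __init__(self, roles):
        self.roles = roles
    def has_role(self, identity, role):
        return role in self.roles.get(identity.username, set())

def identity_middleware(app, auth):  # one authentication pass per request
    def wrapped(environ, start_response):
        environ["framework.identity"] = auth.authenticate(environ)  # Identity or None
        return app(environ, start_response)
    return wrapped

def require_role(role, roles, realm):
    """Guards a WSGI app: 401 when anonymous, 403 when authenticated but lacking the role."""
    def decorator(app):
        def guarded(environ, start_response):
            if (ident := environ.get("framework.identity")) is None:
                start_response("401 Unauthorized", [("WWW-Authenticate", 'Basic realm="%s"' % realm)])
                return [b"login required"]
            if not roles.has_role(ident, role):
                start_response("403 Forbidden", [("Content-Type", "text/plain")])
                return [b"forbidden"]
            return app(environ, start_response)
        return guarded
    return decorator
```

A per-application "Profile" would be a third plug-in keyed by Identity.username, looked up only by the application code that needs it, so neither the authenticator nor the role provider has to know it exists.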
