Web Site Security With repoze.who and repoze.what

This article first appeared in the May 2009 issue of Python Magazine and has been slightly updated. The contents of the article are only applicable to repoze.who 1.0 and repoze.what 1.0, not repoze.who 2 and repoze.what 1.1 which are under development as of this writing.

Have you ever created a Web application? If so, it’s very likely that you have at one time or another faced “the security problem”: whether to create and maintain a homegrown security subsystem, or to learn to use framework-specific security mechanisms (which may not be as flexible as you wish).

Securing Web applications shouldn’t be a problem. This article explores a highly extensible alternative which you can learn once and use in arbitrary applications, regardless of the Web framework used (if any!).

“WSGI from Start to Finish” at EuroPython 2010

If you’re a Web Application Developer using Python, you may be very interested in the tutorial I am presenting at EuroPython 2010: “WSGI from Start to Finish: How to use the power of WSGI to solve problems your framework cannot solve”.

Your favorite Web framework is not able to meet all your needs, all the time; some problems cannot even be solved at the framework level. In such situations, the Python Web Server Gateway Interface may save you a lot of time and trouble, giving you the opportunity to implement an elegant solution or integrate existing framework-independent third party solutions.

And chances are, a better WSGI-based alternative exists for something your framework is apparently good at. WSGI is a very powerful technology, and the kind of things you can do with it may surprise you.

It doesn’t matter if you know little about WSGI or nothing at all, because when I say “from start to finish” I really mean it. In this half-day tutorial, I’ll try to cover both simple and complex real-world situations solved with WSGI. The tutorial is relevant for Django/Pylons/TurboGears/etc users, and for those who don’t use a Web framework at all!

Getting back on track

Yes, I’m alive.

Since the second half of last summer I’ve been inactive in the Free Software arena. No commits and no emails from me in the last few months, which may suggest that the projects are dead. So I wanted to write to let you know that I have no plans to stop maintaining any of my projects. I will start to catch up with all the things I’ve missed in the projects I normally contribute to and the projects I develop alone.

The reason you’ve heard nothing from me is that I left Spain to move to Oxford, in order to work at the cool company behind 2degreesnetwork.com. The removal was the most time-consuming and stressful thing I’d ever done, but after one month working here, I’m happy to say that it was worth it. The atmosphere is just like I thought Web 2.0 companies were, and I am surrounded by nice and talented people. I couldn’t be happier.

Well, back to the projects, I had to wait a lot to get access to the Internet at home, but I got it a couple of weeks ago and have been catching up (slowly) with the pending stuff. I still have a huge stack of unanswered emails, for example.

For the last couple of weeks I was working fulltime on repoze.what 1.1 and repoze.what-django. I hope to finish the documentation and get the first alpha releases out very soon; the code itself is pretty much ready and, as usual, fully tested. I didn’t have plans to do a repoze.what 1.1 release anytime soon, but while developing repoze.what-django I found myself implementing something which would be useful outside Django (i.e., ACLs) and thus I decided to move it to repoze.what.

After that, I want to improve the auth documentation in TurboGears 2. repoze.what-pylons is the crucial part of the repoze.what integration in TG2 and it’s fully documented, but duplicating part of those docs won’t do any harm and adding some tips and tricks would be nice. I started doing that some months ago but never committed it; I have to finish it this time.

Then I’d like to make repoze.what-pylons take advantage of the new features in repoze.what 1.1, like repoze.what-django already does.

That’s it for the foreseeable future. Next year I really want to get serious with Booleano and PyACL.

Auth: What you may expect from TurboGears 2

Those still using TurboGears 1 will find a big improvement in the authentication and authorization area when they upgrade to version 2: TurboGears 2 ships with an easy-to-use, pluggable, extensible and well-documented authentication and authorization system, powered by repoze.who and tgext.authorization (whose documentation will be available along with TurboGears’ very soon).

Some of the features include:

  1. You may store your users’ credentials where you want – in a database, an LDAP server, an htpasswd file, etc.
  2. You’ll be able to store your groups and permissions where you like too, and also use as many group and permission sources as you need. What if your application’s main database already stores your groups and permissions, but the company’s IT department needs to reuse their htgroup file in the application? That would be a piece of cake.
  3. You’ll be able to manage your authorization settings with an API independent of the underlying source(s) (databases, Ini files, etc). Yes, add/edit/delete groups and/or permissions.
  4. You’ll be able to grant permissions to anonymous users (hopefully available this week).
  5. Do the above and more without writing too much code.

Right now there’s only the SQL plugin, so in the meantime you may still only store your groups and permissions in a SQLAlchemy or Elixir managed database, but very soon we’ll have the Ini plugin (to store groups and permissions in *.ini files) and even more.
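The points above describe an architecture rather than an API: every group or permission source adapts its storage to one small interface, and the authorization check reads the union of all configured sources. The following is an added, self-contained illustration of that idea written for this page; it is not repoze.what’s or tgext.authorization’s own code, and the class and function names (GroupSource, DictGroupSource, HtgroupSource, DictPermissionSource, Authorizer, build_example_authorizer) are invented for the example. It combines an in-memory dict standing in for the application database with a parser for the Apache htgroup format (“groupname: user1 user2 …”) that the IT department scenario mentions, and it also handles anonymous users (item 4) by giving them a fixed permission set instead of consulting the group sources. The sample data is constructed.

```python
"""Added example: one authorization check over several group/permission sources.

Illustrative code for this page, not repoze.what's own API. All names are
assumptions made for the example.
"""
import re
from typing import Dict, Iterable, Set


class GroupSource:
    """Interface every group source adapts to: user -> set of group names."""

    def groups_for(self, userid: str) -> Set[str]:
        raise NotImplementedError


class DictGroupSource(GroupSource):
    """Stands in for the application's database (group -> members)."""

    def __init__(self, memberships: Dict[str, Iterable[str]]):
        self._index: Dict[str, Set[str]] = {}
        for group, users in memberships.items():
            for user in users:
                self._index.setdefault(user, set()).add(group)

    def groups_for(self, userid: str) -> Set[str]:
        return set(self._index.get(userid, ()))


class HtgroupSource(GroupSource):
    """Parses Apache htgroup text: 'groupname: user1 user2 ...' per line."""

    _LINE = re.compile(r"^\s*([^:\s]+)\s*:\s*(.*)$")

    def __init__(self, text: str):
        self._index: Dict[str, Set[str]] = {}
        for raw in text.splitlines():
            line = raw.strip()
            if not line:
                continue                      # blank lines are skipped
            match = self._LINE.match(line)
            if not match:
                continue                      # malformed line: ignore, don't crash
            group, members = match.group(1), match.group(2).split()
            for user in members:
                self._index.setdefault(user, set()).add(group)

    def groups_for(self, userid: str) -> Set[str]:
        return set(self._index.get(userid, ()))


class DictPermissionSource:
    """Permission source: group -> set of permission names."""

    def __init__(self, grants: Dict[str, Iterable[str]]):
        self._grants = {g: set(p) for g, p in grants.items()}

    def permissions_for(self, group: str) -> Set[str]:
        return set(self._grants.get(group, ()))


class Authorizer:
    """Answers group/permission questions over any number of sources."""

    def __init__(self, group_sources, permission_sources, anonymous_permissions=()):
        self.group_sources = list(group_sources)
        self.permission_sources = list(permission_sources)
        self.anonymous_permissions = set(anonymous_permissions)

    def groups_for(self, userid):
        if userid is None:                    # anonymous: never consult sources
            return set()
        groups: Set[str] = set()
        for source in self.group_sources:
            groups |= source.groups_for(userid)
        return groups

    def permissions_for(self, userid):
        if userid is None:                    # anonymous gets a fixed grant only
            return set(self.anonymous_permissions)
        perms: Set[str] = set()
        for group in self.groups_for(userid):
            for source in self.permission_sources:
                perms |= source.permissions_for(group)
        return perms

    def has_permission(self, userid, permission: str) -> bool:
        return permission in self.permissions_for(userid)


# Constructed sample data: an application database plus the IT department's
# existing htgroup file, both feeding the same Authorizer.
HTGROUP_SAMPLE = "admins: alice bob\ndevelopers: carol  dave\n\nops: bob erin\n"


def build_example_authorizer() -> Authorizer:
    db_groups = DictGroupSource({"developers": ["alice", "carol"], "editors": ["frank"]})
    it_groups = HtgroupSource(HTGROUP_SAMPLE)
    grants = DictPermissionSource({
        "admins": ["manage-users", "edit"],
        "developers": ["deploy"],
        "editors": ["edit"],
        "ops": ["deploy"],
    })
    return Authorizer([db_groups, it_groups], [grants], anonymous_permissions=["view"])


if __name__ == "__main__":
    auth = build_example_authorizer()
    for user in ("alice", "bob", "dave", "frank", None):
        print(user, sorted(auth.groups_for(user)), sorted(auth.permissions_for(user)))
```

Alice is a developer in the database and an admin in the htgroup file, so her permissions are the union of both groups’ grants; an anonymous user (userid None) only ever receives the explicitly configured anonymous permissions, never anything derived from group membership.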

In the future you’ll also be able to get OpenID authentication with a couple of lines of code (there’s a work in progress) and possibly OAuth authorization too.

And you may give it a try now! You can either try the latest code from the trunk or wait for the first TG2 beta which will hopefully be released in a couple of days.

Joining the development of TurboGears

I’ve had the great pleasure of being invited by the TurboGears team to become an official committer for the great TurboGears framework.

This is because I’ve been contributing patches for TurboGears 2 and other packages used by Animador (a TurboGears 2 application), since I started its development, in order to fix bugs and/or add new features that I want in Animador. So now I can apply my changes by myself! 😉

And stay tuned, because very soon it’s going to be very easy to add OpenID support to any WSGI application by means of a plugin for the framework-independent repoze.who package!