path: root/docs/narr/security.rst
author: Karl O. Pinc <kop@meme.com> 2014-08-12 23:42:20 -0500
committer: Karl O. Pinc <kop@meme.com> 2014-08-12 23:53:33 -0500
commit: 03e95958a9c2b9042e55bc55e4cdb193649857ef (patch)
tree: 4e1641f1eca35be8a675709b8e05132ebd671db3 /docs/narr/security.rst
parent: 6bedf31e5275c2f2a33051a547aa1dc722aafa97 (diff)
download: pyramid-03e95958a9c2b9042e55bc55e4cdb193649857ef.tar.gz
          pyramid-03e95958a9c2b9042e55bc55e4cdb193649857ef.tar.bz2
          pyramid-03e95958a9c2b9042e55bc55e4cdb193649857ef.zip
Docs: Switched first 2 paragraphs of security overview.
Diffstat (limited to 'docs/narr/security.rst'):
-rw-r--r--  docs/narr/security.rst  22
1 file changed, 12 insertions, 10 deletions
diff --git a/docs/narr/security.rst b/docs/narr/security.rst
index e6bbff44e..203962751 100644
--- a/docs/narr/security.rst
+++ b/docs/narr/security.rst
@@ -6,8 +6,18 @@
Security
========
-:app:`Pyramid` provides an optional declarative authorization system
-that can prevent a :term:`view` from being invoked based on an
+:app:`Pyramid` provides an optional, declarative, security system.
+Security in :app:`Pyramid`, unlike many systems, cleanly and explicitly
+separates authentication and authorization. Authentication is merely the
+mechanism by which credentials provided in the :term:`request` are
+resolved to one or more :term:`principal` identifiers. These identifiers
+represent the users and groups in effect during the request.
+Authorization then determines access based on the :term:`principal`
+identifiers, the :term:`view callable` being invoked, and the
+:term:`context` resource.
+
+The :app:`Pyramid` authorization system
+can prevent a :term:`view` from being invoked based on an
:term:`authorization policy`. Before a view is invoked, the
authorization system can use the credentials in the :term:`request`
along with the :term:`context` resource to determine if access will be
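Review bot: the new second paragraph is wrapped unevenly; "The :app:`Pyramid` authorization system" sits alone on a short line while the following line "can prevent a :term:`view` from being invoked based on an" runs to full width, so refill the paragraph to the same line length as the rest of the file. Also, in "optional, declarative, security system." the comma after "declarative" is not needed; "optional, declarative security system." reads correctly. The added authentication/authorization paragraph itself is the text removed later in this patch, which is fine, but it now introduces :term:`principal` and :term:`view callable` before the overview has said what a view is invoked for; consider keeping the one-sentence "can prevent a view from being invoked" lead ahead of it so the reader meets the high-level promise first.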
@@ -54,14 +64,6 @@ allowed. Here's how it works at a high level:
- If the authorization policy denies access, the view callable is not
invoked; instead the :term:`forbidden view` is invoked.
-Security in :app:`Pyramid`, unlike many systems, cleanly and explicitly
-separates authentication and authorization. Authentication is merely the
-mechanism by which credentials provided in the :term:`request` are
-resolved to one or more :term:`principal` identifiers. These identifiers
-represent the users and groups in effect during the request.
-Authorization then determines access based on the :term:`principal`
-identifiers, the :term:`view callable` being invoked, and the
-:term:`context` resource.
Authorization is enabled by modifying your application to include an
:term:`authentication policy` and :term:`authorization policy`.