author    Casey Duncan <casey.duncan@gmail.com> 2011-01-15 22:20:52 -0700
committer Casey Duncan <casey.duncan@gmail.com> 2011-01-15 22:20:52 -0700
commit    3dc9116f868c40aed42904b95b0ca703b2f73aa3 (patch)
tree      06474213d37574f8ace96431a82f507ea610c175 /docs/narr/security.rst
parent    c90930a41c7ccac634d96536a4c65bce57f5fb8b (diff)
download  pyramid-3dc9116f868c40aed42904b95b0ca703b2f73aa3.tar.gz
          pyramid-3dc9116f868c40aed42904b95b0ca703b2f73aa3.tar.bz2
          pyramid-3dc9116f868c40aed42904b95b0ca703b2f73aa3.zip
XXX explain the authentication/authorization separation in pyramid. Confirm this is correct XXX
Diffstat (limited to 'docs/narr/security.rst')
-rw-r--r-- docs/narr/security.rst | 9
1 files changed, 9 insertions, 0 deletions
diff --git a/docs/narr/security.rst b/docs/narr/security.rst
index 6ea48794c..f20c9f63e 100644
--- a/docs/narr/security.rst
+++ b/docs/narr/security.rst
@@ -41,6 +41,15 @@ allowed. Here's how it works at a high level:
- If the authorization policy denies access, the view callable is not
invoked; instead the :term:`forbidden view` is invoked.
+Security in :app:`Pyramid`, unlike many systems, cleanly and explicitly
+separates authentication and authorization. Authentication is merely the
+mechanism by which credentials provided in the :term:`request` are
+resolved to one or more :term:`principal` identifiers. These identifiers
+represent the users and groups in effect during the request.
+Authorization then determines access based on the :term:`principal`
+identifiers, the :term:`view callable` being invoked, and the
+:term:`context` resource.
+
Authorization is enabled by modifying your application to include an
:term:`authentication policy` and :term:`authorization policy`.
:app:`Pyramid` comes with a variety of implementations of these
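Review bot: the new paragraph ("Security in :app:`Pyramid`, unlike many systems, ...") is inserted directly after the last bullet item ("invoked; instead the :term:`forbidden view` is invoked.") with no blank line in between, so docutils will end the bullet list with an "unexpected unindent" warning and may misrender the paragraph; add a blank line before the new text, mirroring the one you already added after it. Separately, "unlike many systems" is a comparative claim the surrounding narrative documentation does not back up anywhere, and the commit message itself flags the paragraph with "Confirm this is correct XXX"; consider dropping the comparison and stating the separation on its own terms ("Security in :app:`Pyramid` cleanly and explicitly separates authentication and authorization.") until the open question in the commit message is resolved and the XXX marker can be removed.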