让我解释一下这个问题:
我通过Pyramid服务我的静态资产:
config.add_static_view(name='static', path='/var/www/static')
它运作正常。
现在,我有一个自定义会话工厂,可以在数据库中创建会话。它检查浏览器是否提供会话cookie。如果是,它会从数据库中找到一个会话。如果没有,则在DB中创建一个新会话,并将cookie返回给浏览器。
到目前为止一切顺利。
现在,在我的home_view(生成我的主页)中,我没有以任何方式访问请求变量:
@view_config(route_name='home', renderer="package:templates/home.mak")
def home_view(request):
return {}
因此,当用户访问主页时,会发生的事情不会在服务器上创建。我认为这是因为Pyramid只会在您访问request.session时创建会话懒惰。因此,主页请求的响应头不包含会话的任何Set-Cookie标头。
现在在主页的mako模板中,我正在为JavaScript和CSS文件生成静态URL ...
<link rel="stylesheet" href="${request.static_url(...)}"
<script src="${request.static_url(...)}"></script>
现在,由于我从Pyramid提供静态资产,所有对这些资产的请求都会通过整个金字塔机制。
所以,当我的浏览器发送获取静态资产的请求时,会发生什么,Pyramid会创建会话。也就是说,Pyramid在数据库中创建会话,并在浏览器发送静态资产请求时发回会话cookie。这是问题#1。
浏览器会以并行的形式发送静态资产的所有请求。我使用的是最新版本的Firefox和Chrome。由于实际HTML文档的HTTP请求未返回任何Set-Cookie标头,因此对静态资产的请求没有任何cookie标头。这意味着Pyramid没有看到任何请求的会话cookie,并且它在数据库中创建了一个新的会话,用于获取静态资产的每个请求。
如果我在主页上获取7个静态资源,则会创建7个会话条目。这是因为所有这些请求都与服务器并行,并且没有会话cookie,因此Pyramid会为每个请求创建一个会话。
如果我故意作为主页请求的一部分访问会话,则不会出现此问题。它在数据库中创建一个会话,并向浏览器发送一个cookie,然后浏览器会为它从服务器请求的每个静态资产发回(并行)。
@view_config(route_name='home', renderer="package:templates/home.mak")
def home_view(request):
if request.session: pass
return {}
如何阻止在静态资产请求上创建会话。更好的是,我希望Pyramid在收到静态资产请求时甚至不会触及会话工厂 - 这可能吗?
其次,我不明白为什么Pyramid会在静态请求上创建一个新会话?
的更新 的
这是会议工厂。
def DBSessionFactory(
secret,
cookie_name="sess",
cookie_max_age=None,
cookie_path='/',
cookie_domain=None,
cookie_secure=False,
cookie_httponly=False,
cookie_on_exception=True
):
# this is the collable that will be called on every request
# and will be passed the request
def factory(request):
cookieval = request.cookies.get(cookie_name)
session_id = None
session = None
# try getting a possible session id from the cookie
if cookieval is not None:
try:
session_id = signed_deserialize(cookieval, secret)
except ValueError:
pass
# if we found a session id from the cookie
# we try loading the session
if session_id is not None:
# _load_session will return an object that implements
# the partial dict interface (not complete, just the basics)
session = _load_session(session_id)
# if no session id from cookie or no session found
# for the id in the database, create new
if session_id is None or session is None:
session = _create_session()
def set_cookie(response):
exc = getattr(request, 'exception', None)
if exc is not None and cookie_on_exception == False:
return
cookieval = signed_serialize(session.session_id, secret)
response.set_cookie(
cookie_name,
value=cookieval,
max_age = cookie_max_age,
path = cookie_path,
domain = cookie_domain,
secure = cookie_secure,
httponly = cookie_httponly,
)
def delete_cookie(response):
response.delete_cookie(
cookie_name,
path = cookie_path,
domain = cookie_domain,
)
def callback(request, response):
if session.destroyed:
_purge_session(session)
delete_cookie(response)
return
if session.new:
set_cookie(response)
# this updates any changes to the session
_update_session(session)
# at the end of request
request.add_response_callback(callback)
# return the session from a call to the factory
return session
# return from session factory
return factory
然后,
factory = DBSessionFactory('secret')
config.set_session_factory(factory)
的更新 的
我的自定义身份验证:
class RootFactory:
__acl__ = [
(Allow, Authenticated, 'edit'),
# only allow non authenticated users to login
(Deny, Authenticated, 'login'),
(Allow, Everyone, 'login'),
]
def __init__(self, request):
self.request = request
class SessionAuthenticationPolicy(CallbackAuthenticationPolicy):
def __init__(self, callback=None, debug=False):
self.callback = callback
self.debug = debug
def remember(self, request, principal, **kw):
return []
def forget(self, request):
return []
def unauthenticated_userid(self, request):
if request.session.loggedin:
return request.session.userid
else:
return None
然后,
config.set_root_factory(RootFactory)
config.set_authentication_policy(SessionAuthenticationPolicy())
config.set_authorization_policy(ACLAuthorizationPolicy())
答案 0 :(得分:2)
我无法在虚拟项目中重现此行为,这使我相信您有一些配置会影响此处未显示的内容。显然,如果调用任何身份验证,将根据您的身份验证策略创建会话。静态资产(默认情况下)在NO_PERMISSION_REQUIRED注册,这意味着它们不会调用Pyramid中的任何身份验证API(我已经验证过这种情况)。
对静态资产的请求会调用整个请求管道,这意味着如果您在任何订阅者中有任何代码,或者您的根工厂调用has_permission或其他安全API,或者直接触摸会话,那么可以解释您的会话与您的身份验证相关联后所看到的行为。
答案 1 :(得分:2)
这是一个重现问题的虚拟项目:
设置virtualenv环境并在其中安装Pyramid。
安装启动项目:pcreate -s starter IssueApp
删除所有不必要的文件,以便拥有这个简单的树:
树
.
├── CHANGES.txt
├── development.ini
├── issueapp
│ ├── __init__.py
│ └── static
│ └── pyramid.png
├── README.txt
└── setup.py
请注意,我们会在__init__.py文件中编写整个应用程序 - 所以其他所有内容都会被删除。
现在安装项目:(env) $ python setup.py develop这会将您的项目安装到虚拟环境中。
development.ini文件:
[app:main]
use = egg:IssueApp#main
pyramid.reload_all = true
pyramid.reload_templates = true
pyramid.debug_all = true
pyramid.debug_notfound = true
pyramid.debug_routematch = true
pyramid.prevent_http_cache = true
pyramid.default_locale_name = en
[server:main]
use = egg:waitress#main
host = 0.0.0.0
port = 7777
[loggers]
keys = root, issueapp
[handlers]
keys = console
[formatters]
keys = generic
[logger_root]
level = INFO
handlers = console
[logger_issueapp]
level = INFO
handlers =
qualname = issueapp
[handler_console]
class = StreamHandler
args = (sys.stderr,)
level = NOTSET
formatter = generic
[formatter_generic]
format = %(asctime)s %(levelname)-5.5s [%(name)s][%(threadName)s] %(message)s
__init__.py文件:
from pyramid.config import Configurator
from pyramid.view import view_config
from pyramid.response import Response
from pyramid.authentication import CallbackAuthenticationPolicy
from pyramid.authorization import ACLAuthorizationPolicy
from pyramid.security import (
Allow, Deny,
Everyone, Authenticated,
)
def main(global_config, **settings):
""" This function returns a Pyramid WSGI application.
"""
config = Configurator(settings=settings)
#config.add_static_view('static', 'static', cache_max_age=3600)
config.add_static_view(name='static', path='issueapp:static')
config.add_route('home', '/')
config.set_root_factory(RootFactory)
config.set_authentication_policy(DummyAuthPolicy())
config.set_authorization_policy(ACLAuthorizationPolicy())
config.scan()
return config.make_wsgi_app()
@view_config(route_name='home')
def home_view(request):
src = request.static_url('issueapp:static/pyramid.png')
return Response('<img src='+ src + '>')
class RootFactory:
__acl__ = [
(Allow, Authenticated, 'edit'),
(Deny, Authenticated, 'login'),
(Allow, Everyone, 'login'),
]
def __init__(self, request):
self.request = request
class DummyAuthPolicy(CallbackAuthenticationPolicy):
def __init__(self, callback=None, debug=False):
self.callback = callback
self.debug = debug
def remember(self, request, principal, **kw):
return []
def forget(self, request):
return []
def unauthenticated_userid(self, request):
# this will print the request url
# so we can know which request is causing auth code to be called
print('[auth]: ' + request.url)
# this means the user is authenticated
return "user"
现在运行应用
pserve development.ini --reload
Starting subprocess with file monitor
Starting server in PID 2303.
serving on http://0.0.0.0:7777
最后,清除浏览器中的所有历史记录(这很重要,否则问题可能无法显示)并访问该页面。这会打印在控制台上:
[auth]: http://192.168.56.102:7777/static/pyramid.png
这表明正在为静态请求调用auth代码。
现在,当我将日志级别设置为DEBUG时,这是访问该页面时控制台的输出:
pserve development.ini --reload
Starting subprocess with file monitor
Starting server in PID 2339.
serving on http://0.0.0.0:7777
2013-03-27 03:40:55,539 DEBUG [issueapp][Dummy-2] route matched for url http://192.168.56.102:7777/; route_name: 'home', path_info: '/', pattern: '/', matchdict: {}, predicates: ''
2013-03-27 03:40:55,540 DEBUG [issueapp][Dummy-2] debug_authorization of url http://192.168.56.102:7777/ (view name '' against context ): Allowed (no permission registered)
2013-03-27 03:40:55,685 DEBUG [issueapp][Dummy-3] route matched for url http://192.168.56.102:7777/static/pyramid.png; route_name: '__static/', path_info: '/static/pyramid.png', pattern: 'static/*subpath', matchdict: {'subpath': ('pyramid.png',)}, predicates: ''
[auth]: http://192.168.56.102:7777/static/pyramid.png
2013-03-27 03:40:55,687 DEBUG [issueapp][Dummy-3] debug_authorization of url http://192.168.56.102:7777/static/pyramid.png (view name '' against context ): ACLDenied permission '__no_permission_required__' via ACE '' in ACL [('Allow', 'system.Authenticated', 'edit'), ('Deny', 'system.Authenticated', 'login'), ('Allow', 'system.Everyone', 'login')] on context for principals ['system.Everyone', 'system.Authenticated', 'user']
请注意,[auth]: ...消息仅打印一次 - 用于静态资产请求,而不是用于主页请求。这很奇怪,因为这意味着可以为静态资产查询auth策略,但不能查询正常请求。 (当然,除非涉及许可,否则我认为不是。)