My company's web architecture has essentially got an extra layer due to client security requirements, which complicates the process of developing applications a bit. I'd like to get some input and suggestions on the best way to do so.

First, an overview:

  • presentation layer - this is mostly PHP, with some Flex applications as well. We may be adding HTML5/JavaScript (jQuery) to this soon. This tier cannot see our database layer, and is the only layer that is visible to the outside world.
  • app layer - this is currently mostly PHP. It has access to the database.
  • db layer - this is reachable only from non-DMZ hosts.

Right now, Flex applications and client-side JavaScript that need to make calls to the app layer -- which is a fair number of them -- make it through a PHP proxy running on the presentation layer, which passes the request in to the app layer. These are usually AMF service requests, but we could proxy RESTful requests as well with minimal effort.

I have an opportunity to replace a lot of this stack right now, provided I can retain the basic security characteristics. What I want is to be able to write JavaScript or Flex apps that make RESTful calls to services visible in the presentation layer that will transparently (or transparently enough!) proxy into the app tier, where the actual work is done.

The thing is, every tutorial I see on (for example) Django or other pythonic web / REST frameworks seems to assume that the services provided by my presentation and application layers here are provided by one layer only. I need advice on how to write, essentially, web services using Python. The app layer must authenticate the client and maintain client sessions. The web layer proxy does not do that because it has no database access. This sort of thing is what pointed me at Django, with its cached session tracking, for example. But, truthfully, I'm open to anything that gets me away from writing PHP4 for this.
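A sketch of the presentation-tier proxy described above, added here as an example and not part of the original post: a WSGI app that forwards only allow-listed REST calls and passes the session cookie through untouched, so authentication stays in the app tier. The `APP_TIER` address, the `/api/` prefix and the header allow-lists are assumptions.

```python
import re
import urllib.error
import urllib.request

APP_TIER = "http://app-tier.internal:8000"  # assumed internal address
ALLOWED_PATH = re.compile(r"/api/[A-Za-z0-9_/-]*")  # no dots, so no ".." segments
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}
# Only these client headers cross the DMZ boundary. The session cookie is passed
# through opaquely; the app tier, which can reach the database, validates it.
FORWARD_IN = {"HTTP_COOKIE": "Cookie", "CONTENT_TYPE": "Content-Type", "HTTP_ACCEPT": "Accept"}
FORWARD_OUT = {"content-type", "set-cookie", "cache-control"}
MAX_BODY = 1 << 20  # refuse request bodies over 1 MiB


def build_upstream_request(environ):
    """Return (method, url, headers, body), or None if the request is refused."""
    method, path = environ.get("REQUEST_METHOD", ""), environ.get("PATH_INFO", "")
    if method not in ALLOWED_METHODS or not ALLOWED_PATH.fullmatch(path):
        return None
    raw_len = environ.get("CONTENT_LENGTH") or "0"
    if not raw_len.isdecimal() or int(raw_len) > MAX_BODY:
        return None
    body = environ["wsgi.input"].read(int(raw_len)) if int(raw_len) else None
    headers = {name: environ[key] for key, name in FORWARD_IN.items() if environ.get(key)}
    # Any client-supplied X-Forwarded-For is dropped; use the socket peer address.
    headers["X-Forwarded-For"] = environ.get("REMOTE_ADDR", "")
    query = environ.get("QUERY_STRING", "")
    return method, APP_TIER + path + ("?" + query if query else ""), headers, body


def application(environ, start_response):
    """WSGI entry point for the presentation tier."""
    built = build_upstream_request(environ)
    if built is None:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found\n"]
    method, url, headers, body = built
    request = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        response = urllib.request.urlopen(request, timeout=10)
    except urllib.error.HTTPError as err:
        response = err  # relay the app tier's own 4xx/5xx, e.g. 401 for a bad session
    except OSError:
        start_response("502 Bad Gateway", [("Content-Type", "text/plain")])
        return [b"upstream unavailable\n"]
    with response:
        kept = [(k, v) for k, v in response.headers.items() if k.lower() in FORWARD_OUT]
        start_response(f"{response.status} {response.reason}", kept)
        return [response.read()]
```
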

+1  A: 

django-piston is a mini-framework for Django for creating RESTful APIs, which I think should fulfill your requirements.

msanders
A: 

I've found that Pylons has been just the ticket for providing this capability; extension is really easy, testing is simple, and it gives loads of control to me as a developer.

Chris R