Introduction
Quixote is a framework for developing Web applications in Python. Quixote is based on a simple, flexible design, making it possible to write applications quickly and to benefit from the wide range of available third-party Python modules. Deployed appropriately, Quixote has excellent performance that allows you to put Quixote-based applications into large-scale production use.
Architecture
A Quixote application is typically a Python package, a collection of modules grouped into a single directory tree. Quixote then maps a URL to a method of a Python object; the method is then called with the contents of the HTTP request, and the results are returned to the client.
Quixote can be connected to the Web in several ways:
- Using an HTTP server written in Python code. This provides ease
of configuration and is quite suitable for intranet or small-scale
Internet deployments.
- Using SCGI as implemented
by the Apache module mod_scgi or by lighttpd. Quixote-based
applications run as a daemon process, and the web server sends HTTP
requests to the daemon as they're received. The SCGI daemon can be
started and stopped independently of the web server, making it easy to
upgrade application code without affecting other operations on the
Web site. We believe this is the architecture with the highest
performance. (FastCGI employs a similar architecture, but the
FastCGI protocol's greater complexity makes it less reliable.)
- Through regular CGI. This is not recommended because it's the
architecture with the worst performance, creating a new process on
every HTTP request. SCGI isn't much more difficult to configure and
it's much faster than regular CGI, making SCGI a far better choice.
HTML Templating
Quixote provides its own solution for HTML generation called Python Template Language (PTL). (Using PTL in Quixote applications is optional.)
PTL applies Python's syntax to generating HTML. In a PTL template, expression results and literal strings are automatically assembled into a function's output. Here is an example PTL function:
    def format_row [html] (head, value):
        "<tr valign=top align=left>\n"
        " <th align=left>%s</th>\n" % head
        " <td>%s</td>\n" % value
        "</tr>\n"
The function is marked as being written in PTL by the [html] annotation in the function's definition. This function can be written and saved in a file whose name ends in ".ptl". Such ".ptl" files can then be imported using Python's import statement, and the template can be invoked just like a regular Python function. For example, you might code:
    import util_templates

    def output [html] (request):
        ...
        "<table>"
        for heading, value in data:
            util_templates.format_row(heading, value)
        "</table>"
PTL's HTML templating can automatically escape special characters such as '<' and '&' in strings originating from the client browser or from a database. Proper use of this feature can avoid a class of security vulnerability called "cross-site scripting attacks". In a cross-site scripting attack, a hostile user can insert arbitrary HTML in a web application's output that can link to other sites or contain harmful JavaScript code.
Alternative templating syntaxes can also be used. Several different syntaxes have been implemented as Python packages; because Quixote makes it easy to use third-party Python packages, you can support any templating syntax you wish.
Quixote's Advantages
Simplicity
Quixote is not a large framework that tries to subsume every conceivable Web development task, instead striving for flexibility. Quixote handles the details of interfacing with the web server, such as parsing form request variables and processing uploaded files, and provides mechanisms through which new features such as session tracking can be implemented.
This makes Quixote easy to learn for experienced Python programmers because their existing skills, acquired by writing Python programs and scripts, can also be applied to writing Web applications with Quixote. Novice programmers can also learn Quixote, and once learned, their new-found skills can be applied to other Python programming tasks.
(A series of Quixote tutorials can be found at http://www.quixote.ca/learn/.)
By staying within the mainstream of Python design practice, Quixote makes it easy to use third-party modules in Quixote-based applications. External packages such as the Reportlab Toolkit (PDF file generation), ZODB (an object database), or mxODBC (access to relational databases) can be used from Quixote without difficulty.
Existing Python tools such as the Distribution Utilities can be used to package and install Quixote-based applications. We hope that Quixote users will begin to release their own add-ons and applications built on top of Quixote, leading to the formation of a user community.
Performance
Quixote imposes very low overhead on each HTTP transaction, meaning that performance can be quite good even on inexpensive hardware. For example, one benchmark found that Quixote and SCGI can achieve 75 requests/second on a lowly Pentium 200! On a more current machine with an Athlon XP 1700+ processor, this combination has been measured at 425 requests/second.
Security
Quixote is relatively small, consisting of almost 7,000 lines of Python code. Only 2,500 lines of this contain the core publishing code; that's relatively small, making it possible to carefully read through the code and audit it for security vulnerabilities.
The automatic HTML quoting feature in PTL, if used diligently, can avoid a class of security vulnerability called "cross-site scripting attacks". In a cross-site scripting attack, a hostile user can insert arbitrary HTML in a web application's output that can link to other sites or contain harmful JavaScript code. Quixote can provide automatic protection from bugs that expose a Web-based application to such attacks.
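How automatic quoting of this kind can work, as an added sketch in plain Python covering both this paragraph and the one under "HTML Templating"; it is not Quixote's own code or PTL syntax. The names HtmlText and escape are assumptions, and format_row is a stand-in for the PTL template shown earlier.

```python
import html


class HtmlText:
    """Markup written by the template author; treated as already safe."""

    def __init__(self, markup):
        self.markup = str(markup)

    def __str__(self):
        return self.markup

    def __mod__(self, args):
        # Values substituted into markup are escaped before formatting.
        if not isinstance(args, tuple):
            args = (args,)
        return HtmlText(self.markup % tuple(escape(a) for a in args))

    def __add__(self, other):
        return HtmlText(self.markup + str(escape(other)))

    def __radd__(self, other):
        # A plain str on the left of "+" is untrusted too.
        return HtmlText(str(escape(other)) + self.markup)


def escape(value):
    """Return value as HtmlText, escaping it unless already marked safe."""
    if isinstance(value, HtmlText):
        return value  # never escape twice
    return HtmlText(html.escape(str(value), quote=True))


def format_row(head, value):
    # Plain-Python stand-in for the page's format_row [html] template.
    out = HtmlText("<tr valign=top align=left>\n")
    out += HtmlText(" <th align=left>%s</th>\n") % head
    out += HtmlText(" <td>%s</td>\n") % value
    out += HtmlText("</tr>\n")
    return out


if __name__ == "__main__":
    # Constructed sample: a value as it might arrive from a browser form.
    print(format_row("Comment", "<script>alert(1)</script> & more"))
    # A row nested in a table is not escaped a second time.
    print(HtmlText("<table>%s</table>") % format_row("a", "b&c"))
```

The protection holds only while untrusted strings stay plain strings; wrapping one in HtmlText by hand marks it as safe and bypasses the escaping, which is why the feature has to be used diligently.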
Quixote also requires the developer to explicitly specify which Python functions can be accessed from the web browser. This makes it unlikely that private functions will be accidentally made available.
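The difference an explicit export list makes, as an added sketch that is not Quixote's publishing code: the attribute name exports, both resolver functions and the sample classes are hypothetical, and Quixote's own attribute name and traversal rules are not shown on this page.

```python
class NotExported(LookupError):
    """Raised when a URL component is not on the object's allowlist."""


def resolve_naive(root, path):
    # Weak form: any attribute reachable by name is reachable by URL.
    obj = root
    for part in filter(None, path.split("/")):
        obj = getattr(obj, part)
    return obj


def resolve_exported(root, path):
    # Allowlist form: each component must be named in the object's
    # `exports` list (hypothetical attribute name); default is deny.
    obj = root
    for part in filter(None, path.split("/")):
        if part not in getattr(obj, "exports", ()):
            raise NotExported(part)
        obj = getattr(obj, part)
    if not callable(obj):
        raise NotExported(path)
    return obj


# Constructed sample application.
class Admin:
    exports = ["status"]

    def status(self):
        return "ok"

    def purge_cache(self):  # helper, never meant to be a URL
        return "purged"


class Root:
    exports = ["index", "admin"]
    admin = Admin()

    def index(self):
        return "home"

    def dump_config(self):  # helper, never meant to be a URL
        return "db_password=..."
```

With the allowlist, a helper added later stays unreachable until someone deliberately lists it, so the failure mode of a forgotten declaration is a missing page rather than an exposed function.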
Freedom
Quixote is free software, available under a license identical to that used by Python itself. There's no cost to acquire the Quixote code, and no fees are required to write or run Quixote applications. You can also modify the Quixote code and redistribute your modified version.
Quixote Availability
Quixote runs on several Unix variants (Linux, FreeBSD, Apple Mac OS X) and on Microsoft Windows.
A partial list of the HTTP servers supported by Quixote includes Apache (optionally using SCGI, mod_fastcgi, or CGI), Microsoft IIS, AOLserver, Medusa, and Twisted Python.
Resources for Learning More
The main site for Quixote is http://www.quixote.ca.
Quixote is written in the Python programming language. More information on Python is available at http://www.python.org.
Legal
AOLserver is a trademark of America Online.
Apache is a trademark of The Apache Software Foundation, and is used with permission.
The Reportlab Toolkit is a trademark of ReportLab.
mxODBC is a trademark of eGenix.com.
Apple and Mac OS are trademarks of Apple Computer, Inc., registered in the U.S. and other countries.
Microsoft Windows and Internet Information Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.