There is no security model built into the publisher as such; applications should make assertions using the exception classes from the WebOb library, e.g.:
@app.route("/")
def controller(request):
if 'REMOTE_USER' not in request.environ:
raise webob.exc.HTTPForbidden("Server not accessible.")
return webob.Response(u"Welcome, %s!" % request.environ['REMOTE_USER'])
If we browse to http://localhost:8080/ we get:
403 Forbidden
Access was denied to this resource.
Server not accessible.