[Zope-dev] Re: [Zope-Coders] Unauthorized results in 401, shouldn't it result in 403?

Zachery Bir zbir at urbanape.com
Wed Apr 20 13:01:22 EDT 2005


On 2005-04-20 11:20:26 -0400, Chris Withers 
<chris at simplistix.co.uk> said:

> Sidnei da Silva wrote:
>> | 3. How does PAS handle failover from one authentication plugin to the next?
>> 
>> /me leaves slot for PAS experts to fill

Each attempt at authenticating a particular set of credentials gets a 
crack, and either stands up for the creds, or returns None.

>> CookieCrumbler it's this variable is set from the cookie value) and
>> that may result in a valid user or 'Anonymous User'.
> 
> Yeah, but how does CookieCrumbler stop a basic auth box being popped to 
> the user when things aren't authorized?

By intercepting the RESPONSE's unauthorized() method. It's pretty 
plainly there in the code. FWIW, this is how PAS insinuates itself into 
the process as well, but to allow for any of the challenge plugins to 
fire this way.

>> | PS: I suspect the answer to 4 varies depending on the type of auth :-(
>> 
>> I don't think so.
> 
> CookieCrumbler vs Everything Else: I think it does...

Well, not in PAS ;^)

Zac




More information about the Zope-Dev mailing list