[Zope-PAS] Re: New IChallengePlugin interface

Jim Fulton jim at zope.com
Mon Oct 4 12:06:14 EDT 2004

Zachery Bir wrote:
> Since we don't specify attribute interfaces in Zope 2, I've left it in 
> the docs of IChallengePlugin.
> class IChallengePlugin( Interface ):
>    """ Initiate a challenge to the user to provide credentials.
>        Challenge plugins have an attribute 'protocol' representing
>        the protocol the plugin operates under. Plugins operating
>        under the same protocol will all be given an attempt to
>        fire. The first plugin of a protocol group that successfully
>        fires establishes the protocol of the overall challenge. By
>        default, the protocol should be the id of the plugin, which
>        means if it fires, it fires alone.
>    """
>    def challenge( request, response ):
>        """ Assert via the response that credentials will be gathered.
>        Takes a REQUEST object and a RESPONSE object, and returns
>        either self.protocol if it fires, or None.
>        Two common ways to initiate a challenge:
>          - Add a 'WWW-Authenticate' header to the response object.
>            NOTE: add, since the HTTP spec specifically allows for
>            more than one challenge in a given response.
>          - Cause the response object to redirect to another URL (a
>            login form page, for instance)
>        """

I think this is still not right.

The plugin retuns a boolean.  It's the PAS's job to figure out
the protocol, based on the protocol of the first plugin to fire.

Also, I think that a challenger that doesn't interoperate with
anything else should have None as it's protocol.  Then the PAS
can do the book keeping any way it wants.


Jim Fulton           mailto:jim at zope.com       Python Powered!
CTO                  (540) 361-1714            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org

More information about the Zope-PAS mailing list