[Zope-PAS] Re: New IChallengePlugin interface

Zachery Bir zbir at urbanape.com
Mon Oct 4 13:27:38 EDT 2004


On 2004-10-04 13:12:45 -0400, Jim Fulton 
<jim at zope.com> said:

>> But if the protocol is being assigned on the individual plugin, why not 
>> leverage that and just return it or None? Why make PAS turn right 
>> around and say, "Okay, you fired. Now who are you again?"
> 
> Because there was a desire (on IRC) to make the plugin as
> simple as possible. <shrug>

I'll buy that :^)

>> I thought we agreed that PAS would work like this (adapted from the 
>> example you gave earlier to be in line with the IRC discussion):
>> 
>>    # PAS challenge algorithm:
>>    protocol_group = None
>>    for challenger in challengers:
>>        if protocol_group and challenger.protocol != protocol_group:
>>            continue
>>        protocol_group = challenger.challenge(request, response)
>> 
>>    if protocol_group is None:
>>        # no challengers fired
>>        ... do fallback thing
> 
> We didn't get that specific, but we decided to take protocol out
> of the signature, which means out of the return value as well.

Okay, fair 'nuff. How's this:

class IChallengePlugin( Interface ):

    """ Initiate a challenge to the user to provide credentials.

        Challenge plugins have an attribute 'protocol' representing
        the protocol the plugin operates under, defaulting to None.

        Plugins operating under the same protocol will all be given an
        attempt to fire. The first plugin of a protocol group that
        successfully fires establishes the protocol of the overall
        challenge.
    """

    def challenge( request, response ):

        """ Assert via the response that credentials will be gathered.

        Takes a REQUEST object and a RESPONSE object.

        Returns True if it fired, False otherwise.

        Two common ways to initiate a challenge:

          - Add a 'WWW-Authenticate' header to the response object.

            NOTE: add, since the HTTP spec specifically allows for
            more than one challenge in a given response.

          - Cause the response object to redirect to another URL (a
            login form page, for instance)
        """

We'll need to hammer out the implementation, then, because I don't see 
how Lennart's implementation would work, even with your additions.

Zac
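
One way a PAS-side loop could drive the boolean-returning interface proposed in this message, as an added example that is not part of the original post and is not PAS code. The Response stand-in, the two plugin classes, run_challenge, the Accept check and the /login_form URL are all assumptions made for illustration.

```python
class Response:
    """Constructed stand-in for the RESPONSE object (not Zope's class)."""
    def __init__(self):
        self.headers = []        # (name, value) pairs; repeats allowed
        self.redirect_to = None

class BasicChallenger:           # hypothetical plugin
    protocol = "http"
    def __init__(self, realm):
        self.realm = realm
    def challenge(self, request, response):
        # Add, never replace: several challenges may share one response.
        response.headers.append(
            ("WWW-Authenticate", 'Basic realm="%s"' % self.realm))
        return True

class FormChallenger:            # hypothetical plugin
    protocol = "form"
    def challenge(self, request, response):
        if "text/html" not in request.get("Accept", ""):
            return False         # declines for non-browser clients
        response.redirect_to = "/login_form"
        return True

def run_challenge(challengers, request, response):
    """Return (fired, protocol_group) for one pass over the plugins."""
    fired, protocol_group = False, None
    for challenger in challengers:
        protocol = getattr(challenger, "protocol", None)
        # Track 'fired' separately: None is a legal protocol value, so it
        # cannot double as the "nobody has fired yet" marker.
        if fired and protocol != protocol_group:
            continue             # a different group already owns the challenge
        if challenger.challenge(request, response) and not fired:
            fired, protocol_group = True, protocol
    return fired, protocol_group  # fired is False: caller does the fallback

def demo(accept):
    # Constructed plugin order and request; the form plugin is tried first.
    plugins = [FormChallenger(), BasicChallenger("a"), BasicChallenger("b")]
    response = Response()
    fired, group = run_challenge(plugins, {"Accept": accept}, response)
    return fired, group, response

if __name__ == "__main__":
    for accept in ("text/html", "application/xml"):
        fired, group, resp = demo(accept)
        print(accept, fired, group, resp.headers, resp.redirect_to)
```

Keeping the groups separate means a response never carries both a login redirect and a WWW-Authenticate header, which a client could interpret either way.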



