[Zope-PAS] Re: challenge branch ready for review

Zachery Bir zbir at urbanape.com
Thu Oct 14 07:14:18 EDT 2004

On 2004-10-14 06:00:09 -0400, Lennart Regebro 
<regebro at nuxeo.com> said:

> Zachery Bir wrote:
>> I've got a working implementation of PAS on 
>> pre-1_0_3-zbir-challenge-branch that exercises:
>>  - the CookieAuthHelper plugin (very rudimentary, not as smart as
>>    CookieCrumbler)
>>  - the HTTPBasicAuthHelper
>>  - the new challenge machinery discussed here that limits players in
>>    a given challenge to plugins that support the same protocol
>> We've also got tests that exercise nested PAS instances, showing that
>> PASes that can't or don't participate in a challenge will delegate it
>> up the request chain and allow other PASes (or even the ZPublisher) to
>> challenge.
>> Please take a look and let me know what you think. I'd like to merge
>> this to the head and then start on the ID mangling (coming, Jens, I
>> promise ;^)).
> This only overrides _unauthorized(), which means that _exception() will 
> then later in the chain perform a HTTP Basic auth no matter what. You 
> need to override _exception *and* _unauthorized, like is done in HEAD 
> for the moment.

No, you don't. RESPONSE.exception() calls RESPONSE._unauthorized, which 
we already trap and we do the challenge there. Go look at the code in 


More information about the Zope-PAS mailing list