[Zope-PAS] Re: challenge branch ready for review

Lennart Regebro regebro at nuxeo.com
Thu Oct 14 08:33:04 EDT 2004


Zachery Bir wrote:
> On 2004-10-14 06:00:09 -0400, Lennart Regebro <regebro at nuxeo.com> said:
> 
>> Zachery Bir wrote:
>>
>>> I've got a working implementation of PAS on 
>>> pre-1_0_3-zbir-challenge-branch that exercises:
>>>
>>>  - the CookieAuthHelper plugin (very rudimentary, not as smart as
>>>    CookieCrumbler)
>>>
>>>  - the HTTPBasicAuthHelper
>>>
>>>  - the new challenge machinery discussed here that limits players in
>>>    a given challenge to plugins that support the same protocol
>>>
>>> We've also got tests that exercise nested PAS instances, showing that
>>> PASes that can't or don't participate in a challenge will delegate it
>>> up the request chain and allow other PASes (or even the ZPublisher) to
>>> challenge.
>>>
>>> Please take a look and let me know what you think. I'd like to merge
>>> this to the head and then start on the ID mangling (coming, Jens, I
>>> promise ;^)).
>>
>>
>> This only overrides _unauthorized(), which means that _exception() 
>> will then later in the chain perform a HTTP Basic auth no matter what. 
>> You need to override _exception *and* _unauthorized, like is done in 
>> HEAD for the moment.
> 
> 
> No, you don't. RESPONSE.exception() calls RESPONSE._unauthorized, which 
> we already trap and we do the challenge there. Go look at the code in 
> HTTPResponse.

I know, I HAVE looked at it. Explain to me why I'm wrong instead of just 
assuming that I don't know what I'm talking about please. :-) I have 
done several different challenge implementations now, I am slowly 
getting the hang of it. :-)

OK, if the ugly "self._locked_status" hack is used, it's possible to 
prevent the status from being changed later. But the body will still be 
overridden. That means that one of the three identified types of 
challenges is not possible to implement, for no particularly good reason.

Only the http-protocol challengers and redirects will work.

The challenge is also called twice when you do a 
response.unauthorized(), which doesn't seem very useful, is a pain when 
debugging and could confuse lots of things. That can be fixed by 
overriding RESPONSE.unauthorized() as well, so that it no longer calls 
_unauthorized.

I prefer my solution, however.
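The two failure modes argued about above (the error body overwriting a challenger's body, and the challenge running twice on response.unauthorized()) can be seen in a toy model of the response flow. The following is an added illustration written for this archive page; it is not Zope's or the PAS branch's code. The names exception(), _unauthorized(), unauthorized() and _locked_status follow the thread, but every method body is a simplified reconstruction of the behaviour the messages describe, not ZPublisher's real implementation, and the login-form body is a constructed sample.

```python
# Added illustration: a toy model of the ZPublisher response/challenge flow as
# the thread describes it.  NOT Zope's code: the class and method names follow
# the discussion (exception, _unauthorized, unauthorized, _locked_status), but
# the bodies are a simplified reconstruction written for this example.


class Unauthorized(Exception):
    """Raised by application code to request an authentication challenge."""


LOGIN_FORM = "<html><form>login form</form></html>"  # constructed sample body


class Response:
    """Stand-in for HTTPResponse, reduced to the pieces the thread argues about."""

    def __init__(self):
        self.status = 200
        self.headers = {}
        self.body = ""
        self._locked_status = False
        self.challenge_calls = 0  # how many times a custom challenger ran

    def setStatus(self, status):
        # The "_locked_status hack": once a challenger locks the status, later
        # error handling cannot change it.
        if not self._locked_status:
            self.status = status

    def setBody(self, body):
        self.body = body

    def _unauthorized(self):
        # Default challenge: HTTP Basic.
        self.setStatus(401)
        self.headers["WWW-Authenticate"] = 'basic realm="Zope"'

    def unauthorized(self):
        # Application-level entry point: prepare the challenge, then raise so
        # the publisher unwinds the request.
        self._unauthorized()
        raise Unauthorized("login required")

    def exception(self, exc):
        # Publisher error handling: delegates Unauthorized to _unauthorized(),
        # then renders an error body regardless of what the challenger did.
        if isinstance(exc, Unauthorized):
            self._unauthorized()
            self.setStatus(401)
        self.setBody("<html>Site error: %s</html>" % exc)


class OverrideUnauthorizedOnly(Response):
    """Branch approach as described: override _unauthorized() only, lock status."""

    def _unauthorized(self):
        self.challenge_calls += 1
        self.setStatus(200)
        self._locked_status = True
        self.setBody(LOGIN_FORM)  # inline login form instead of Basic auth


class OverrideAll(Response):
    """HEAD approach as described: also override exception() and unauthorized()."""

    def _unauthorized(self):
        self.challenge_calls += 1
        self.setStatus(200)
        self.setBody(LOGIN_FORM)

    def unauthorized(self):
        # Only raise; the challenge is issued exactly once, from exception().
        raise Unauthorized("login required")

    def exception(self, exc):
        if isinstance(exc, Unauthorized):
            self._unauthorized()
            return  # keep the challenger's status and body intact
        super().exception(exc)


def publish(response_class):
    """Simulate the publisher: app code calls unauthorized(), publisher handles it.

    Returns (status, body, number of custom challenge invocations).
    """
    response = response_class()
    try:
        response.unauthorized()
    except Unauthorized as exc:
        response.exception(exc)
    return response.status, response.body, response.challenge_calls


if __name__ == "__main__":
    for cls in (Response, OverrideUnauthorizedOnly, OverrideAll):
        print(cls.__name__, publish(cls))
```

Running publish() over the three classes shows the point at issue: with only _unauthorized() overridden, the status lock survives but the login-form body is replaced by the error page and the challenger runs twice; with exception() and unauthorized() overridden as well, the body survives and the challenger runs once.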


