[Zope-PAS] challenge branch ready for review

Lennart Regebro regebro at nuxeo.com
Thu Oct 14 08:38:27 EDT 2004

Mark Hammond wrote:
>>This only overrides _unauthorized(), which means that
>>_exception() will
>>then later in the chain perform a HTTP Basic auth no matter what. You
>>need to override _exception *and* _unauthorized, like is done in HEAD
>>for the moment.
> Are you sure about that?  I could disable all HTTP auth with that branch.
> It is response._unauthorized which sets up this authentication, and that is
> exactly what we override.

response._unauthorized added one header. That's what the branch 
overrides. Most of the challenge setup is done in _exception(), really.

response._unauthorized does not set the header status, exception() does, 
it does not set the body, exception does, and so on.

We can prevent exception from setting the status by setting 
response._locked_status = 1 in the plugins. Not exactly obvious, but it 
can be documented. But we can't prevent it from setting the body. 
Meaning that the only challenges possible is redirects or adding more 
Authentication headers.

More information about the Zope-PAS mailing list