[Zope-PAS] Re: challenge branch ready for review

Zachery Bir zbir at urbanape.com
Thu Oct 14 09:29:27 EDT 2004

On 2004-10-14 08:33:04 -0400, Lennart Regebro 
<regebro at nuxeo.com> said:

> Zachery Bir wrote:
>> On 2004-10-14 06:00:09 -0400, Lennart Regebro 
>> <regebro at nuxeo.com> said:
>>> This only overrides _unauthorized(), which means that _exception() will 
>>> then later in the chain perform a HTTP Basic auth no matter what. You 
>>> need to override _exception *and* _unauthorized, like is done in HEAD 
>>> for the moment.
>> No, you don't. RESPONSE.exception() calls RESPONSE._unauthorized, which 
>> we already trap and we do the challenge there. Go look at the code in 
>> HTTPResponse.
> I know, I HAVE looked at it. Explain to me why I'm wrong instead of 
> just assuming that I don't know what I'm talking about please. :-) I 
> have done several different challenge implementations now, I am slowly 
> getting the hang of it. :-)

You said, "which means that _exception()[sic] will then later in the 
chain perform a HTTP Basic auth no matter what". This is false. I've 
got a PAS instance with a single CookieAuthHelper enabled to do all 
challenges. I've got an external method that only raises Unauthorized. 
The only challenge to happen is the cookie auth login form. All without 
having to override the response's exception() method.

> OK, if the ugly "self._locked_status" hack is used, it's possible to 
> prevent the status to be changed later. But the body will still be 
> overriden. That means that one of the three identified types of 
> challenges is not possible to implement, for no particularily good 
> reason.

Refresh my memory. Which of the three identified can't be implemented?


More information about the Zope-PAS mailing list