[Zope-PAS] Challenge implementation: Test results
regebro at nuxeo.com
Wed Sep 1 10:07:37 EDT 2004
Zachery Bir wrote:
> I don't know where the confusion is coming from that this is going to
> force double-authentication. The only reason to do the traversal hook is
> to capture the unauthorized and deal with it locally before handing it
> back up to the Publisher.
> Read the sources of CookieCrumbler. We're not going to force
Ah, sorry, I mix up two different but related issues:
Handling unauthorized, and making it call the challenge plugins. This
can be done in before traverse, or in validate. Doesn't matter to me.
Validate seems less magic, I think, but that is just an opinion.
If you let BasicRequest.traverse handle the validation, unauthorized
*must* raise an exception. This means that you are limited to doing the
challenge by either raising Unauthorized, or Redirect. raisning
unathorized will of course provoke a Basic HTTP challenge, so challenge
plugins are really restricted to doing a redirect. You can not, for
example, return a different page body, or anything like that. You *must*
"raise Redirect, url". This seems a bit limited to me.
What was discussed briefly yesterday was to authenticate in
before_traverse, and if that failed do a challenge. But that would
result in authenticating twice, which seems less that perfect.
More information about the Zope-PAS