[Zope-PAS] Challenge implementation: Test results

Zachery Bir zbir at urbanape.com
Wed Sep 1 10:11:07 EDT 2004

On Sep 1, 2004, at 10:07 AM, Lennart Regebro wrote:

> Zachery Bir wrote:
>> I don't know where the confusion is coming from that this is going to 
>> force double-authentication. The only reason to do the traversal hook 
>> is to capture the unauthorized and deal with it locally before 
>> handing it back up to the Publisher.
>> Read the sources of CookieCrumbler. We're not going to force 
>> double-authentication.
> Ah, sorry, I mix up two different but related issues:
> Issue one:
> Handling unauthorized, and making it call the challenge plugins. This 
> can be done in before traverse, or in validate. Doesn't matter to me. 
> Validate seems less magic, I think, but that is just an opinion.
> Issue two:
> If you let BasicRequest.traverse handle the validation, unauthorized 
> *must* raise an exception. This means that you are limited to doing 
> the challenge by either raising Unauthorized, or Redirect. raisning 
> unathorized will of course provoke a Basic HTTP challenge, so 
> challenge plugins are really restricted to doing a redirect. You can 
> not, for example, return a different page body, or anything like that. 
> You *must* "raise Redirect, url". This seems a bit limited to me.

No, you're only limited to the challenge plugins you write. It can be a 
redirect (a la CC), it could be a digest challenge, if the user agent 
supports it, it could be a Basic HTTP challenge, or it could be an 
XML-RPC request to some other process somewhere. All that's important 
is that we get a chance to do what we need, rather than letting it go 
up to the ZPublisher.

> What was discussed briefly yesterday was to authenticate in 
> before_traverse, and if that failed do a challenge. But that would 
> result in authenticating twice, which seems less that perfect.

Yeah, that's not what we want.


More information about the Zope-PAS mailing list