[Zope-PAS] Struggling with 'challenge' support.
mhammond at skippinet.com.au
Thu Sep 23 01:25:32 EDT 2004
> In my setup, response.unauthorized() is never called.
> response._unauthorized() is, which is why pas.challenge() was
> called in the
> previous version but not in the current one.
I think I have this sorted out :)
* As per my last message, we can not hook response.unauthorized(). Hooking
"_unauthorized()" is correct - it is called both for
'response.unauthorized()' and 'raise Unauthorized'.
* Our challengers should only ever set headers in the response - they should
never attempt to raise their own 'Unauthorized' exceptions - that exception
has already been raised, and is being handled by the time we are called.
* We should never call the original response._unauthorized() - all that does
is setup a www-authenticate challenge header. Our challenge plugins should
be setting all required challenge headers, so the original implemenation is
* The HTTPBasicAuthHelper function need only set a www-authenticate header.
I have attached a patch which implements the above, and seems to work fine.
My multi-step challenger also works with this code. It does mean that to
get standard HTTP authentication, you *must* add a HTTPBasicAuthHelper and
enable 'challenge' for it. This makes perfect sense to me though.
Please let me know what you think.
PS: If there was serious interest, I would be happy to implement a sample
"challenge/response" scheme (not a secure one - just one demonstrating the
motions). This would necessarily also involve a Python test script to play
the side of the "client" - no web browsers would understand this sample
scheme. It would take a bit of time to package nicely, so I would want an
indication that it would be somehow integrated (whatever that means :)
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 3021 bytes
Desc: not available
Url : http://mail.zope.org/pipermail/zope-pas/attachments/20040923/7e640a4e/challenge.obj
More information about the Zope-PAS