[Zope-PAS] Struggling with 'challenge' support.

Mark Hammond mhammond at skippinet.com.au
Thu Sep 23 01:25:32 EDT 2004

I wrote:

> In my setup, response.unauthorized() is never called.
> response._unauthorized() is, which is why pas.challenge() was
> called in the
> previous version but not in the current one.

I think I have this sorted out :)

* As per my last message, we can not hook response.unauthorized().  Hooking
"_unauthorized()" is correct - it is called both for
'response.unauthorized()' and 'raise Unauthorized'.

* Our challengers should only ever set headers in the response - they should
never attempt to raise their own 'Unauthorized' exceptions - that exception
has already been raised, and is being handled by the time we are called.

* We should never call the original response._unauthorized() - all that does
is setup a www-authenticate challenge header.  Our challenge plugins should
be setting all required challenge headers, so the original implemenation is
not needed.

* The HTTPBasicAuthHelper function need only set a www-authenticate header.

I have attached a patch which implements the above, and seems to work fine.
My multi-step challenger also works with this code.  It does mean that to
get standard HTTP authentication, you *must* add a HTTPBasicAuthHelper and
enable 'challenge' for it.  This makes perfect sense to me though.

Please let me know what you think.


PS: If there was serious interest, I would be happy to implement a sample
"challenge/response" scheme (not a secure one - just one demonstrating the
motions).  This would necessarily also involve a Python test script to play
the side of the "client" - no web browsers would understand this sample
scheme.  It would take a bit of time to package nicely, so I would want an
indication that it would be somehow integrated (whatever that means :)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: challenge.patch
Type: application/octet-stream
Size: 3021 bytes
Desc: not available
Url : http://mail.zope.org/pipermail/zope-pas/attachments/20040923/7e640a4e/challenge.obj

More information about the Zope-PAS mailing list