[Zope-PAS] Struggling with 'challenge' support.
mhammond at skippinet.com.au
Thu Sep 23 08:26:09 EDT 2004
> Mark Hammond wrote:
> > The best I can tell, the problem is that someone has explicitly done
> > 'raise Unauthorized', rather than calling response.unauthorized().
> > When someone explicitly raises that exception,
> > response.unauthorized() is never called - which makes sense, as all
> > that method does is itself try to raise the exception.
> Ah... I tried overriding _unauthorized before, but that has other
What problems specifically?
> In fact, I think the problem is that when you do that, and the
> challenge raises an exception, that exception is not trapped, and fails...
Exactly - which is why I said that challengers can never raise an
exception - Unauthorized or otherwise.
> Second email:
> > * Our challengers should only ever set headers in the response - they
> > never attempt to raise their own 'Unauthorized' exceptions - that
> > has already been raised, and is being handled by the time we are called.
> Nope, it's called by unauthorized as well, so that doesn't work. Most
> response scribblings you do then would just get lost as unauthorized
> later raises an exception.
I'm not sure what "it's" referring to there. The response scribblings do
not get lost. As I mentioned, I have NTLM authentication working with my
patch - I have IE and Zope (on windows) doing password-less authentication.
> Your patch is very much like how things were yesterday morning, before I
> realized it doesn't work. ;)
Yes, but now I understand things a little better <wink>. A key thing was
that the final part of the challenge/response dance was not done by the
'challenge' method, but instead by the extractCredentials method.
> Nope, that doesn't work either, because response.exception will continue
> to do a lot of changes on the response. You can not change an
> Unauthorized into a Redirect, for example, and that is a basic
Why is that? I see no reason why issuing a challenge should cause a
redirect. The point is *not* to redirect - we issue a challenge, the client
responds, and either the authenticate dance begins or the response remains
at the original 404 it was. For simple http auth, the "authenticate dance"
consists of a single header scribble - but for others, it consists of a more
complex dance involving a few 404s.
> Trapping "raise Unauthorized" and making that into a
> generic challenge behaviour will require replacing response.exception
We aren't trapping 'raise Unauthorized' - the response 'exception()' method
is. We are being called as part of that exception being handled.
As far as I can tell, it is important that we neither raise nor catch
exceptions in the challenge implementation.
I'm afraid that with the current version, I can make the basic HTTP auth
helper work. How should I configure my site to make it work as you see it?
Did you see a specific error with my patch?
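As an added illustration of the contract Mark describes (a challenger only scribbles status and headers onto the response and never raises or catches anything; the final step of the dance is completed by extractCredentials on the next request), here is a stand-alone Python model. It is not Zope or PAS code and is not part of the original thread: the Request/Response classes, the two plugin classes, the serve() driver and the nonce-based two-round scheme are all hypothetical simplifications written for this example. The two-round scheme only mimics the shape of an NTLM-style multi-step dance (a few 401s before success); it is not the NTLM protocol.

```python
"""Stand-alone model of a PAS-style challenge/response dance.
Hypothetical example: Request, Response, the plugins and serve() are
simplifications written for illustration, not Zope or PAS code."""
import base64
import hashlib
import hmac
import secrets


class Response:
    """Minimal stand-in for an HTTP response object (assumed API)."""
    def __init__(self):
        self.status = 200
        self.headers = {}

    def setStatus(self, status):
        self.status = status

    def setHeader(self, name, value):
        self.headers[name] = value


class Request:
    """Minimal request: only the headers matter for this model."""
    def __init__(self, headers=None):
        self.headers = dict(headers or {})


class BasicAuthChallenger:
    """Single-step dance: one WWW-Authenticate header, one Authorization reply."""
    def __init__(self, realm="Zope"):
        self.realm = realm

    def challenge(self, request, response):
        # Only scribble on the response.  Unauthorized has already been raised
        # and is being handled by the time we are called, so never raise here.
        response.setStatus(401)
        response.setHeader("WWW-Authenticate", 'Basic realm="%s"' % self.realm)
        return True

    def extractCredentials(self, request):
        auth = request.headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return {}
        try:
            decoded = base64.b64decode(auth[6:]).decode()
        except (ValueError, UnicodeDecodeError):
            return {}
        login, _, password = decoded.partition(":")
        return {"login": login, "password": password} if login else {}


class NonceChallenger:
    """Two-round dance with the shape of an NTLM-style exchange (hypothetical
    scheme, not NTLM): challenge() answers 'Authorization: Nonce <login>' with
    a fresh nonce; extractCredentials() finishes the dance on the next request
    by checking an HMAC proof over that nonce."""
    def __init__(self, secrets_by_login):
        self.secrets_by_login = secrets_by_login
        self.pending = {}  # nonce -> login, server-side state between rounds

    def challenge(self, request, response):
        auth = request.headers.get("Authorization", "")
        response.setStatus(401)
        if auth.startswith("Nonce "):
            nonce = secrets.token_hex(16)  # round 1: hand out a nonce
            self.pending[nonce] = auth[6:]
            response.setHeader("WWW-Authenticate", "Nonce " + nonce)
        else:
            response.setHeader("WWW-Authenticate", "Nonce")  # round 0: start
        return True

    def extractCredentials(self, request):
        auth = request.headers.get("Authorization", "")
        if not auth.startswith("NonceProof "):
            return {}
        nonce, _, proof = auth[len("NonceProof "):].partition(":")
        login = self.pending.pop(nonce, None)  # a nonce is good for one proof
        secret = self.secrets_by_login.get(login)
        if login is None or secret is None:
            return {}
        expected = hmac.new(secret.encode(), nonce.encode(), hashlib.sha256).hexdigest()
        ok = hmac.compare_digest(expected.encode(), proof.encode())
        return {"login": login} if ok else {}


def serve(plugin, request):
    """Server side of one request: extract credentials first; if there are
    none, do what response.exception() does on Unauthorized and let the
    challenger set status and headers.  Nothing is raised or caught here."""
    response = Response()
    creds = plugin.extractCredentials(request)
    if creds:
        response.setHeader("X-Authenticated-As", creds["login"])
        return response
    plugin.challenge(request, response)
    return response


def run_basic_dance(login, password):
    """Client side of the Basic dance; returns per-round statuses and the login."""
    plugin = BasicAuthChallenger()
    first = serve(plugin, Request())
    token = base64.b64encode(("%s:%s" % (login, password)).encode()).decode()
    second = serve(plugin, Request({"Authorization": "Basic " + token}))
    return [first.status, second.status], second.headers.get("X-Authenticated-As")


def run_nonce_dance(login, secret, secrets_by_login):
    """Client side of the two-round dance; returns per-round statuses and the login."""
    plugin = NonceChallenger(secrets_by_login)
    r0 = serve(plugin, Request())
    r1 = serve(plugin, Request({"Authorization": "Nonce " + login}))
    nonce = r1.headers["WWW-Authenticate"].split(" ", 1)[1]
    proof = hmac.new(secret.encode(), nonce.encode(), hashlib.sha256).hexdigest()
    r2 = serve(plugin, Request({"Authorization": "NonceProof %s:%s" % (nonce, proof)}))
    return [r0.status, r1.status, r2.status], r2.headers.get("X-Authenticated-As")


if __name__ == "__main__":
    print(run_basic_dance("mark", "s3cret"))
    print(run_nonce_dance("mark", "s3cret", {"mark": "s3cret"}))
```

The point of the model is the division of labour: challenge() only ever writes a 401 and a WWW-Authenticate header, however many rounds the scheme needs, and extractCredentials() is where the dance actually completes. A wrong proof or an unknown login simply leaves the response at 401 with a fresh challenge rather than raising anything.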