[Zope-PAS] Struggling with 'challenge' support.

Mark Hammond mhammond at skippinet.com.au
Thu Sep 23 08:26:09 EDT 2004

> Mark Hammond wrote:
> > The best I can tell, the problem is that someone has explicitly done
> > 'raise Unauthorized', rather than calling response.unauthorized().
> > When someone explicitly raises that exception,
> > response.unauthorized() is never called - which makes sense, as all
> > that method does is itself try to raise the exception.

> Ah... I tried overriding _unauthorized before, but that has other
> problems.

What problems specifically?

> In fact, I think the problem is that when you do that, and the
> challenge raises an exception, that exception is not trapped, and fails...

Exactly - which is why I said that challengers can never raise an
exception - Unauthorized or otherwise.

> Second email:

> > * Our challengers should only ever set headers in the response - they
> > never attempt to raise their own 'Unauthorized' exceptions - that
> > has already been raised, and is being handled by the time we are called.

> Nope, it's called by unauthorized as well, so that doesn't work. Most
> response scribblings you to then would just get lost at unauthorized
> later raises an exception.

I'm not sure what "it's" referring to there.  The response scribblings do
not get lost.  As I mentioned, I have NTLM authentication working with my
patch - I have IE and Zope (on windows) doing password-less authentication.

> Your patch is very much like how things were yesterday morning, before I
> realized it doesn't work. ;)

Yes, but now I understand things a little better <wink>.  A key thing was
that the final part of the challenge/response dance was not done by the
'challenge' method, but instead by the extractCredentials method.

> Nope, that doesn't work either, because response.exception will continue
> to do a lot of changes on the response. You can not change an
> Unauthorized into a Redirect, for example, and that is a basic
> requirement.

Why is that?  I see no reason why issuing a challenge should cause a
redirect.  The point is *not* to redirect - we issue a challenge, the client
responds, and either the authenticate dance begins or the response remains
at the original 404 it was.  For simple http auth, the "authenticate dance"
consists of a single header scribble - but for others, it consists of a more
complex dance involving a few 404s.

> Trapping "raise Unauthorized" and making that into a
> generic challenge behaviour will require replacing response.exception
> completely.

We aren't trapping 'raise Unauthorized' - the response 'exception()' method
is.  We are being calling as part of that exception being handled.

As far as I can tell, it is important that we neither raise nor catch
exception in the challenge implementation.

I'm afraid that with the current version, I can make the basic HTTP auth
helper work.  How should I configure my site to make it work as you see it

Did you see a specific error with my patch?



More information about the Zope-PAS mailing list