[Zope-PAS] Struggling with 'challenge' support.

Lennart Regebro regebro at nuxeo.com
Thu Sep 23 09:53:31 EDT 2004

Mark Hammond wrote:
>>Ah... I tried overriding _unauthorized before, but that has other
> What problems specifically?

See my later mail. Summary:
- Raising exceptions do not work when called from exception(), so that 
solution doesn't work.
- Many changes to the response gets overridden later in exception(), so 
that solution has some problems too.

>>Nope, that doesn't work either, because response.exception will continue
>>to do a lot of changes on the response. You can not change an
>>Unauthorized into a Redirect, for example, and that is a basic
> Why is that?  I see no reason why issuing a challenge should cause a
> redirect.

That is the most common use case: Redirecting to a login page. That is 
what 99% of users that require something else than a 401 response will use.

> Did you see a specific error with my patch?

Yes, the explained error above. That implementation is not sufficient. I 
need to do more testing to try some alternatives, do a whole lot more 
testing and, list up all the use cases.

Use case 1:
Standard HTTP Basic challenge. Returns 401, basically.
Wouldn't it be nice to be able to set the body? Or is that just 
completely pointless?

Use case 2:
Redirect to a login page.

Use case 3:
Return a login page without redirecting.
In worst case we could skip this use case, if it is to complicated to 

Use case 4:
What Mark is doing now. Could you explain that closer?

Hmmm.... I just realized, it might be possible to wrap exception instead 
of changing it, that woudl be neater. And then to the challenge 
*afterwards* and make the plugins write to response *last*. That could 
actaully work, if nothing else works. Hmm....

More information about the Zope-PAS mailing list