[Zope-PAS] Struggling with 'challenge' support.

Mark Hammond mhammond at skippinet.com.au
Thu Sep 23 18:35:18 EDT 2004

> Mark Hammond wrote:
> >>Ah... I tried overriding _unauthorized before, but that has other
> >>problems.
> >
> > What problems specifically?
> See my later mail. Summary:
> - Raising exceptions do not work when called from
> exception(), so that  solution doesn't work.
> - Many changes to the response gets overridden later in
> exception(), so that solution has some problems too.

I'm afraid I still don't see any specific errors mentioned in later mails,
just references to "doesn't work" or "has problems".

> > Why is that?  I see no reason why issuing a challenge should cause a
> > redirect.
> That is the most common use case: Redirecting to a login
> page. That is
> what 99% of users that require something else than a 401
> response will use.

But that use case is already handled well by Zope itself.  Surely PAS is so
people can plug other authentication services.  I expect that when there are
a number of PAS challenge implementations in place, it will be the minority
of them that will want to redirect.

Best I can tell though, at the moment there are *no* working challenge
implementations at all - which is making this discussion very hard to have -
we have no working baseline at all.  Do you have any working challenge
implementations at all?  I'm guessing not given the major shift and changes
in implementation that are being discussed.

> > Did you see a specific error with my patch?
> Yes, the explained error above. That implementation is not
> sufficient.

I'm afraid I missed the explanation.

> Use case 1:
> Standard HTTP Basic challenge. Returns 401, basically.
> Wouldn't it be nice to be able to set the body? Or is that just
> completely pointless?

I don't think setting the body is the job of the challenge plugin - all
challenge should do is initiate the challenge.

> Use case 4:
> What Mark is doing now. Could you explain that closer?

NTLM challenge/response with Internet Explorer.
* client requests page
* server returns 401, with "www-authenticate: NTLM" set.
* client retries, passing a token in "authenticate" header
* server re-responds 401, passing its tokens back to the client.
* client retries, passing yet another token
* server says "OK".

So as far as I can tell, your only issue now is with cookie authentication?

>From your next mail:
> Note that we can't call all challengers at once, that will
> just mess up
> the headers beyond recognition, instead, a challenger returns 1 if it
> wants to do the challenge.

In the same way that browsers can implement multiple responses, it is
important we are able to issue multiple challenges.

Consider IIS with a secure page - it will issue *both* HTTP and NTLM
challenges.  If the client is IE it will silently authenticate with NTLM.
If the client is anything else, it will see the standard HTTP auth challenge
and handle that response.

Clearly that would not work if IIS had to choose between one of the
challenge methods.

I'd really like to know what the specific problems you have are.  I have
been giving the exact exceptions and errors when running your code, and
managed to make my complex NTLM challenge work with a very small change.
You appear to now be proposing a much more complicated change, but I am yet
to see any of the errors or issues you discuss, nor anything actually work!

I'll work on getting the cookie authenticator performing a redirect - as
best I can tell, that is the only outstanding problem.


More information about the Zope-PAS mailing list