[Zope-PAS] Checked in the Challenge implementation.

Lennart Regebro regebro at nuxeo.com
Fri Sep 24 13:01:05 EDT 2004

I just checked in yesterdays suggested challenge implementation.

This implementation does support scribbling on the response, as the 
initial desire was, including changing the body. So, it should be 
possible to return a in-place login form.

It also supports redirection (which can be done easily by calling 
response.redirect() (see CookieAuthHelper) as well as WWW-Authenticate 
header responses (requires some more work, se HTTPBasicAuthHelper).

Happy, happy, joy, joy.

Issue #1:
Now, when Unathorized is called, response.unauthorized is no longer 
called. As best as I can see, this has two side effects:

a. Any tracebacks will not be added.
b. The bobo-exception headers are not added.

The best suggestions on how to fix that with minimal code duplication 
effort is welcome. Fixing it is otehrwise trivial, if we just copy-paste 
the code involved, but that is not kosher. Calling response.exception() 
with just the right parameters in just the right place *may* be possible.

Issue #2:
Mark raised the issue that it might be desirable to let several 
challengers scribble on the response. Letting ALL do it has one 
drawback: Instead of the first plugin deciding the body and status, it 
is the *last* plugin that decides. That would be confusing.

The current implementation will stop iterating over the plugins if the 
plugin returned 1. This way, plugins that does not write on the body, or 
set the status, or redirects, can scribble on the headers and return 0, 
and the next plugin would get to continue.

This should make it possible for Mark to do an NTML plugin that sets a 
WWW-Authenticate: NTLM header, and then returns 0, and lets the next 
plugin do it's stuff. That next plugin could be HTTPBasicAuthHelper, for 
BasicAuth or maybe a plugin for in-place login.

Does this seem reasonable?


More information about the Zope-PAS mailing list