[Zope-PAS] Challengers (and Zope 3)

Mark Hammond mhammond at skippinet.com.au
Wed Sep 29 19:47:03 EDT 2004

Hi Jim,

> Let me see if I can state this correctly and clearly. For
> lack of a better term, I'll say that there can be multiple
> protocols for making challenges.  Examples of protocols include
> HTTP Authentication and Cookie-based authentication.  There
> are undoubtedly other protocols, although I don't know of
> any offhand. ;)  Generally, protocols are not compatible with
> each other. (This is hard to say for sure, but for the protocols
> we have, this is the case. :).  Therefore, we don't want to issue
> challenges for multiple protocols.
> Before I go any further, does this sound right?  Is the
> statement above sensible and correct?

I believe it to be both sensible and correct :)  I think there may be scope
for us to have a 'protocol fallback' mechanism, but one step at a time!

To clarify, my NTLM challenge implementation uses the same "protocol" as
HTTP 'basic' auth.  If Kerberos ever grew a standard HTTP-based auth scheme,
it would likely use the same protocol.

> Can people think of any other *real* protocols?

In my searches, the only other 'protocol' I found was one that directly
connects to an authentication server and exchanges credentials.  IIRC,
RADIUS was an example that just opened a socket - but I can't recall
exactly.  So there may be a "protocol" that directly authenticates on a
challenge, without either redirecting or exchanging HTTP headers.
