[Zope-PAS] Challengers (and Zope 3)
mhammond at skippinet.com.au
Wed Sep 29 19:47:03 EDT 2004
> Let me see if I can state this correctly and clearly. For
> lack of a better term, I'll say that there can be multiple
> protocols for making challenges. Examples of protocols include
> HTTP Authentication and Cookie-based authentication. There
> are undoubtedly other protocols, although I don't know of
> any offhand. ;) Generally, protocols are not compatible with
> each other. (This is hard to say for sure, but for the protocols
> we have, this is the case. :). Therefore, we don't want to issue
> challenges for multiple protocols.
> Before I go any further, does this sound right? Is the
> statement above sensible and correct?
I believe it to be both sensible and correct :) I think there may be scope
for us to have a 'protocol fallback' mechanism, but one step at a time!
To clarify, my NTLM challenge implementation uses the same "protocol" as
HTTP 'basic' auth. If Kerberos ever grew a standard HTTP based auth scheme,
it would likely use the same protocol.
> Can people think of any other *real* protocols?
In my searches, the only other 'protocol' I found was one that directly
connects to an authentication server and exchanges credentials. IIRC,
RADIUS was an example that just opened a socket - but I can't recall
exactly. So there may be a "protocol" that directly authenticates on a
challenge, without either redirecting or exchanging HTTP headers.
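A small model of the rule this thread converges on (a response carries challenges for one protocol only, with Basic and NTLM sharing the HTTP-header protocol), added here as an illustration; it is not Zope PAS code, and the class names, protocol labels and `run_challenge` dispatcher are assumptions:

```python
"""Constructed model of 'one challenge protocol per response'.
Challenger classes and protocol labels are assumptions, not PAS API."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Response:
    status: int = 200
    headers: Dict[str, List[str]] = field(default_factory=dict)
    redirect: Optional[str] = None


class BasicChallenger:
    protocol = "http-auth"          # WWW-Authenticate header exchange

    def __init__(self, realm: str) -> None:
        self.realm = realm

    def challenge(self, response: Response) -> bool:
        response.status = 401
        response.headers.setdefault("WWW-Authenticate", []).append(
            f'Basic realm="{self.realm}"')
        return True


class NTLMChallenger:
    protocol = "http-auth"          # same protocol as Basic, per the thread

    def challenge(self, response: Response) -> bool:
        response.status = 401
        response.headers.setdefault("WWW-Authenticate", []).append("NTLM")
        return True


class CookieChallenger:
    protocol = "cookie"             # redirect to a login form

    def __init__(self, login_url: str) -> None:
        self.login_url = login_url

    def challenge(self, response: Response) -> bool:
        response.status = 302
        response.redirect = self.login_url
        return True


def run_challenge(challengers, response: Response) -> Optional[str]:
    """Let the first challenger that fires pick the protocol; later
    challengers run only if they speak that same protocol."""
    chosen = None
    for challenger in challengers:
        if chosen is not None and challenger.protocol != chosen:
            continue                # incompatible protocol: do not mix
        if challenger.challenge(response):
            chosen = challenger.protocol
    return chosen
```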