[Zope-PAS] Challengers (and Zope 3)

Lennart Regebro regebro at nuxeo.com
Thu Sep 30 05:45:44 EDT 2004

Jim Fulton wrote:
> Let me see if I can state this correctly and clearly. For
> lack of a better term, I'll say that there can be multiple
> protocols for making challenges.  Examples of protocols include
> HTTP Authentication and Cookie-based authentication.  There
> are undoubtedly other protocols, although I don't know of
> any offhand. ;)  Generally, protocols are not compatible with
> each other. (This is hard to say for sure, but for the protocols
> we have, this is the case. :).  Therefore, we don't want to issue
> challenges for multiple protocols.
> Before I go any further, does this sound right?  Is the statement above
> sensible and correct?
> Can people think of any other *real* protocols?

The protocols I know of would be:

- Returning a login-page
- Redirecting to a login-page
- WWW-Authenticate

Which of these are possible to mix depends on client implementation. For 
example, here we notice that you can't put a redirect header and 
authenticate header in one response: 
The meta tag *might* work but that's kinda ugly.

However, having a WWW-Authenticate: NTLM and an in-place login page would 
probably work, and might be desired so as not to have to fall back to the 
insecure Basic Auth.

Having several WWW-Authenticate headers usually seems to work, just try 
putting in several WWW-Authenticate: Basic headers. Yup, you'll get 
several login dialogs. ;) But that may not be considered mixing protocols...

So, you might say that one might want to mix protocols. But "we" 
shouldn't do that, that is, PAS should not try to do that, it gets too 
complicated. It is instead up to each single challenge-plugin to decide 
what to do.
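
Added example, not part of the original post and not PAS code: a sketch of the check a single challenge plugin would make before putting more than one of the three protocols listed above into one HTTP response. `Challenge`, `merge` and the helper names are hypothetical, and serving a lone in-place login page with status 200 is an assumption.

```python
# Added illustration. Challenge, merge and the helpers are hypothetical names,
# not the PAS plugin API.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


class ChallengeConflict(Exception):
    """The challenges cannot share a single HTTP response."""


@dataclass
class Challenge:
    status: Optional[int]  # status the protocol requires, None if it has no preference
    headers: List[Tuple[str, str]] = field(default_factory=list)
    body: str = ""


def www_authenticate(scheme: str, realm: Optional[str] = None) -> Challenge:
    value = scheme if realm is None else f'{scheme} realm="{realm}"'
    return Challenge(401, [("WWW-Authenticate", value)])


def redirect_to_login(url: str) -> Challenge:
    return Challenge(302, [("Location", url)])


def inline_login_page(html: str) -> Challenge:
    # An in-place form is only a body, so it can ride on a 401.
    return Challenge(None, [("Content-Type", "text/html")], html)


def merge(challenges: List[Challenge]) -> Tuple[int, List[Tuple[str, str]], str]:
    """Combine challenges into one (status, headers, body) or raise."""
    statuses = {c.status for c in challenges if c.status is not None}
    if len(statuses) > 1:
        # e.g. a redirect needs 302 while WWW-Authenticate needs 401
        raise ChallengeConflict(f"incompatible status codes: {sorted(statuses)}")
    bodies = [c.body for c in challenges if c.body]
    if len(bodies) > 1:
        raise ChallengeConflict("only one challenge may supply the response body")
    # Assumption: a lone in-place login page is served with 200.
    status = statuses.pop() if statuses else 200
    headers = [h for c in challenges for h in c.headers]
    return status, headers, bodies[0] if bodies else ""
```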
