[Zope-PAS] Challengers (and Zope 3)
mhammond at skippinet.com.au
Thu Sep 30 17:47:34 EDT 2004
> > My reading of the relevant RFCs implies that it should be
> possible to have
> > the actual login page as the body of the 401 message.
> > It states:
> > If the 401 response contains
> > the same challenge as the prior response, and the user agent has
> > already attempted authentication at least once, then the user
> > should be presented the entity that was given in the response,
> > since that entity may include relevant diagnostic information.
> I don't read that as support for a login page. This is really
> just a matter of giving teh user useful information, such as
> the reason they can't be authenticated or the reason they need
> to be authenticated in the first place. There's no way to
> provide a login page that the browser will understand.
> Of course, the user could store the information entered some other
> way to authenticate a session. Perhaps that's what you meant.
What I meant was that the RFC does not appear to limit the response body.
Thus, rather than just having a body of "<b>you are not authorized<b>", it
should be possible to have "<a href=foo>Click here to login</a>". Taking
that further, I see no reason we could not have a complete form.
I'm not necessarily saying we *should* do that - just that I believe we
I agree though that the major issue is getting the challenge/response
protocols working together, rather than trying to work across protocols.
More information about the Zope-PAS