[Zope-PAS] Challengers (and Zope 3)

Mark Hammond mhammond at skippinet.com.au
Thu Sep 30 17:47:34 EDT 2004

> > My reading of the relevant RFCs implies that it should be
> possible to have
> > the actual login page as the body of the 401 message.
> >
> > It states:
> >    If the 401 response contains
> >    the same challenge as the prior response, and the user agent has
> >    already attempted authentication at least once, then the user
> >    should be presented the entity that was given in the response,
> >    since that entity may include relevant diagnostic information.
> I don't read that as support for a login page.  This is really
> just a matter of giving teh user useful information, such as
> the reason they can't be authenticated or the reason they need
> to be authenticated in the first place.  There's no way to
> provide a login page that the browser will understand.
> Of course, the user could store the information entered some other
> way to authenticate a session. Perhaps that's what you meant.

What I meant was that the RFC does not appear to limit the response body.
Thus, rather than just having a body of "<b>you are not authorized<b>", it
should be possible to have "<a href=foo>Click here to login</a>".  Taking
that further, I see no reason we could not have a complete form.

I'm not necessarily saying we *should* do that - just that I believe we

I agree though that the major issue is getting the challenge/response
protocols working together, rather than trying to work across protocols.


More information about the Zope-PAS mailing list