[Zope-PAS] Challengers (and Zope 3)

Mark Hammond mhammond at skippinet.com.au
Thu Sep 30 18:05:07 EDT 2004

> OK, this idea seems to have some potential.  I suggest the following
> algoritm then:
>    # PAS challenge algorithm:
>    protocol = None
>    for chalenger in challengers:
>        protocol = challenger.challenge(request, response, protocol)
>    if protocol is None:
>        # no challengers fired
>        ... do fallback thing
> Challenge methods, then, should be written along the lines of:
>    def challenge(self, request, response, protocol):
>        if protocol is None:
>            ... do stuff (e.g. set response status for http)
>            return self.protocol
>        elif protocol == self.protocol
>             ... do other stuff, often a subset of stuff
>             ... done when protocol is None (e.g. for http, don't set
>             ... 401 status)
>        # we do nothing if protocol doesn't match
>        return protocol

The 'protocol is None' and 'protocol==self.protocol' cases are not clear to
me.  Can you sketch out what HTTP would specifically look like in those 2
branches?  At the moment, it need only do 2 things - set 401, and set a

Other issues that hang over from the existing implementation:

* Who sets the response body?  In CVS PAS, that is done by the HTTP
challenger.  If a site admin disables HTTP auth, then an empty body is
returned as a response.  I am guessing that is the "is None" part above?

* The current implementation still has a problem in that it neglects to
override response._unauthorized().  This method adds HTTP basic auth
headers - so even when HTTP auth is disabled, you can end up with a HTTP
challenge being issued.

* HTTPAuth must do an "addHeader" rather than "setHeader" - the headers
*must* be gathered in the same order that the challengers fired (so that the
plugin order directly affects the authenticate header order)

> I'll be a sprint next week where I think we can try this out for
> basic, digest, and cookie/redirect challengers, where basic and digest
> auth would use the http protocol.

Sounds great!  Hopefully one day my sample with a mock-up of the NTLM
protocol will come in useful.


More information about the Zope-PAS mailing list