[Zope-PAS] Challengers (and Zope 3)

Mark Hammond mhammond at skippinet.com.au
Thu Sep 30 20:41:43 EDT 2004

> > Sounds great!  Hopefully one day my sample with a mock-up
> > of the NTLM protocol will come in useful.

> This will be a Zope 3 sprint BTW.

Just FYI, you may still find it useful.

It is a PAS plugin, so I am vaguely hoping that once the PAS framework is
running under Zope3, converting plugins will not be too difficult :)  The
other part of the sample is a pure-python HTTP client.

The example also demonstrates one horrible issue.  To quote that davenport
page again:

This scheme differs from most "normal" HTTP authentication mechanisms, in
that subsequent requests over the authenticated connection are not
themselves authenticated; NTLM is connection-oriented, rather than
request-oriented. So a second request for "/index.html" would not carry any
authentication information, and the server would request none. If the server
detects that the connection to the client has been dropped, a request for
"/index.html" would result in the server reinitiating the NTLM handshake.

So somehow I need to remember the credentials on a per-connection basis.  At
the moment, the example has localized (presumably Zope2 specific) code that
sticks objects directly in the asynchat channel object!

If we predict that NTLM is the only auth scheme that will face that issue,
it can obviously remain the problem of whoever is implementing NTLM.
Otherwise, it would be wonderful for PAS to offer some assistance for
implementors of such schemes.

As usual, I'm willing to contribute code once everyone agrees in general
terms (and often before <wink>)


More information about the Zope-PAS mailing list