[Zope] ZServer: Www-Authenticate header not passed

John Eikenberry jae@kavi.com
Tue, 9 Feb 1999 19:07:08 -0800 (PST)


On 10 Feb 1999, Andrew Snare wrote:

> It would appear when doing user authentication that ZServer doesn't
> include a Www-Authenticate header in the 401 response, meaning that
> (amongst other things) __bobo_realm__ isn't passed on to the
> browser.

I bet I know what's going on here...

ZServer probably raises an Unauthorized exception and this causes it to
skip the code that puts the WWW-authenticate in the headers. I found
this after running into a similar problem with Bobo (my realm wasn't
getting set, which I needed). I was raising an Unauthorized exception in
my validation method (the method that gets called to authenticate the
users). The exception isn't caught by the code in ZPublisher.Publish (see
below) and passes right through to the response code (in
ZPublisher.Response).

If this is the problem, a temporary fix might be to wrap the call to the
validation in a try: except 'Unauthorized': ... check out lines 520-536
in ZPublisher.Publish. I would submit a patch, but I haven't had time to
see if this would break anything else.

The validate method gets called at line 520:

                else: user=v(request, auth, roles)
                           ^-the validate method

On lines 535-536 is where the method gets called (self.unauthorized()),
which puts the WWW-authenticate in the header...

            if user is None and roles != UNSPECIFIED_ROLES:
                self.unauthorized(realm,debug_mode)

Hope this helps,

---

John Eikenberry
[jae@kavi.com - http://taos.kavi.com/~jae/] 
______________________________________________________________
"A society that will trade a little liberty for a little order
 will deserve neither and lose both."
                                         --B. Franklin
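
An added illustration, not part of the original message and not ZPublisher code: a simplified Python 3 model of the control flow described above, showing a 401 that loses its challenge header when the validator raises, and the suggested try/except wrapper restoring it. All names are hypothetical, and an exception class stands in for the string exception 'Unauthorized'.

```python
# Simplified model of the control flow in the message; every name is hypothetical.
class Unauthorized(Exception):
    """Stands in for the 1999-era string exception 'Unauthorized'."""

class Response:
    def __init__(self):
        self.status, self.headers = 200, {}

    def unauthorized(self, realm):
        # The only place the challenge header is ever set.
        self.headers["WWW-Authenticate"] = 'Basic realm="%s"' % realm
        self.status = 401

def raising_validator(request, auth, roles):
    # Signals failure by raising instead of returning None.
    raise Unauthorized("bad credentials")

def returning_validator(request, auth, roles):
    return None

def publish(validate, realm, wrap_validation):
    response = Response()
    try:
        if wrap_validation:
            try:
                user = validate({}, None, ["Manager"])
            except Unauthorized:
                user = None  # fall through to the normal challenge path
        else:
            user = validate({}, None, ["Manager"])
        if user is None:
            response.unauthorized(realm)
    except Unauthorized:
        # Generic error path: the status is set but the challenge is skipped.
        response.status = 401
    return response

def missing_challenge(response):
    # A 401 without WWW-Authenticate gives the browser no realm to prompt for.
    return response.status == 401 and "WWW-Authenticate" not in response.headers

if __name__ == "__main__":
    for name, v in (("raising", raising_validator), ("returning", returning_validator)):
        for wrap in (False, True):
            r = publish(v, "constructed-realm", wrap)
            print(name, "wrapped" if wrap else "unwrapped", r.status, r.headers)
```

The `missing_challenge` check is also usable as a regression test for any handler that can return 401.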