"Jay, Dylan" wrote:
One way is to not replicate the challenge-response functionatlity at all. this is the solution i have opted for. it has run now for two years :-) the problem is Zope cannot be in remote user mode and in normal mode at the same time. I think that setting up a zeo cluster (one zope instance that is served through IIS, and is used to update content, and one which has the normal behavior, and serves public content) could enable this, but I haven't tried yet.
Put Zope behind IIS in two spots. One which is protected and thus elicits a challenge/response and another that has IIS anoymous access on it. Then get the zope security machinery to alternate between the two urls depending on the security required. please elaborate: you mean that when access to http://iis.host.com/zope_anonymous.pcgi/protected_resource is forbidden, zope automatically redirect the user to http://iis.host.com/zope_protected.pcgi/protected_resource?
Then all you need is remote user mode in Zope to work by allowing any remote user secure access. Perhaps remembering new REMOTE_USER's so further roles can be associated with them. I don't understand :-(
regards, jephte.clain@univ-reunion.fr