acessing raw header information?
Hello, After digging some time in the zope sources i couldn't find a way to access the 'Authorization' Request-Header inside a PythonScript or PageTemplate. I need this to circumvent a javascript/Mozilla bug. Is there a way to access 'Authorization' Header or raw request headers in general? don't have to much experience with zope-mailing lists culture so hopefully this is not the wrong list... thanks, holger
Dirk Datzert wrote:
Hello Holger
holger krekel schrieb:
I need this to circumvent a javascript/Mozilla bug.
Which javscript bug can affected by Authorization ?
If you e.g. do in javascript: p = new HttpRequest(); p.open("POST", url); p.send(somestring, true); and the POST-url requires HTTP-Authentication from the Zope-side then Mozilla fails to resend a correct POST-request with authorization. In fact, mozilla doesn't send the body of the POST-request anymore. It doesn't matter if you have already been authenticated (through the browser-login-window) before or during that interaction. regards, holger
Hello Holger,
Which javscript bug can affected by Authorization ?
If you e.g. do in javascript:
p = new HttpRequest(); p.open("POST", url); p.send(somestring, true);
and the POST-url requires HTTP-Authentication from the Zope-side then Mozilla fails to resend a correct POST-request with authorization. In fact, mozilla doesn't send the body of the POST-request anymore. It doesn't matter if you have already been authenticated (through the browser-login-window) before or during that interaction.
Why you do not change the workflow ? first authentication, then show the form or javascript page, and sent HttpRequest if user is authenticated ? Or why you can't use method GET ? Regards, Dirk
Dirk Datzert wrote:
Hello Holger,
Which javscript bug can affected by Authorization ?
If you e.g. do in javascript:
p = new HttpRequest(); p.open("POST", url); p.send(somestring, true);
and the POST-url requires HTTP-Authentication from the Zope-side then Mozilla fails to resend a correct POST-request with authorization. In fact, mozilla doesn't send the body of the POST-request anymore. It doesn't matter if you have already been authenticated (through the browser-login-window) before or during that interaction.
Why you do not change the workflow ? first authentication, then show the form or javascript page, and sent HttpRequest if user is authenticated ?
It doesn't matter if you authenticated after the first POST-request or at the time when you received the html-page containing the script. See here for a more detailed description (also involving Zope): http://bugzilla.mozilla.org/show_bug.cgi?id=176051 I am convinced that this problem has nothing to do with Zope. But i need the 'Authorization' header info within the Zope-App to circumvent this bug. So my question remains: Isn't it possible to get to the raw header information of a request from a PythonScript or PageTemplate? regards, holger
On Saturday 02 November 2002 3:18 pm, holger krekel wrote:
So my question remains: Isn't it possible to get to the raw header information of a request from a PythonScript or PageTemplate?
For all headers exception Authorization, yes. Allowing access to that header would be a security problem. If this doesnt worry you, "grep -i authorization" in the ZPublisher directory to see what you need to change.
Toby Dickenson wrote:
On Saturday 02 November 2002 3:18 pm, holger krekel wrote:
So my question remains: Isn't it possible to get to the raw header information of a request from a PythonScript or PageTemplate?
For all headers exception Authorization, yes. Allowing access to that header would be a security problem.
I see.
If this doesnt worry you, "grep -i authorization" in the ZPublisher directory to see what you need to change.
Thanks for the suggestion but this is not viable at the moment. We won't change the zope installation at our customers. My next try will be to get my configuration to sent authorization headers along the first request. This sometimes happens but i have no idea what the rules are. but thanks for all the answers anyway! holger
Hi Holger, ... snip ...
My next try will be to get my configuration to sent authorization headers along the first request. This sometimes happens but i have no idea what the rules are.
but thanks for all the answers anyway!
Did you think about authorization with cookies? Perhaps cookies are send with your javascript construct? Regards Tino
holger krekel writes:
After digging some time in the zope sources i couldn't find a way to access the 'Authorization' Request-Header inside a PythonScript or PageTemplate. I need this to circumvent a javascript/Mozilla bug. There is "REQUEST._auth".
But, of course, due to the leading "_", you cannot access it in TTW code.
Is there a way to access 'Authorization' Header or raw request headers in general? Not that I know of.
don't have to much experience with zope-mailing lists culture so hopefully this is not the wrong list... "zope@zope.org" would be better. "zope-dev" is destined for development of Zope itself.
Dieter
participants (5)
-
Dieter Maurer -
Dirk Datzert -
holger krekel -
Tino Wildenhain -
Toby Dickenson