Grant K Rauscher writes:
> > This is how the HTTP/1.1 specification requires it to be. Your browser follows this spec.
>
> Dieter,
>
> I understand the HTTP spec... but ZOPE does not work that way.
>
> I can use methods which require roles above where I logged in. The methods used for returning the roles themselves do not correlate with ZOPE's own actions. Therefore ZOPE has an internal inconsistency regarding user authentication with basic HTTP authorization.

I do not think so.

Zope authentication works as follows: Traverse to the object indicated by the URL. Look up the chain of visited nodes to see whether you find a user folder that can authenticate the user sufficiently to access *this* object. If no such user folder is found, return an "Unauthorized" HTTP response.

This behaviour is documented and consistent.

However, when you access a weakly protected object (e.g. one viewable by "Anonymous"), then there is no need for authentication information in the request. When you ask in this object who the user is, you may get "Anonymous".

The HTTP/1.1 spec says: the browser should automatically send authentication information for pages beside and below one that required authentication. Therefore, you may get a user different from "Anonymous", i.e. when you access below the object requiring authentication.

When you do not like this behaviour, you must either:

  * protect your objects more strongly
  * ensure a login high in the hierarchy
  * leave basic authentication (and use e.g. cookie authentication).

Dieter
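The traversal-and-lookup walk described in Dieter's reply, as an added model that is not Zope's own code: it assumes a constructed object tree (`/public`, `/private`, `/private/report`), a single toy user folder with user `alice`, and that an identified user may do whatever "Anonymous" may do. It shows why the same anonymous-viewable object reports "Anonymous" without credentials but `alice` when the browser sends them along.

```python
# Constructed model of the traversal walk described above; not Zope's code.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

ANONYMOUS = ("Anonymous", {"Anonymous"})

class Unauthorized(Exception):
    pass  # stands in for the HTTP 401 response Zope returns

@dataclass
class UserFolder:
    users: Dict[str, Tuple[str, Set[str]]]  # name -> (password, roles); toy store
    def authenticate(self, creds):
        if creds is None:
            return None
        name, password = creds
        entry = self.users.get(name)
        if entry is None or entry[0] != password:
            return None
        # Model assumption: an identified user may also do what Anonymous may do.
        return (name, entry[1] | {"Anonymous"})

@dataclass
class Node:
    view_roles: Set[str]                               # roles allowed to view it
    children: Dict[str, "Node"] = field(default_factory=dict)
    user_folder: Optional[UserFolder] = None

def authorize(root, path, creds=None):
    """Traverse to `path`, then walk back up the visited chain for a user folder
    that identifies a user holding a role permitted on *this* object."""
    visited = [root]
    for part in [p for p in path.split("/") if p]:
        visited.append(visited[-1].children[part])
    target = visited[-1]
    for node in reversed(visited):                     # innermost folder first
        if node.user_folder is not None:
            user = node.user_folder.authenticate(creds)
            if user is not None and user[1] & target.view_roles:
                return user
    if "Anonymous" in target.view_roles:               # weakly protected object:
        return ANONYMOUS                                # no credentials needed
    raise Unauthorized(path)

def build_site():
    """Constructed tree: /public is viewable by anyone, /private needs Manager,
    and /private/report is itself anonymous-viewable."""
    root = Node({"Anonymous"}, user_folder=UserFolder({"alice": ("secret", {"Manager"})}))
    root.children["public"] = Node({"Anonymous"})
    root.children["private"] = Node({"Manager"}, {"report": Node({"Anonymous"})})
    return root
```

Calling `authorize(build_site(), "/private/report")` with no credentials yields "Anonymous", while the same call with `("alice", "secret")`, which an HTTP/1.1 browser sends for anything below `/private` once it has logged in there, yields `alice`.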