On Sat, 9 Nov 2002, Grant K Rauscher wrote:
This is how the HTTP/1.1 specification requires it to be. Your browser follows this spec.
Dieter,
I understand the HTTP spec... but Zope does not work that way.
I can use methods which require roles above where I logged in. The methods used for returning the roles themselves do not correlate with Zope's own actions. Therefore Zope has an internal inconsistency regarding user authentication with basic HTTP authorization.
Zope has one security policy (you are authed from the user folder you appear in on down), but basic auth has a different one that requires that the browser only *send* the auth credentials at the folder you *log in at* and down. So if you've logged in at the "below" location, and subsequently visit a location between the user folder and the log in point, the *browser* will not *send* the auth credentials, so you are anonymous. If you then auth on that new (higher) page, the browser will start sending the auth credentials. --RDM

PS: it seems to me that not all browsers obey this, or perhaps some send the auth for the higher level folders if challenged and, if it works, don't prompt the user.
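The two policies RDM contrasts, as an added simulation that is not part of the thread and not Zope's or any browser's code. The server side models the Zope rule (valid credentials presented anywhere at or below the user folder identify the user); the client side models the Basic auth rule (remembered credentials are sent preemptively only at or below the URL where the 401 challenge was received), with a switch for the variant the PS suspects, where a browser retries a 401 with remembered credentials before prompting. The site layout, user names, passwords and every function name are assumptions made for the example; one further assumption is that challenged URLs are treated as folders (Zope URLs name objects, not files), so the protection space is the challenged path itself, whereas RFC 2617 uses the directory of the challenged URI.

```python
import base64

# Constructed site layout (assumption for the example, not from the thread):
# the user folder lives at /site, so the server honours valid credentials for
# /site and everything below it.  Two objects require an authenticated user;
# everything else is public but reports which user it saw.
USER_FOLDER = "/site"
USERS = {"grant": "secret"}                      # constructed credential store
REQUIRES_USER = {"/site/reports/q3", "/site/admin"}


def is_within(space, path):
    """True when `path` is `space` itself or lies below it."""
    return path == space or path.startswith(space.rstrip("/") + "/")


def basic_header(user, password):
    """Build the Authorization header a browser would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def server(path, authorization=None):
    """Zope-side policy: credentials presented anywhere at or below the user
    folder identify the user; protected objects answer 401 without one.
    Returns (status, user_seen)."""
    user = None
    if authorization and authorization.startswith("Basic ") and is_within(USER_FOLDER, path):
        try:
            name, _, password = base64.b64decode(authorization[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            name = password = None
        if name in USERS and USERS[name] == password:
            user = name
    if path in REQUIRES_USER and user is None:
        return 401, "Anonymous"
    return 200, user or "Anonymous"


class Browser:
    """Client-side policy: credentials are remembered per protection space and
    sent preemptively only for URLs at or below the challenged URL (assumption:
    the space is the challenged path, treated as a folder).  With
    reuse_on_challenge=True the browser first retries a 401 with any remembered
    credentials before prompting, the behaviour RDM's PS suspects some do."""

    def __init__(self, reuse_on_challenge=False):
        self.spaces = {}                # protection space -> Authorization header
        self.reuse_on_challenge = reuse_on_challenge
        self.prompts = 0                # how often the person had to type a password

    def _remembered_for(self, path):
        for space, header in self.spaces.items():
            if is_within(space, path):
                return header
        return None

    def get(self, path, login=None):
        """Fetch `path`; `login` is the (user, password) typed if prompted.
        Returns (status, user_seen_by_server)."""
        header = self._remembered_for(path)
        status, who = server(path, header)
        if status != 401:
            return status, who
        if header is None and self.reuse_on_challenge:
            for candidate in set(self.spaces.values()):
                status, who = server(path, candidate)
                if status != 401:
                    self.spaces[path] = candidate
                    return status, who
        if login is None:
            return 401, "Anonymous"
        self.prompts += 1
        header = basic_header(*login)
        status, who = server(path, header)
        if status != 401:
            self.spaces[path] = header
        return status, who


def run_scenario(reuse_on_challenge):
    """Log in deep in the tree, then walk up, down and sideways."""
    b = Browser(reuse_on_challenge)
    login = ("grant", "secret")
    trace = [
        ("/site/reports/q3", b.get("/site/reports/q3", login)),    # challenged here: logged in
        ("/site/reports", b.get("/site/reports", login)),          # above the login point: nothing sent
        ("/site/reports/q3/x", b.get("/site/reports/q3/x", login)),  # below it: header sent preemptively
        ("/site/admin", b.get("/site/admin", login)),              # sibling branch: challenged again
    ]
    return trace, b.prompts


if __name__ == "__main__":
    for reuse in (False, True):
        trace, prompts = run_scenario(reuse)
        print(f"reuse_on_challenge={reuse}: prompted {prompts} time(s)")
        for path, (status, who) in trace:
            print(f"  {path:20} {status} seen as {who}")
```

Whatever the browser does on a challenge, the public page between the user folder and the login point sees the visitor as Anonymous, because no challenge is issued there and the strict scoping rule keeps the browser from sending the header; the server would have accepted it anywhere under /site. The two browser variants differ only at /site/admin, where the strict one prompts a second time and the lenient one silently succeeds with the remembered credentials.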