Hi, I have two (sets of) DTML Documents: Document A has 'View' access for 'Anonymous'; Document B has 'View' access for 'Authenticated'. Both use the same standard_html_header:

--- snip ---
<dtml-if "AUTHENTICATED_USER.has_role('Authenticated', this())">
You are worthy ...
<dtml-else>
Go away!
</dtml-if>
Your role: <dtml-var "AUTHENTICATED_USER.getRoles()">
Your login: <dtml-var "AUTHENTICATED_USER.getUserName()">
--- /snip ---

When a user views document B, he has to log in and gets the message:
You are worthy ...
Your role: My_Role
Your login: My_Name

Then he/she views document A:
Go away!
Your role: Anonymous
Your login: Anonymous User

When the user goes back to a B-type document he/she is authenticated again.

Why doesn't Zope return the basic authentication information for the pages that can be viewed as anonymous? How do I get the "real" role?

Regards Christoph

PS.: FYI - Zope 2.6.2 (source with python 2.1) - OS: Linux - using Zope-webserver (for development only)
It is very likely that your browser only sends basic auth info when challenged by a 401. Use cookie auth (CookieCrumbler) to get around this.

Stefan

On Tuesday, Mar 9, 2004, at 17:30 Europe/Vienna, Christoph Landwehr wrote:
Why doesn't Zope return the basic authentication information for the pages that can be viewed as anonymous? How do I get the "real" role?

-- The time has come to start talking about whether the emperor is as well dressed as we are supposed to think he is. /Pete McBreen/
Hi Stefan, unfortunately it is not that easy. If I log in as a "some_role" user, Zope behaves like I described. However, when I log into the /manage screen as manager and then go back to a type A document (no authentication necessary) I am still authenticated. Does that mean that for the management interface a cookie authentication is used? Just trying to understand ...

Regards Christoph

Stefan H. Holek wrote:
It is very likely that your browser only sends basic auth info when challenged by a 401. Use cookie auth (CookieCrumbler) to get around this.
Stefan
Christoph Landwehr wrote at 2004-3-11 12:30 +0100:
unfortunately it is not that easy. If I log in as a "some_role" user, Zope behaves like I described. However, when I log into the /manage screen as manager and then go back to a type A document (no authentication necessary) I am still authenticated.

When you want to understand how most browsers work, read the HTTP 1.1 specification. Be warned that it is not completely trivial.
... Stefan H. Holek wrote:
It is very likely that your browser only sends basic auth info when challenged by a 401. Use cookie auth (CookieCrumbler) to get around this.
-- Dieter
Christoph Landwehr wrote:
Does that mean that for the management interface a cookie authentication is used? Just trying to understand ..
No, the ZMI will always use basic authentication unless CookieCrumbler is installed and successfully configured. As a good rule of thumb, if a box pops up asking you to type in a username and password, you're using basic authentication. If a login form appears within the HTML page you're viewing, then you're using cookie authentication.

cheers, Chris

-- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
Hi,
If a login form appears within the HTML page you're viewing, then you're using cookie authentication.
Sorry if I didn't put my question right. I did not mean to ask the difference between basic and cookie authentication. What I found out: If I log in in the (let's say) root folder, and then view a document below root, I am authenticated, no matter if the object needs authentication or not. I understand that the authentication is being acquired. If I log in at object B (authentication required) and then view document A (no authentication) on the same level, I am NOT authenticated (not on the acquisition path). But I can view a third document (authentication required) on the same level without being asked for authentication again, although it is not in the acquisition path of the first object. That's a bit confusing (for me).

Regards Christoph
Christoph Landwehr wrote:
If I log in at object B (authentication required) and then view document A (no authentication) on the same level, I am NOT authenticated (not on the acquisition path). But I can view a third document (authentication required) on the same level without being asked for authentication again, although it is not in the acquisition path of the first object.
That's a bit confusing (for me)
...and you still haven't said if you're using Basic Auth or Cookie Auth.

If you're using Basic Auth, then what you're seeing is a result of the fact that browsers only send cached basic authentication credentials if prompted to do so by receiving a 401 from the webserver. Zope can only send a 401 when someone views a page that requires authentication. This is to do with the stateless nature of HTTP and how Basic Authentication works.

What would you like to have happen?

Chris

-- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk

Chris Withers wrote:
...and you still haven't said if you're using Basic Auth or Cookie Auth.
Sorry. I am using Basic Auth.
If you're using Basic Auth, then what you're seeing is a result of the fact that browsers only send cached basic authentication credentials if prompted to do so by receiving a 401 from the webserver.
What would you like to have happen?
I would like "AUTHENTICATED_USER.has_role('Authenticated',this())" to be true for all pages in a folder after I have logged in at one page of the folder requiring authentication. Similar to the /manage pages: if I am authenticated for "object1/manage" I can view "object2/manage" without being prompted for a password again.

Regards Christoph
Christoph Landwehr wrote at 2004-3-15 20:53 +0100:
... If I log in in the (let's say) root folder, and then view a document below root, I am authenticated, no matter if the object needs authentication or not. I understand that the authentication is being acquired.
If I log in at object B (authentication required) and then view document A (no authentication) on the same level, I am NOT authenticated (not on the acquisition path). But I can view a third document (authentication required) on the same level without being asked for authentication again, although it is not in the acquisition path of the first object.
That's a bit confusing (for me)
This is what the HTTP 1.1 specification suggests to do... There is also some motivation given for these suggestions ... -- Dieter
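The rule Chris states (a browser resends cached Basic credentials only after a 401) and the HTTP 1.1 behaviour Dieter points at (RFC 2617 section 2: after a challenge, credentials may be sent pre-emptively only for URLs in the same "protection space", i.e. the realm plus every path at or below the directory of the URL that answered 401) together reproduce all three of Christoph's observations. The following is an added example written for this page, not code from the thread or from Zope: `handle_request` is a toy stand-in for Zope's Anonymous/Authenticated 'View' check, and the paths (/A, /B/index_html, /C, /manage_main), the realm and the user are constructed assumptions. In particular it assumes document B is a folder with an index_html, so that the challenge's directory is /B/ and does not cover /A.

```python
"""Toy model of Basic-auth credential caching (RFC 2617 section 2).

Constructed example for this thread; it is not Zope code. `handle_request`
stands in for Zope: a document either has 'View' for Anonymous or requires
the Authenticated role, and the user is identified solely from the
Authorization header of the current request. `BasicAuthBrowser` models a
browser: it sends cached credentials pre-emptively only inside the
protection space of a URL that previously answered 401, and otherwise
waits for a 401 before retrying with them. Paths and the user are made up.
"""
import base64
import posixpath

REALM = "Zope"
USERS = {"alice": "secret"}            # constructed account

# path -> True if 'View' requires the Authenticated role
DOCUMENTS = {
    "/A": False,                       # document A: 'View' for Anonymous
    "/B/index_html": True,             # document B, assumed to be a folder
    "/C": True,                        # a third protected document
    "/manage_main": True,              # the ZMI at the root folder
}


def handle_request(path, headers):
    """Return (status, payload). For 200 the payload is what the DTML header
    in the thread would print; for 401 it carries the challenge header."""
    if path not in DOCUMENTS:
        return 404, None
    user = None
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            login, _, password = base64.b64decode(auth[6:]).decode().partition(":")
        except ValueError:             # covers binascii.Error and bad UTF-8
            login, password = None, None
        if login in USERS and USERS[login] == password:
            user = login
    if DOCUMENTS[path] and user is None:
        return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
    if user is None:
        return 200, {"user": "Anonymous User", "roles": ["Anonymous"]}
    return 200, {"user": user, "roles": ["Authenticated"]}


def parse_realm(challenge):
    """'Basic realm="Zope"' -> 'Zope' (enough for this toy server)."""
    return challenge.partition("realm=")[2].strip().strip('"')


class BasicAuthBrowser:
    """Client-side credential cache keyed by (realm, directory)."""

    def __init__(self, login, password):
        token = base64.b64encode(("%s:%s" % (login, password)).encode()).decode()
        self.credential = "Basic " + token   # what the user typed into the dialog
        self.spaces = set()                  # (realm, directory) pairs seen in 401s

    @staticmethod
    def space_dir(path):
        # RFC 2617: the space covers all paths at or deeper than the directory
        # of the URL that carried the challenge ("/B/index_html" -> "/B/").
        return posixpath.dirname(path).rstrip("/") + "/"

    def get(self, path):
        """Fetch path; return (sent_preemptively, user_seen_by_server)."""
        preemptive = any(path.startswith(d) for _realm, d in self.spaces)
        headers = {"Authorization": self.credential} if preemptive else {}
        status, payload = handle_request(path, headers)
        if status == 401:
            # Challenged: reuse the cached password for this realm without
            # prompting again, and remember the new protection space.
            self.spaces.add((parse_realm(payload["WWW-Authenticate"]),
                             self.space_dir(path)))
            status, payload = handle_request(path, {"Authorization": self.credential})
        return preemptive, payload["user"] if status == 200 else None


def scenario_login_at_root():
    """Log in at the root ZMI, then view the anonymous document A."""
    browser = BasicAuthBrowser("alice", "secret")
    return [(p,) + browser.get(p) for p in ("/manage_main", "/A")]


def scenario_login_at_folder_b():
    """Log in at B (a folder), then view A and the protected C at root level."""
    browser = BasicAuthBrowser("alice", "secret")
    return [(p,) + browser.get(p) for p in ("/B/index_html", "/A", "/C")]


if __name__ == "__main__":
    for row in scenario_login_at_root() + scenario_login_at_folder_b():
        print("%-15s pre-emptive=%-5s user=%s" % row)
```

Logging in at the root puts "/" into the cache, so /A then arrives with an Authorization header and the DTML header sees the real user. Logging in at /B/index_html caches only "/B/", so /A arrives without credentials and Zope reports Anonymous User, while /C provokes a 401 that the browser answers from its cache without showing the dialog again. A login cookie scoped to the site root (the approach Stefan suggests with CookieCrumbler) is sent on every request regardless of path, which is why it does not show this effect.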