NotFound (404) and Unauthorized (401) error page redirects
I need some advice on how to create an Unauthorized (401) error page redirect.

I've discovered how to create a NotFound (404) error page redirect by adding the following code to the top of the "standard_error_message" DTML method, which is located in the root folder...

    <dtml-if "error_type=='NotFound'">
      <dtml-call expr="RESPONSE.redirect('/notfound.html', lock=1)">
    </dtml-if>

However, when I replace 'NotFound' with 'Unauthorized' (--please DO NOT try this on your production Zope server--), anyone who tries to log into the Zope management interface (ZopeServer/manage) is redirected to the unauthorized page.

Basically, I need to know the Zope analog of Apache's "ErrorDocument 401 /unauthorized.html" directive.

Many thanks.

- Kamal

> I need some advice on how to create an Unauthorized (401) error page redirect.

My advice is, don't. Raising a 3xx in the handler for a 401 is misleading, and as you found out, doesn't result in the behavior you might expect.

> I've discovered how to create a NotFound (404) error page redirect by adding the following code to the top of the "standard_error_message" DTML method, which is located in the root folder...
>
>     <dtml-if "error_type=='NotFound'">
>       <dtml-call expr="RESPONSE.redirect('/notfound.html', lock=1)">
>     </dtml-if>

Don't do this either.

> However, when I replace 'NotFound' with 'Unauthorized' (--please DO NOT try this on your production Zope server--), anyone who tries to log into the Zope management interface (ZopeServer/manage) is redirected to the unauthorized page.

Yep, that's how it's supposed to work. When you require authentication to access a URI your web server will respond to requests for that resource with a 401 Authorization Required response. That response is allowed to have a content body, and when you use Apache's ErrorDocument directive you are defining what you want that content to be. Same thing applies for Zope: whatever you want the content of a 401 to be, you must respond with.

    <dtml-if expr="error_type == 'Unauthorized'">
    <html><head><title>401 Authorization Required</title></head><body>blah blah
    </body></html>
    </dtml-if>

(obviously you can use DTML or TAL to reply with something more complicated than static content)

Many browsers choose to capture the 401 response and delay showing it, instead prompting for authentication and only finally showing the actual content of the 401 once the user has decided to cancel the authentication dialog. By masking 4xx errors with 3xx redirects in your error handler you're really creating more problems than you solve. Use the error handler to dole out the content to the client directly, don't try to send the client elsewhere to go get it.

-- 
Jamie Heilman                     http://audible.transient.net/~jamie/
"Paranoia is a disease unto itself, and may I add, the person standing
 next to you may not be who they appear to be, so take precaution."
                                                -Sathington Willoughby

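The behaviour discussed in this thread, as an added example that is not part of either post and is not Zope code: a small WSGI app that answers an unauthenticated request either with a 302 (the pattern from the question) or with a 401 carrying its own body, plus a browser-like client showing that only the 401 with its WWW-Authenticate challenge ever leads to a login. The credentials, realm string and the /manage path handling are constructed for the illustration.

```python
import base64
import hmac

USERS = {"admin": "s3cret"}  # constructed credentials
CHALLENGE = 'Basic realm="Zope"'  # assumed realm
DENIED = b"<html><body>401 Authorization Required</body></html>"

def authorized(header):
    scheme, _, token = header.partition(" ")
    try:
        user, _, pw = base64.b64decode(token).decode().partition(":")
    except ValueError:  # malformed base64 or UTF-8
        return False
    return (scheme.lower() == "basic" and user in USERS
            and hmac.compare_digest(USERS[user].encode(), pw.encode()))

def make_app(redirect_on_401):
    def app(environ, start_response):
        if environ["PATH_INFO"] == "/unauthorized.html":
            start_response("200 OK", [("Content-Type", "text/html")])
            return [DENIED]
        if authorized(environ.get("HTTP_AUTHORIZATION", "")):
            start_response("200 OK", [("Content-Type", "text/plain")])
            return [b"management interface"]
        if redirect_on_401:  # the pattern from the question
            start_response("302 Found", [("Location", "/unauthorized.html")])
            return [b""]
        start_response("401 Unauthorized", [("WWW-Authenticate", CHALLENGE),
                                            ("Content-Type", "text/html")])
        return [DENIED]  # content travels with the 401 itself
    return app

def fetch(app, path, auth=None):
    seen = {}
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if auth:
        environ["HTTP_AUTHORIZATION"] = auth
    body = b"".join(app(environ, lambda s, h: seen.update(status=s[:3], headers=dict(h))))
    return seen["status"], seen["headers"], body

def browser_login(app, path, user, password):
    """Statuses seen and final body for a browser-like client."""
    trail = [fetch(app, path)]
    status, headers, _ = trail[0]
    if status == "401" and "WWW-Authenticate" in headers:  # challenged: retry
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        trail.append(fetch(app, path, "Basic " + token))
    elif status == "302":  # no challenge seen, credentials are never sent
        trail.append(fetch(app, headers["Location"]))
    return [step[0] for step in trail], trail[-1][2]
```

With `make_app(True)` a user holding valid credentials still ends on the unauthorized page, because the client never receives a challenge to answer.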
participants (2): Jamie Heilman, Kamal Gill