Hi all!

I am working on integrating Zope into the single sign-on auth server we have. To do so, I started with the cookie_validate method in exUserFolder, modified it to suit, and placed it in my custom userFolder class.

Ok, so it is working great if you go to a page that requires authentication. However, I have noticed a few quirky happenings here, and maybe you guys can help me out.

Sometimes, if I authenticate through the SSO, and try to access an object my user object doesn't have access to, I am sent a 401 Unauthorized with a Basic login window. This is not what I want!

If the user is logged in, but doesn't have access, I want to return a 'no access' page, and if the user is not logged in, then I want to redirect to the SSO. How can I do this? Do I need to 'hack' the HTTPResponse code (methods unauthorized, _unauthorized, and possibly exception) to do this?

Any help would be greatly appreciated.

Thanks!
Andy
Andrew Altepeter wrote at 2003-3-4 09:05 -0600:
I am working on integrating Zope into the single sign-on auth server we have. To do so, I started with the cookie_validate method in exUserFolder, modified it to suit, and placed it in my custom userFolder class.
Ok, so it is working great if you go to a page that requires authentication. However, I have noticed a few quirky happenings here, and maybe you guys can help me out.
Sometimes, if I authenticate through the SSO, and try to access an object my user object doesn't have access to, I am sent a 401 Unauthorized with a Basic login window. This is not what I want!
If the user is logged in, but doesn't have access, I want to return a 'no access' page, and if the user is not logged in, then I want to redirect to the SSO.

UserFolders usually ensure this by overriding the "unauthorized" method of the RESPONSE object. Have a look at CookieCrumbler (as an example).

Dieter
On Tue, 2003-03-04 at 13:03, Dieter Maurer wrote:
UserFolders usually ensure this by overriding the "unauthorized" method of the RESPONSE object.
Have a look at CookieCrumbler (as an example).
Ok, I see. It seems that exUserFolder is an incomplete product then, since it does not override the unauthorized method. As such, it cannot prevent Basic auths from slipping through unannounced...?

Looking in CookieCrumbler.py, I see that the __call__ method replaces the response.unauth methods. But when I try to do that, I get a complaint from Zope:

    File "/usr/local/Zope/lib/python/ZPublisher/HTTPResponse.py", line 662, in exception
      self._unauthorized()
    TypeError: unbound Python method must be called with PortalUserFolder 1st argument

To replace the unauth methods, I do the following in Products/PortalUserFolder/__init__.py:

    from ZPublisher.HTTPResponse import HTTPResponse
    from PortalUserFolder import PortalUserFolder

    # patch the HTTPResponse object's unauth code
    HTTPResponse.old__unauthorized = HTTPResponse._unauthorized
    HTTPResponse._unauthorized = PortalUserFolder._unauthorized
    HTTPResponse.old_unauthorized = HTTPResponse.unauthorized
    HTTPResponse.unauthorized = PortalUserFolder.unauthorized

Well, this doesn't seem to work. What am I doing wrong?

Thanks for all the help,
Andy
Andrew Altepeter wrote at 2003-3-4 15:57 -0600:
...
Have a look at CookieCrumbler (as an example).
Ok, I see. It seems that exUserFolder is an incomplete product then, since it does not override the unauthorized method. As such, it cannot prevent Basic auths from slipping through unannounced...?
Looking in CookieCrumbler.py, I see that the __call__ method replaces the response.unauth methods. But when I try to do that, I get a complaint from Zope:
    File "/usr/local/Zope/lib/python/ZPublisher/HTTPResponse.py", line 662, in exception
      self._unauthorized()
    TypeError: unbound Python method must be called with PortalUserFolder 1st argument
....
    HTTPResponse.unauthorized = PortalUserFolder.unauthorized

You have set it to a class method (more precisely, an "unbound method instance"). To help prevent trivial programming errors, they check that an object of the correct type is passed in. You get the underlying function through the "im_func" pseudo attribute. Thus, you use

    HTTPResponse.unauthorized = PortalUserFolder.unauthorized.im_func

Dieter
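Dieter's two points in this thread (override the RESPONSE's "unauthorized" method so a missing user is redirected to the SSO while a logged-in user without permission gets a "no access" page, and install the raw function rather than an unbound method) as an added, runnable illustration that is not from the thread or from Zope. FakeResponse, PortalUserFolder, SSO_LOGIN_URL and the .user attribute are assumptions standing in for ZPublisher's HTTPResponse and Andy's product; Python 3 has no unbound methods, so the helper reads im_func where it exists and falls through to the plain function otherwise.

```python
import types

SSO_LOGIN_URL = "https://sso.example.invalid/login"  # placeholder (assumption)

class FakeResponse:
    """Stand-in for ZPublisher's HTTPResponse (assumption, not the real class)."""
    def __init__(self, user=None):
        self.user = user  # authenticated user or None; stored here by assumption
        self.status, self.headers, self.body = 200, {}, ""

    def redirect(self, location):
        self.status, self.headers["Location"] = 302, location

    def unauthorized(self):
        # Stock behaviour the thread complains about: a Basic auth challenge.
        self.status = 401
        self.headers["WWW-Authenticate"] = 'basic realm="Zope"'

    _unauthorized = unauthorized

class PortalUserFolder:
    """Hypothetical user folder carrying the replacement logic as a method."""
    def unauthorized(self):
        # Once installed on the response, 'self' is the RESPONSE object.
        if self.user is None:
            self.redirect(SSO_LOGIN_URL)  # not logged in: send to the SSO
        else:
            self.status, self.body = 403, "no access"  # logged in, no permission

    _unauthorized = unauthorized

def plain_function(attr):
    """Python 2 exposes an unbound method's function as im_func; in Python 3
    a class attribute is already a plain function. Return the function."""
    return getattr(attr, "im_func", getattr(attr, "__func__", attr))

def patch_class():
    """Global patch like the one in the thread, but installing the raw function."""
    FakeResponse.old_unauthorized = FakeResponse.unauthorized
    FakeResponse.unauthorized = plain_function(PortalUserFolder.unauthorized)
    FakeResponse._unauthorized = plain_function(PortalUserFolder._unauthorized)

def bind_per_request(response):
    """CookieCrumbler-style alternative: rebind on this one response instance
    only, leaving the class (and every other request) untouched."""
    func = plain_function(PortalUserFolder.unauthorized)
    response.unauthorized = types.MethodType(func, response)
    response._unauthorized = response.unauthorized
    return response
```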