[Zope-CMF] Auth problem, CMF, XML-RPC, ZCLASS
Brad Clements
bkc@murkworks.com
Tue, 5 Mar 2002 16:38:24 -0500
I'm looking for any suggestions on how to solve this problem. It's somewhat complicated. I'll try to be clear in the explanation.
Sorry for the double post, I'm not sure if this is a CMF/cookie crumbler issue, or a Zope issue.
Zope 2.5.0 binary on RH Linux 7.1 with CMF beta 1.1 (will upgrade shortly, but I don't think that's the issue).
Layout of items is like this:

    /                    (zope root)
    /AdkWood             (folder)
      /CMF               (CMF Site)
        /Manage          (has javascript source and index_html for one-page web app)
        /Members         (folder)
          /bkc           (folder)
            /mycompany   (ZClass instance of SearchableCompany)
        /acl_users       (for CMF)
    /acl_users           (top level)
In Products/SearchableCompanyProduct/SearchableCompany/methods:

    CompanyRequest_py    (Python Script)
Program Description:

User navigates to /AdkWood/CMF/Manage. This is a protected folder, so they must be an Owner or Manager. They get the login form screen and can authenticate with either a CMF/acl_users username or a root /acl_users username. The problem occurs either way.
The Manage/index_html page template loads up lots of JavaScript. It fills a select box with a list of URL paths to SearchableCompany ZClass instances that the user has the Owner role on.
On the client, when the user selects one of these items, the client JavaScript builds an XML-RPC request by taking the URL path of the SearchableCompany and calling the CompanyRequest_py method on it via XML-RPC.
In Zope, after xmlrpc.py decodes the request, we get a path like:
/AdkWood/CMF/Members/bkc/mycompany/CompanyRequest_py
I can load the above URL in the same browser instance that had previously authenticated to Zope to get the /Manage/index_html page (cached cookie), and the request is processed correctly.
However, when I use XML-RPC to call the method, I get an "Unauthorized, no authentication header found" error.
(about line 405 in BaseRequest.py)

    if user is None and roles != UNSPECIFIED_ROLES:
        response.unauthorized()
Lots of print statements later, I find that user is None, and roles = ['Owner','Manager']
Using tcpwatch.py, I see that the XML-RPC request DOES include the authentication cookie previously received through the login process. It just doesn't seem to be honored by the higher level old_validation() methods.
This is strange because the same browser instance, using the same cookie, can directly navigate to the same URL that the XML-RPC request is sending.
As a quick hack, I changed vxXMLRPC (the XML-RPC JavaScript client) to send Basic authentication information in every request. When I do this, the XML-RPC method does work. However, I'd rather not use it this way.
So my question is: is it possible this is a cookie-crumbler issue because my ZClass instances are "inside" CMF, or is this somehow dependent on XML-RPC processing not working quite right on the server? Or maybe this is related to authenticating first to the /CMF/Manage folder, but then using the same auth cookie through /CMF/Members/...? However, I think this wouldn't be an issue.
Brad Clements, bkc@murkworks.com (315)268-1000
http://www.murkworks.com (315)268-9812 Fax
AOL-IM: BKClements
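The post narrows the problem down by comparing three request shapes against the same method: a browser request carrying the login cookie, an XML-RPC request carrying that same cookie, and an XML-RPC request carrying Basic auth. Below is an added example (not Brad's code, and not Zope's or CMF's) that reproduces that comparison on one machine, from the server's point of view rather than from a tcpwatch capture: a stand-in XML-RPC server classifies which credential each request actually carried and answers 401 when it recognises none, and a client transport sends a cookie, a Basic header, or nothing. The cookie name `__ac` is the CMF CookieCrumbler default; the user name, password, cookie value, the `whoami` method and the 401 stand-in for Zope's `response.unauthorized()` are all constructed for the demo.

```python
"""Added example (not from the post, Zope or CMF): a minimal XML-RPC server
that reports which credential a request carried, plus a client transport
that sends a session cookie, HTTP Basic auth, or nothing, so the three
request shapes discussed in the post can be compared on one machine.
'__ac' is the CMF CookieCrumbler cookie name; user, password and cookie
value are constructed demo data."""
import base64
import threading
from xmlrpc.client import ProtocolError, ServerProxy, Transport
from xmlrpc.server import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer

USERS = {"bkc": "s3cret"}                        # constructed demo credentials
SESSION_COOKIES = {"demo-session-token": "bkc"}  # constructed cookie -> user


def classify_auth(headers):
    """Return ('basic', user), ('cookie', user) or (None, None).

    `headers` is any mapping with a get(), e.g. the http.client.HTTPMessage a
    request handler exposes as self.headers (case-insensitive there).  A Basic
    Authorization header is checked first; the cookie is only consulted when
    no valid Basic header is present.
    """
    auth = headers.get("Authorization", "") or ""
    if auth.lower().startswith("basic "):
        try:
            decoded = base64.b64decode(auth[6:].strip()).decode()
        except (ValueError, UnicodeDecodeError):
            return (None, None)
        user, _, password = decoded.partition(":")
        if USERS.get(user) == password:
            return ("basic", user)
        return (None, None)
    for part in (headers.get("Cookie", "") or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "__ac" and value in SESSION_COOKIES:
            return ("cookie", SESSION_COOKIES[value])
    return (None, None)


class AuthReportingHandler(SimpleXMLRPCRequestHandler):
    """Stand-in for the server-side check: 401 when no credential is
    recognised, otherwise record what was used and dispatch normally."""

    def do_POST(self):
        kind, user = classify_auth(self.headers)
        if kind is None:
            # Constructed equivalent of the "no authentication header" refusal.
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="demo"')
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        self.server.current_auth = (kind, user)
        super().do_POST()


class HeaderTransport(Transport):
    """Client transport that adds fixed headers to every XML-RPC POST."""

    def __init__(self, extra_headers):
        super().__init__()
        self.extra = list(extra_headers)

    def send_headers(self, connection, headers):
        super().send_headers(connection, list(headers) + self.extra)


def start_server():
    server = SimpleXMLRPCServer(("127.0.0.1", 0), requestHandler=AuthReportingHandler,
                                logRequests=False)
    server.current_auth = (None, None)
    # Exposed method: tells the caller how its own request authenticated.
    server.register_function(lambda: list(server.current_auth), "whoami")
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def call_whoami(port, extra_headers):
    """Call whoami with the given headers; return [kind, user] or the HTTP status."""
    proxy = ServerProxy("http://127.0.0.1:%d/RPC2" % port,
                        transport=HeaderTransport(extra_headers))
    try:
        return proxy.whoami()
    except ProtocolError as err:
        return err.errcode


def run_demo():
    """Send the three request shapes from the post and collect the results."""
    server = start_server()
    port = server.server_address[1]
    basic = "Basic " + base64.b64encode(b"bkc:s3cret").decode()
    try:
        return {
            "cookie": call_whoami(port, [("Cookie", "__ac=demo-session-token")]),
            "basic": call_whoami(port, [("Authorization", basic)]),
            "none": call_whoami(port, []),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for shape, result in run_demo().items():
        print(shape, "->", result)
```

Overriding `Transport.send_headers` is what lets the client attach a `Cookie` header to the XML-RPC POST, the same thing the browser does implicitly; putting the classification in one function the handler calls before dispatch makes it easy to log, per request, whether the cookie or the Basic header was the credential actually honoured, which is the question the post is trying to answer for Zope.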