[Zope-dev] XMLRPC and Basic Auth problems

Tim Hoffman timhoffman@cams.wa.gov.au
15 Aug 2002 10:47:07 +0800


Hi

I am working on a project that uses XWT (xwt.org) as a frontend to Zope.

XWT uses XMLRPC to communicate with a backend (in this case Zope).

XWT expects an Error 401 if authentication is required on an XMLRPC
call, so that it can negotiate the correct auth method.

The author of XWT sent the following email to me:

>Tim, I've got a piece of the answer -- your server needs to return an
>HTTP 401 (Unauthorized) if no username/password is provided. This
>response includes the challenge that XWT needs in order to build an
>authentication request (realm, digest nonce challenge, etc).

However what Zope is doing is sending back a <fault> in the 
XMLRPC <methodResponse> packet. 

So it appears to me that Zope doesn't send an HTTP response 401 for
XMLRPC (over HTTP), but will send a 401 back to the browser.

XMLRPC doesn't say anything about authentication, so I suppose either
method is acceptable. However, because XMLRPC is implemented
on top of HTTP, I would have thought an HTTP approach (i.e. error 401)
would be used.

It appears that this behaviour is fundamental to Zope and is not an
artifact of cookie auth in CMF etc.

Is this really correct behaviour?

Regards

Tim Hoffman
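
The two ways of signalling "authentication required" discussed in the message above, as an added example that is not part of the original post or of Zope or XWT. It shows what a client can recover from each kind of reply. The function name classify, the header values and the fault code and string are constructed for illustration and are not Zope's actual output.

```python
# Added example, not from the original post. All response data is constructed.
import urllib.request
import xmlrpc.client


def classify(status, headers, body):
    """Report how an XML-RPC-over-HTTP reply signals that auth is required."""
    headers = {k.lower(): v for k, v in headers.items()}
    if status == 401:
        # HTTP-level signal: the challenge carries what the client needs
        # (scheme, realm, and for Digest the nonce) to build its next request.
        scheme, _, params = headers.get("www-authenticate", "").partition(" ")
        fields = urllib.request.parse_keqv_list(
            urllib.request.parse_http_list(params))
        return {"signal": "http-401", "scheme": scheme, "challenge": fields}
    try:
        result, _ = xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as fault:
        # XML-RPC-level signal: the HTTP status is still 200 and there is no
        # challenge, so an HTTP auth client has nothing to negotiate with.
        return {"signal": "xmlrpc-fault", "code": fault.faultCode,
                "message": fault.faultString, "challenge": None}
    return {"signal": "ok", "result": result}


# Constructed sample replies: (status, headers, body).
CHALLENGE_REPLY = (
    401,
    {"WWW-Authenticate":
     'Digest realm="example", nonce="constructed-nonce", qop="auth"'},
    "",
)
FAULT_REPLY = (
    200,
    {"Content-Type": "text/xml"},
    xmlrpc.client.dumps(xmlrpc.client.Fault(1, "Unauthorized (constructed)"),
                        methodresponse=True),
)
OK_REPLY = (
    200,
    {"Content-Type": "text/xml"},
    xmlrpc.client.dumps(("pong",), methodresponse=True),
)

if __name__ == "__main__":
    for reply in (CHALLENGE_REPLY, FAULT_REPLY, OK_REPLY):
        print(classify(*reply))
```

Only the 401 reply yields a realm and nonce; the fault reply tells the client that the call was refused but gives it nothing from which to build an authentication request.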