[Zope-dev] Questions and suggestions for PAS and BasicRequest.
Lennart Regebro
regebro at nuxeo.com
Tue Aug 31 08:18:49 EDT 2004
Background for zope-dev:
Me, Tino and Zach have been discussing and working a bit on PAS, to fix
the problems I had last week. Most have now been fixed. Some new ones
arrived instead. :)
The two first have to do with both Zope and PAS:

1. The challenge() currently requires you to either raise a Redirect or
an Authenticated exception, to go to a login-page or get a login-box.
This is because if you just return from challenge without any exception
BasicRequest will later raise unauthorized. This means you can not do
response.setBody() or even response.redirect().

One possible solution for this is to NOT provoke the challenge from the
user folder's verify() method, but challenge from Response.unauthorized().
2. I would assume that a redirecting challenge will redirect a webdav
client too. That is a bad idea, and needs to be taken care of (by PAS I
assume, but not 100% sure how).
These further two are more PAS specific:
3. If you have a PAS in the Zope root, and you have a broken challenge
plugin, you may not be able to log in at all. This also needs to be
taken care of in one way or another. One way could be to always allow
username:password@url authentication for the emergency user. Other ideas
could be to have some setting to disable challenges and restart the
server, or something like that.
4. The only plugin to actually do any proper challenges as of today, is
my newly created CAS-plugin. Question: Do you want that as a part of
PAS? I can simply check it in there. Otherwise it will become a separate
product.
//Lennart