[Zope-PAS] [RFC] PAS extractor failure behavior
Jens Vagelpohl
jens at dataflake.org
Tue Nov 23 06:07:32 EST 2004
>> My question is about the "fallback" behavior in
>> PAS._extractCredentials. If there were registered extractors but they
>> all failed to return anything (like when the CookieAuthHelper gives
>> up in the scenario above) an "emergency extractor" is used. So I get a
>> standard auth box, but only emergency users can log in. Why can't
>> this be a normal DumbHTTPExtractor that accepts any valid credentials
>> instead?
>
> This should only happen if something is incorrectly configured, and in
> that case the only one you want to log in is the emergency user, so you
> can fix it. The reason is that you don't want a sudden error to break
> the security requirements you have. If you for example normally do not
> allow SimpleAuth, you don't want it to suddenly become implicitly
> allowed because there is an error.
You're right, that makes a lot of sense. The specific problem here, the
failure of the CookieAuthHelper to provide the login_form to Anonymous,
is indeed a sign of misconfiguration.
jens
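The fail-closed fallback discussed in this thread, modelled as a small Python example. This is added illustrative code, not Zope PAS source and not code posted by either participant; the names CookieAuthExtractor, DumbHTTPExtractor, EmergencyExtractor, extract_and_authenticate, NORMAL_USERS and EMERGENCY_USERS, and the dict-based user stores, are assumptions made for the demonstration. It runs the same two requests through both fallback policies so the difference is visible: with a permissive fallback, a cookie-helper misconfiguration silently lets ordinary users in over the auth box; with an emergency-only fallback, the same misconfiguration admits only the emergency user.

```python
"""Constructed model of PAS-style credential extraction with a fallback.

Illustrative code written for this page, not Zope PAS source. Class and
function names and the dict user stores are assumptions; Zope keeps the
real emergency user in the 'access' file and normal users in plugins.
"""
import base64
import hmac
from typing import Optional

# Hypothetical account stores (constructed sample data).
NORMAL_USERS = {"alice": "wonderland"}
EMERGENCY_USERS = {"emergency": "break-glass"}


def basic_header(login: str, password: str) -> str:
    """Build an HTTP Basic Authorization header for a constructed request."""
    return "Basic " + base64.b64encode(f"{login}:{password}".encode()).decode()


def parse_basic(header: Optional[str]) -> Optional[dict]:
    """Turn a Basic Authorization header into {'login', 'password'}, or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    login, sep, password = raw.partition(":")
    return {"login": login, "password": password} if sep else None


class CookieAuthExtractor:
    """Reads credentials from a session cookie. No cookie means it 'gives up'
    and returns None, the situation the thread describes."""
    def extract(self, request: dict) -> Optional[dict]:
        cookie = request.get("cookies", {}).get("__ac")
        return parse_basic("Basic " + cookie) if cookie else None


class DumbHTTPExtractor:
    """Accepts Basic auth from any request; credentials go to the normal store.
    This is the permissive fallback the question asks about (fail-open)."""
    emergency_only = False

    def extract(self, request: dict) -> Optional[dict]:
        return parse_basic(request.get("Authorization"))


class EmergencyExtractor(DumbHTTPExtractor):
    """Same auth box, but credentials are checked only against emergency users
    (fail-closed: a misconfiguration cannot widen who may log in)."""
    emergency_only = True


def _check(creds: dict, store: dict) -> Optional[str]:
    """Return the login if the password matches the store, else None."""
    expected = store.get(creds["login"])
    if expected is None or not hmac.compare_digest(expected, creds["password"]):
        return None
    return creds["login"]


def extract_and_authenticate(request: dict, extractors: list, fallback) -> Optional[str]:
    """Run registered extractors in order; if none returns credentials, use
    `fallback`. Returns the authenticated login or None."""
    for extractor in extractors:
        creds = extractor.extract(request)
        if creds:
            return _check(creds, NORMAL_USERS)
    creds = fallback.extract(request)
    if not creds:
        return None
    store = EMERGENCY_USERS if fallback.emergency_only else NORMAL_USERS
    return _check(creds, store)


def demo(fallback) -> dict:
    """Misconfigured setup: only a cookie extractor is registered and no request
    carries a cookie, so every request hits the fallback. Returns who each
    constructed request logs in as under the given fallback policy."""
    extractors = [CookieAuthExtractor()]
    alice_req = {"Authorization": basic_header("alice", "wonderland")}
    emergency_req = {"Authorization": basic_header("emergency", "break-glass")}
    return {
        "alice": extract_and_authenticate(alice_req, extractors, fallback),
        "emergency": extract_and_authenticate(emergency_req, extractors, fallback),
    }


if __name__ == "__main__":
    print("fail-open  :", demo(DumbHTTPExtractor()))
    print("fail-closed:", demo(EmergencyExtractor()))
```

With the permissive fallback, alice is authenticated although the cookie helper that was supposed to gate logins never ran; with the emergency-only fallback she is refused and only the emergency account can get in to repair the configuration.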