[Zope-PAS] Challengers (and Zope 3)

Lennart Regebro regebro at nuxeo.com
Fri Oct 1 04:23:35 EDT 2004


Mark Hammond wrote:
> """
> This scheme differs from most "normal" HTTP authentication mechanisms, in
> that subsequent requests over the authenticated connection are not
> themselves authenticated; NTLM is connection-oriented, rather than
> request-oriented. So a second request for "/index.html" would not carry any
> authentication information, and the server would request none. If the server
> detects that the connection to the client has been dropped, a request for
> "/index.html" would result in the server reinitiating the NTLM handshake.
> """

Urg...

> So somehow I need to remember the credentials on a per-connection basis.  At
> the moment, the example has localized (presumably Zope2 specific) code that
> sticks objects directly in the asynchat channel object!
> 
> If we predict that NTLM is the only auth scheme that will face that issue,
> it can obviously remain the problem of whoever is implementing NTLM.
> Otherwise, it would be wonderful for PAS to offer some assistance for
> implementors of such schemes.

One easy way would be to use the credentials to authenticate, but then 
remember who the user is with a session...
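The two ways of remembering an authenticated user discussed in this message, per connection and per session, side by side as an added example (not part of the original post and not PAS or Zope code). All class and function names are hypothetical, and `handshake_user` is a constructed stand-in for the result of a completed NTLM handshake.

```python
import secrets
import time

class ConnectionAuthCache:
    """Per-connection memory: identity lives only as long as the connection."""
    def __init__(self):
        self._users = {}
    def remember(self, conn_id, user):
        self._users[conn_id] = user
    def lookup(self, conn_id):
        return self._users.get(conn_id)
    def closed(self, conn_id):
        # Drop state on close so a later connection cannot inherit the identity.
        self._users.pop(conn_id, None)

class SessionStore:
    """Per-session memory: identity follows an unguessable token with an expiry."""
    def __init__(self, ttl=900):
        self._ttl = ttl
        self._sessions = {}
    def issue(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, now + self._ttl)
        return token
    def lookup(self, token, now=None):
        now = time.time() if now is None else now
        user, expires = self._sessions.get(token, (None, 0))
        if user is None or now >= expires:
            self._sessions.pop(token, None)  # forget expired or unknown tokens
            return None
        return user

def identify(conns, sessions, conn_id, token=None, handshake_user=None):
    """Return (user, token); user None means the server must challenge again."""
    user = sessions.lookup(token) if token else None
    if user is None:
        token = None
        # Fall back to the connection, then to a freshly completed handshake.
        user = conns.lookup(conn_id) or handshake_user
        if user is not None:
            conns.remember(conn_id, user)
            token = sessions.issue(user)  # session survives a dropped connection
    return user, token
```

With only the connection cache, a request on a new connection has no identity and triggers a new handshake; with the session token, the same request is recognised without one.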


