[Zope-PAS] Re: New IChallengePlugin interface

Zachery Bir zbir at urbanape.com
Mon Oct 4 12:52:34 EDT 2004


On 2004-10-04 12:06:14 -0400, Jim Fulton <jim at zope.com> said:

> Zachery Bir wrote:
>> Since we don't specify attribute interfaces in Zope 2, I've left it in 
>> the docs of IChallengePlugin.
>> 
>> class IChallengePlugin( Interface ):
>> 
>>    """ Initiate a challenge to the user to provide credentials.
>> 
>>        Challenge plugins have an attribute 'protocol' representing
>>        the protocol the plugin operates under. Plugins operating
>>        under the same protocol will all be given an attempt to
>>        fire. The first plugin of a protocol group that successfully
>>        fires establishes the protocol of the overall challenge. By
>>        default, the protocol should be the id of the plugin, which
>>        means if it fires, it fires alone.
>>    """
>> 
>>    def challenge( request, response ):
>> 
>>        """ Assert via the response that credentials will be gathered.
>> 
>>        Takes a REQUEST object and a RESPONSE object, and returns
>>        either self.protocol if it fires, or None.
>> 
>>        Two common ways to initiate a challenge:
>> 
>>          - Add a 'WWW-Authenticate' header to the response object.
>> 
>>            NOTE: add, since the HTTP spec specifically allows for
>>            more than one challenge in a given response.
>> 
>>          - Cause the response object to redirect to another URL (a
>>            login form page, for instance)
>>        """
> 
> I think this is still not right.
> 
> The plugin returns a boolean.  It's the PAS's job to figure out
> the protocol, based on the protocol of the first plugin to fire.

But if the protocol is being assigned on the individual plugin, why not 
leverage that and just return it or None? Why make PAS turn right 
around and say, "Okay, you fired. Now who are you again?"

I thought we agreed that PAS would work like this (adapted from the 
example you gave earlier to be in line with the IRC discussion):

    # PAS challenge algorithm:
    protocol_group = None
    for challenger in challengers:
        if protocol_group and challenger.protocol != protocol_group:
            continue
        protocol_group = challenger.challenge(request, response)

    if protocol_group is None:
        # no challengers fired
        pass  # ... do fallback thing

Which suggests to me that PAS doesn't need to keep additional track of 
stuff. It looks like you're suggesting something like this:

    # PAS challenge algorithm:
    fired = False
    protocol_group = None
    for challenger in challengers:
        if fired and challenger.protocol != protocol_group:
            continue
        fired = challenger.challenge(request, response)
        if fired:
            protocol_group = challenger.protocol

    if protocol_group is None:
        # no challengers fired
        pass  # ... do fallback thing

Which is just a lot of other code to do the same thing, no?

Zac
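
A runnable sketch of the challenge loop discussed in this message, added here as an example and not code from the post or from PluggableAuthService. `FakeResponse`, `HeaderChallenger`, `RedirectChallenger` and `run_challenge` are hypothetical names; the loop uses the return-the-protocol variant and keeps the group once it is established, as the docstring describes, so WWW-Authenticate headers and a login-form redirect are never mixed in one response.

```python
class FakeResponse:
    """Hypothetical stand-in for a response: headers are added, not replaced."""
    def __init__(self):
        self.headers = []
        self.redirect_to = None

    def addHeader(self, name, value):
        self.headers.append((name, value))

    def redirect(self, url):
        self.redirect_to = url


class HeaderChallenger:
    """Adds a WWW-Authenticate header; several plugins may share a protocol."""
    def __init__(self, id, scheme, protocol=None, applies=True):
        self.id = id
        self.scheme = scheme
        self.protocol = protocol or id  # default: plugin id, so it fires alone
        self.applies = applies

    def challenge(self, request, response):
        if not self.applies:
            return None  # did not fire
        response.addHeader('WWW-Authenticate', self.scheme)
        return self.protocol


class RedirectChallenger:
    """Sends the user to a login form; its own protocol group."""
    id = protocol = 'login_form'

    def challenge(self, request, response):
        response.redirect('/login_form')  # constructed sample URL
        return self.protocol


def run_challenge(challengers, request, response):
    """Return the protocol group that fired, or None if no plugin fired."""
    protocol_group = None
    for challenger in challengers:
        if protocol_group and challenger.protocol != protocol_group:
            continue  # another group already owns this challenge
        fired = challenger.challenge(request, response)
        # a later same-group plugin that declines must not reset the group
        protocol_group = fired or protocol_group
    return protocol_group
```

A `None` result is the "no challengers fired" case in which PAS would do its fallback.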



