[Zope-PAS] Re: New IChallengePlugin interface

Jim Fulton jim at zope.com
Mon Oct 4 13:12:45 EDT 2004


Zachery Bir wrote:
> On 2004-10-04 12:06:14 -0400, Jim Fulton <jim at zope.com> said:
> 
>> Zachery Bir wrote:
>>
>>> Since we don't specify attribute interfaces in Zope 2, I've left it 
>>> in the docs of IChallengePlugin.
>>>
>>> class IChallengePlugin( Interface ):
>>>
>>>    """ Initiate a challenge to the user to provide credentials.
>>>
>>>        Challenge plugins have an attribute 'protocol' representing
>>>        the protocol the plugin operates under. Plugins operating
>>>        under the same protocol will all be given an attempt to
>>>        fire. The first plugin of a protocol group that successfully
>>>        fires establishes the protocol of the overall challenge. By
>>>        default, the protocol should be the id of the plugin, which
>>>        means if it fires, it fires alone.
>>>    """
>>>
>>>    def challenge( request, response ):
>>>
>>>        """ Assert via the response that credentials will be gathered.
>>>
>>>        Takes a REQUEST object and a RESPONSE object, and returns
>>>        either self.protocol if it fires, or None.
>>>
>>>        Two common ways to initiate a challenge:
>>>
>>>          - Add a 'WWW-Authenticate' header to the response object.
>>>
>>>            NOTE: add, since the HTTP spec specifically allows for
>>>            more than one challenge in a given response.
>>>
>>>          - Cause the response object to redirect to another URL (a
>>>            login form page, for instance)
>>>        """
>>
>>
>> I think this is still not right.
>>
>> The plugin returns a boolean.  It's the PAS's job to figure out
>> the protocol, based on the protocol of the first plugin to fire.
> 
> 
> But if the protocol is being assigned on the individual plugin, why not 
> leverage that and just return it or None? Why make PAS turn right around 
> and say, "Okay, you fired. Now who are you again?"

Because there was a desire (on IRC) to make the plugin as
simple as possible. <shrug>

> I thought we agreed that PAS would work like this (adapted from the 
> example you gave earlier to be inline with the IRC discussion):
> 
>    # PAS challenge algorithm:
>    protocol_group = None
>    for challenger in challengers:
>        if protocol_group and challenger.protocol != protocol_group:
>            continue
>        protocol_group = challenger.challenge(request, response)
> 
>    if protocol_group is None:
>        # no challengers fired
>        ... do fallback thing

We didn't get that specific, but we decided to take protocol out
of the signature, which means out of the return value as well.

> Which suggests to me that PAS doesn't need to keep additional track of 
> stuff. It looks like you're suggesting something like this:

I'm suggesting something along the lines of what Lennart posted.

Note that with that, the plugins don't really need to be aware of
protocols unless they happen to play with one.

Jim

-- 
Jim Fulton           mailto:jim at zope.com       Python Powered!
CTO                  (540) 361-1714            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org
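
A sketch of the boolean-return design discussed in this message, as an added example that is not part of the original post or of PluggableAuthService code: the dispatcher reads each plugin's protocol (falling back to its id) and locks the group to the first plugin that fires. Response, HeaderChallenger, LoginFormChallenger and run_challenge are hypothetical names, and the header values are constructed.

```python
# Added illustration; every name here is hypothetical, not PAS's own code.

class Response:
    """Minimal stand-in for a RESPONSE object (constructed for this example)."""
    def __init__(self):
        self.headers = []          # (name, value) pairs; repeats are allowed
        self.redirect_to = None

    def addHeader(self, name, value):
        self.headers.append((name, value))

    def redirect(self, url):
        self.redirect_to = url


class HeaderChallenger:
    """Adds a WWW-Authenticate header; plugins sharing 'http' may all fire."""
    protocol = "http"

    def __init__(self, id, scheme, enabled=True):
        self.id, self.scheme, self.enabled = id, scheme, enabled

    def challenge(self, request, response):
        if not self.enabled:
            return False           # declined: did not fire
        response.addHeader("WWW-Authenticate", '%s realm="Zope"' % self.scheme)
        return True


class LoginFormChallenger:
    """No 'protocol' attribute: the dispatcher uses its id, so it fires alone."""
    id = "login_form"

    def challenge(self, request, response):
        response.redirect("/login_form")
        return True


def run_challenge(challengers, request, response):
    """Return the protocol of the overall challenge, or None if nobody fired."""
    active = None
    for plugin in challengers:
        protocol = getattr(plugin, "protocol", plugin.id)
        if active is not None and protocol != active:
            continue               # a different protocol group already fired
        fired = plugin.challenge(request, response)   # plugin returns a boolean
        if fired and active is None:
            active = protocol      # first plugin to fire sets the protocol
    return active
```

Because the dispatcher, not the plugin, tracks the active protocol, a later plugin that declines cannot reset the group, and a redirect-based challenger is skipped once a header-based group has fired.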