[Zope-PAS] Re: New IChallengePlugin interface

Jim Fulton jim at zope.com
Mon Oct 4 13:30:48 EDT 2004


Zachery Bir wrote:
> On 2004-10-04 13:12:45 -0400, Jim Fulton <jim at zope.com> said:
> 
>>> But if the protocol is being assigned on the individual plugin, why 
>>> not leverage that and just return it or None? Why make PAS turn right 
>>> around and say, "Okay, you fired. Now who are you again?"
>>
>>
>> Because there was a desire (on IRC) to make the plugin as
>> simple as possible. <shrug>
> 
> 
> I'll buy that :^)
> 
>>> I thought we agreed that PAS would work like this (adapted from the 
>>> example you gave earlier to be inline with the IRC discussion):
>>>
>>>    # PAS challenge algorithm:
>>>    protocol_group = None
>>>    for challenger in challengers:
>>>        if protocol_group and challenger.protocol != protocol_group:
>>>            continue
>>>        protocol_group = challenger.challenge(request, response)
>>>
>>>    if protocol_group is None:
>>>        # no challengers fired
>>>        ... do fallback thing
>>
>>
>> We didn't get that specific, but we decided to take protocol out
>> of the signature, which means out of the return value as well.
> 
> 
> Okay, fair 'nuff. How's this:
> 
> class IChallengePlugin( Interface ):
> 
>    """ Initiate a challenge to the user to provide credentials.
> 
>        Challenge plugins have an attribute 'protocol' representing
>        the protocol the plugin operates under, defaulting to None.
> 
>        Plugins operating under the same protocol will all be given an
>        attempt to fire. The first plugin of a protocol group that
>        successfully fires establishes the protocol of the overall
>        challenge.
>    """
> 
>    def challenge( request, response ):
> 
>        """ Assert via the response that credentials will be gathered.
> 
>        Takes a REQUEST object and a RESPONSE object.
> 
>        Returns True if it fired, False otherwise.
> 
>        Two common ways to initiate a challenge:
> 
>          - Add a 'WWW-Authenticate' header to the response object.
> 
>            NOTE: add, since the HTTP spec specifically allows for
>            more than one challenge in a given response.
> 
>          - Cause the response object to redirect to another URL (a
>            login form page, for instance)
>        """
> 
> We'll need to hammer out the implementation, then, because I don't see 
> how Lennart's implementation would work, even with your additions.

FWIW, later today, or tomorrow, I'll post a Zope 3 PAS implementation
that will include an implementation of this scheme.

Jim

-- 
Jim Fulton           mailto:jim at zope.com       Python Powered!
CTO                  (540) 361-1714            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org
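
The dispatch loop that the proposed IChallengePlugin docstring implies, written out as an added example; it is not code from this thread or from any PAS implementation. The `Response` stand-in, the two plugin classes, the `run_challenge` name and the "http"/"form" protocol values are hypothetical, and a sentinel is assumed so that "nothing fired" stays distinct from a plugin whose `protocol` is None.

```python
# Added illustration; every class and function name below is hypothetical.
_NOT_FIRED = object()  # sentinel: a plugin's 'protocol' may itself be None


class Response:
    """Minimal stand-in for a Zope RESPONSE (constructed for this example)."""
    def __init__(self):
        self.headers = []        # a list, so several WWW-Authenticate values fit
        self.redirect_to = None


class HeaderChallenger:
    protocol = "http"            # all header-based challengers share one group

    def __init__(self, scheme, enabled=True):
        self.scheme, self.enabled = scheme, enabled

    def challenge(self, request, response):
        if not self.enabled:
            return False         # did not fire
        # Simplified header value; *add* rather than replace, per the docstring.
        response.headers.append(("WWW-Authenticate", '%s realm="Zope"' % self.scheme))
        return True


class FormChallenger:
    protocol = "form"

    def challenge(self, request, response):
        response.redirect_to = "/login_form"
        return True


def run_challenge(challengers, request, response):
    """Return (fired, protocol) for the first protocol group that fires."""
    active = _NOT_FIRED
    for plugin in challengers:
        protocol = getattr(plugin, "protocol", None)
        if active is not _NOT_FIRED and protocol != active:
            continue             # another protocol already owns this response
        if plugin.challenge(request, response) and active is _NOT_FIRED:
            active = protocol    # first plugin to fire establishes the protocol
    if active is _NOT_FIRED:
        return False, None       # caller performs the fallback challenge
    return True, active
```

Once a header-based plugin has fired, the form plugin is skipped, so a single response never carries both a redirect and a WWW-Authenticate challenge.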

