[Zope-PAS] Re: New IChallengePlugin interface
Jim Fulton
jim at zope.com
Mon Oct 4 13:30:48 EDT 2004
Zachery Bir wrote:
> On 2004-10-04 13:12:45 -0400, Jim Fulton <jim at zope.com> said:
>
>>> But if the protocol is being assigned on the individual plugin, why
>>> not leverage that and just return it or None? Why make PAS turn right
>>> around and say, "Okay, you fired. Now who are you again?"
>>
>>
>> Because there was a desire (on IRC) to make the plugin as
>> simple as possible. <shrug>
>
>
> I'll buy that :^)
>
>>> I thought we agreed that PAS would work like this (adapted from the
>>> example you gave earlier to be inline with the IRC discussion):
>>>
>>> # PAS challenge algorithm:
>>> protocol_group = None
>>> for challenger in challengers:
>>>     if protocol_group and challenger.protocol != protocol_group:
>>>         continue
>>>     protocol_group = challenger.challenge(request, response)
>>>
>>> if protocol is None:
>>>     # no challengers fired
>>>     ... do fallback thing
>>
>>
>> We didn't get that specific, but we decided to take protocol out
>> of the signature, which means out of the return value as well.
>
>
> Okay, fair 'nuff. How's this:
>
> class IChallengePlugin( Interface ):
>
>     """ Initiate a challenge to the user to provide credentials.
>
>         Challenge plugins have an attribute 'protocol' representing
>         the protocol the plugin operates under, defaulting to None.
>
>         Plugins operating under the same protocol will all be given an
>         attempt to fire. The first plugin of a protocol group that
>         successfully fires establishes the protocol of the overall
>         challenge.
>     """
>
>     def challenge( request, response ):
>
>         """ Assert via the response that credentials will be gathered.
>
>         Takes a REQUEST object and a RESPONSE object.
>
>         Returns True if it fired, False otherwise.
>
>         Two common ways to initiate a challenge:
>
>           - Add a 'WWW-Authenticate' header to the response object.
>
>             NOTE: add, since the HTTP spec specifically allows for
>             more than one challenge in a given response.
>
>           - Cause the response object to redirect to another URL (a
>             login form page, for instance)
>         """
>
> We'll need to hammer out the implementation, then, because I don't see
> how Lennart's implementation would work, even with your additions.
FWIW, later today, or tomorrow, I'll post a Zope 3 PAS implementation
that will include an implementation of this scheme.
Jim
--
Jim Fulton mailto:jim at zope.com Python Powered!
CTO (540) 361-1714 http://www.python.org
Zope Corporation http://www.zope.com http://www.zope.org
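
Added example (not part of the original message, and not the Zope PAS implementation): a sketch of how a dispatcher could drive the boolean-returning `IChallengePlugin` proposed above, so that only one protocol group ever writes to a response. `Response`, `BasicAuthChallenger`, `LoginFormChallenger` and `run_challenge` are hypothetical names, and the request is a constructed dict.

```python
class Response:
    """Minimal stand-in for a RESPONSE object (constructed for this example)."""
    def __init__(self):
        self.status = 200
        self.headers = []              # list of pairs, so a header can repeat

    def add_header(self, name, value):
        self.headers.append((name, value))

    def redirect(self, url):
        self.status = 302
        self.add_header("Location", url)


class BasicAuthChallenger:
    protocol = "http"

    def __init__(self, realm):
        self.realm = realm

    def challenge(self, request, response):
        response.status = 401
        # add, not set: several challenges may share one response
        response.add_header("WWW-Authenticate", 'Basic realm="%s"' % self.realm)
        return True


class LoginFormChallenger:
    protocol = "form"

    def challenge(self, request, response):
        if request.get("client") != "browser":
            return False               # declines to fire
        response.redirect("/login_form")
        return True


def run_challenge(challengers, request, response):
    """Return (fired, protocol); protocol is that of the first plugin to fire."""
    fired, active = False, None        # separate flag: a protocol may itself be None
    for plugin in challengers:
        if fired and plugin.protocol != active:
            continue                   # another protocol group owns the response
        if plugin.challenge(request, response):
            fired, active = True, plugin.protocol
    return fired, active
```

Keeping a separate `fired` flag matters because the interface lets `protocol` default to None, so the protocol value alone cannot tell "nothing fired" from "a protocol-less plugin fired".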