[Zope-PAS] challenge branch ready for review

[Mark Hammond]

> This only overrides _unauthorized(), which means that
> _exception() will
> then later in the chain perform a HTTP Basic auth no matter what. You
> need to override _exception *and* _unauthorized, like is done in HEAD
> for the moment.

Are you sure about that?  I could disable all HTTP auth with that branch.

It is response._unauthorized which sets up this authentication, and that is
exactly what we override.  I don't believe there was any reason to override
_exception/

Mark.