[Zope-PAS] Re: challenge branch ready for review
Zachery Bir
zbir at urbanape.com
Thu Oct 14 07:14:18 EDT 2004
On 2004-10-14 06:00:09 -0400, Lennart Regebro
<regebro at nuxeo.com> said:
> Zachery Bir wrote:
>> I've got a working implementation of PAS on
>> pre-1_0_3-zbir-challenge-branch that exercises:
>>
>> - the CookieAuthHelper plugin (very rudimentary, not as smart as
>> CookieCrumbler)
>>
>> - the HTTPBasicAuthHelper
>>
>> - the new challenge machinery discussed here that limits players in
>> a given challenge to plugins that support the same protocol
>>
>> We've also got tests that exercise nested PAS instances, showing that
>> PASes that can't or don't participate in a challenge will delegate it
>> up the request chain and allow other PASes (or even the ZPublisher) to
>> challenge.
>>
>> Please take a look and let me know what you think. I'd like to merge
>> this to the head and then start on the ID mangling (coming, Jens, I
>> promise ;^)).
>
> This only overrides _unauthorized(), which means that _exception() will
> then later in the chain perform an HTTP Basic auth no matter what. You
> need to override _exception *and* _unauthorized, like is done in HEAD
> for the moment.

No, you don't. RESPONSE.exception() calls RESPONSE._unauthorized, which
we already trap and we do the challenge there. Go look at the code in
HTTPResponse.

Zac
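
Added example, not part of the original message and not PAS or ZPublisher code: a simplified Python model of the thread's two points, that trapping `_unauthorized()` alone changes the challenge because `exception()` routes through it, and that one challenge stays within a single protocol while a PAS that does not participate delegates upward. All class names, the `/login_form` target and the "first participating plugin fixes the protocol" rule are assumptions made for illustration.

```python
# Simplified model; every name here is hypothetical, not the PAS API.
class Response:
    def __init__(self):
        self.status, self.headers = 200, {}

    def _unauthorized(self):  # publisher default: HTTP Basic challenge
        self.headers["WWW-Authenticate"] = 'basic realm="Zope"'

    def exception(self):
        # The unauthorized path goes through _unauthorized(), so replacing
        # that one hook is enough to take over the challenge.
        self.status = 401
        self._unauthorized()

class Plugin:
    def __init__(self, protocol, participates, apply):
        self.protocol, self.participates, self.apply = protocol, participates, apply

    def challenge(self, response):
        if self.participates:
            self.apply(response)
        return self.participates

class PAS:
    def __init__(self, plugins):
        self.plugins, self.parent_hook = plugins, None

    def install(self, response):
        self.parent_hook = response._unauthorized  # outer PAS or publisher
        response._unauthorized = lambda: self.challenge(response)

    def challenge(self, response):
        protocol = None
        for p in self.plugins:
            if protocol is not None and p.protocol != protocol:
                continue  # plugins of another protocol sit this one out
            if p.challenge(response):
                protocol = p.protocol
        if protocol is None:
            self.parent_hook()  # nobody challenged: delegate up the chain
        return protocol

def cookie(resp):  # constructed redirect target
    resp.status, resp.headers["Location"] = 302, "/login_form"

def basic(resp):
    resp.headers["WWW-Authenticate"] = 'basic realm="PAS"'

def run(outer_plugins, inner_plugins):
    r = Response()
    PAS(outer_plugins).install(r)
    PAS(inner_plugins).install(r)  # installed last, so it is asked first
    r.exception()
    return r.status, r.headers
```

When auditing a setup like this, the case to check is the last fallback: if no plugin in any PAS participates, the response ends up with the publisher's HTTP Basic challenge.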