[Zope-PAS] challenge branch ready for review
Lennart Regebro
regebro at nuxeo.com
Thu Oct 14 08:38:27 EDT 2004
Mark Hammond wrote:
>> This only overrides _unauthorized(), which means that _exception() will
>> then later in the chain perform a HTTP Basic auth no matter what. You
>> need to override _exception *and* _unauthorized, as is done in HEAD
>> for the moment.
>
> Are you sure about that? I could disable all HTTP auth with that branch.
>
> It is response._unauthorized which sets up this authentication, and that is
> exactly what we override.
response._unauthorized adds one header. That's what the branch
overrides. Most of the challenge setup is done in _exception(), really.
response._unauthorized does not set the header status, exception() does;
it does not set the body, exception() does, and so on.
We can prevent exception() from setting the status by setting
response._locked_status = 1 in the plugins. Not exactly obvious, but it
can be documented. But we can't prevent it from setting the body.
That means the only challenges possible are redirects or adding more
Authentication headers.
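To make the ordering problem concrete, here is an added toy model of the flow described in this message. It is not Zope's code and not part of the PAS branch under review: ToyResponse only mirrors the attribute and method names the message uses (_unauthorized, exception, _locked_status), and the assumption that setStatus() honours _locked_status is part of the model, as is the hypothetical /login_form URL. The example shows that a challenge plugin which only replaces _unauthorized can turn the 401 into a redirect when it also locks the status, but cannot stop exception() from writing the body.

```python
"""Toy model of the challenge flow: which step sets header, status and body.

Added illustration, NOT Zope's HTTPResponse. Names follow the mailing-list
message; behaviour is a simplified model of what it describes.
"""


class ToyResponse:
    def __init__(self):
        self.status = 200
        self.headers = {}
        self.body = ""
        # Model assumption: a truthy _locked_status makes setStatus() a no-op.
        self._locked_status = 0

    def setStatus(self, status):
        if self._locked_status:
            return
        self.status = status

    def setHeader(self, name, value):
        self.headers[name] = value

    def setBody(self, body):
        self.body = body

    def redirect(self, location):
        self.setStatus(302)
        self.setHeader("Location", location)

    def _unauthorized(self):
        # As the message says: this step adds a single header, nothing more.
        self.setHeader("WWW-Authenticate", 'basic realm="Zope"')

    def exception(self):
        # The rest of the challenge lives here: call the (possibly overridden)
        # _unauthorized, then set status and body. The body is unconditional.
        self._unauthorized()
        self.setStatus(401)
        self.setBody("<html>Unauthorized</html>")
        return self


def stock_challenge():
    """No plugin involved: classic HTTP Basic challenge."""
    return ToyResponse().exception()


def plugin_challenge(lock_status):
    """A challenge plugin that overrides only response._unauthorized.

    It issues a redirect to a hypothetical login form and, if lock_status
    is true, sets response._locked_status = 1 so exception() cannot
    overwrite the 302 with a 401. The body is still written by exception().
    """
    resp = ToyResponse()

    def redirect_challenge():
        resp.redirect("/login_form")  # hypothetical login form URL
        if lock_status:
            resp._locked_status = 1

    resp._unauthorized = redirect_challenge  # instance-level override
    return resp.exception()


if __name__ == "__main__":
    for label, resp in (
        ("stock", stock_challenge()),
        ("plugin, status locked", plugin_challenge(True)),
        ("plugin, status not locked", plugin_challenge(False)),
    ):
        print(label, resp.status, resp.headers, repr(resp.body))
```

Run stand-alone, the script prints one line per scenario; the locked case keeps the 302 and Location header while still carrying the "Unauthorized" body, and the unlocked case loses the redirect status to exception()'s 401.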