[Zope-PAS] Challenge implementation: Test results

Lennart Regebro regebro at nuxeo.com
Wed Sep 1 10:07:37 EDT 2004


Zachery Bir wrote:
> I don't know where the confusion is coming from that this is going to 
> force double-authentication. The only reason to do the traversal hook is 
> to capture the unauthorized and deal with it locally before handing it 
> back up to the Publisher.
> 
> Read the sources of CookieCrumbler. We're not going to force 
> double-authentication.

Ah, sorry, I mixed up two different but related issues:

Issue one:
Handling unauthorized, and making it call the challenge plugins. This 
can be done in before traverse, or in validate. Doesn't matter to me. 
Validate seems less magic, I think, but that is just an opinion.

Issue two:
If you let BaseRequest.traverse handle the validation, unauthorized 
*must* raise an exception. This means that you are limited to doing the 
challenge by either raising Unauthorized or Redirect. Raising 
Unauthorized will of course provoke a Basic HTTP challenge, so challenge 
plugins are really restricted to doing a redirect. You can not, for 
example, return a different page body, or anything like that. You *must* 
"raise Redirect, url". This seems a bit limited to me.

What was discussed briefly yesterday was to authenticate in 
before_traverse, and if that failed do a challenge. But that would 
result in authenticating twice, which seems less than perfect.


//Lennart
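
The three strategies contrasted in the message above, as an added toy model written for this page. It is not Zope, PAS or CookieCrumbler code: the classes and functions (Request, Response, validate, RedirectChallenge, BodyChallenge, the three publish_* functions, validate_calls_for) are assumptions invented for the illustration. It shows why a challenge plugin can only redirect when traverse itself must raise, why catching Unauthorized locally lets a plugin write its own page body, and why authenticating in a before-traverse hook runs authentication twice for a valid user.

```python
# Toy model of the challenge strategies discussed on the thread (added
# example, not Zope/PAS code; every name below is an assumption).


class Unauthorized(Exception):
    """Raised when no valid credentials are found."""


class Redirect(Exception):
    """Raised to send the client somewhere else, e.g. a login form."""

    def __init__(self, url):
        super().__init__(url)
        self.url = url


class Response:
    def __init__(self):
        self.status = 200
        self.headers = {}
        self.body = ""


class Request:
    def __init__(self, user=None):
        self.user = user            # constructed input: None means no credentials
        self.response = Response()
        self.validate_calls = 0     # how many times authentication ran


def validate(request):
    """Authentication step; counts calls so double authentication is visible."""
    request.validate_calls += 1
    if request.user is None:
        raise Unauthorized("no credentials")
    return request.user


class RedirectChallenge:
    """Plugin that challenges by raising Redirect (the only option under traverse)."""

    def challenge(self, request, response):
        raise Redirect("/login_form")


class BodyChallenge:
    """Plugin that writes its own page body and reports that it handled the challenge."""

    def challenge(self, request, response):
        response.status = 401
        response.body = "<html>custom login page</html>"
        return True


def finish_with_basic_challenge(response):
    """What the publisher does with an uncaught Unauthorized: a Basic HTTP challenge."""
    response.status = 401
    response.headers["WWW-Authenticate"] = 'Basic realm="Zope"'
    response.body = ""
    return response


def run_challenge(request, plugin):
    """Call the plugin; turn Redirect into a 302; None if the plugin did nothing."""
    response = request.response
    try:
        handled = plugin.challenge(request, response)
    except Redirect as r:
        response.status = 302
        response.headers["Location"] = r.url
        response.body = ""
        return response
    return response if handled else None


def publish_validate_in_traverse(request, plugin):
    """Strategy 1: traverse validates and must raise on failure. A plugin
    that does not raise has its work thrown away, because traverse still
    raises Unauthorized and the publisher builds a fresh Basic challenge."""
    response = request.response
    try:
        validate(request)
    except Unauthorized:
        result = run_challenge(request, plugin)
        if result is not None and result.status == 302:
            return result                       # Redirect escaped traverse
        return finish_with_basic_challenge(Response())
    response.body = "protected content"
    return response


def publish_challenge_locally(request, plugin):
    """Strategy 2: catch Unauthorized where validation happens and let the
    plugin finish the response, so a custom page body survives."""
    response = request.response
    try:
        validate(request)
    except Unauthorized:
        return run_challenge(request, plugin) or finish_with_basic_challenge(response)
    response.body = "protected content"
    return response


def publish_auth_before_traverse(request, plugin):
    """Strategy 3: authenticate in a before-traverse hook, challenge on failure,
    and otherwise continue into traverse, which validates a second time."""
    try:
        validate(request)
    except Unauthorized:
        return run_challenge(request, plugin) or finish_with_basic_challenge(request.response)
    return publish_validate_in_traverse(request, plugin)


def validate_calls_for(publish, user, plugin):
    """Run one strategy for a user and report how often validate() was called."""
    request = Request(user)
    publish(request, plugin)
    return request.validate_calls


if __name__ == "__main__":
    r = publish_validate_in_traverse(Request(), BodyChallenge())
    print("traverse + body plugin:", r.status, repr(r.body))        # body is lost
    r = publish_challenge_locally(Request(), BodyChallenge())
    print("local + body plugin:", r.status, repr(r.body))           # body survives
    print("validate() calls, before_traverse, valid user:",
          validate_calls_for(publish_auth_before_traverse, "alice", RedirectChallenge()))
```

The model deliberately discards the plugin's response in strategy 1 to mirror the point that, once traverse has to raise, only the exception (Unauthorized or Redirect) reaches the client; the body-writing plugin only works in strategy 2, and strategy 3 reports two validate() calls for an authenticated user.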

