[Zope-PAS] Struggling with 'challenge' support.

Mark Hammond mhammond at skippinet.com.au
Thu Sep 23 21:44:35 EDT 2004


I've implemented a 'sample' challenge and response scheme.  The scheme is
based on NTLM - it must go through the exact same motions that NTLM
requires.  The tokens exchanged by the scheme however are transparent and
insecure - the point is to demonstrate the "401/retry/401/retry/200" dance
required.

http://www.innovation.ch/java/ntlm.html describes the NTLM handshake, and
therefore also describes this sample challenge implementation - however,
where the NTLM spec says "<base64-encoded type-?-message>", we use a simple,
hard-coded message.

* ChallengeExampleAuth.py should go in the 'plugins' directory.
* ChallengeExampleAdd.zpt should go in 'plugins/www'
* PAS's __init__.py will need to be tweaked to include the new plugin.

Once you have done this, you have a new scheme with interacts correctly with
HTTPBasicAuthHelper - ie, if you try and visit the site in your web browser,
you will still be correctly prompted for authorization using HTTP auth.  The
headers *will* include the new challenge scheme along with the HTTP auth
one - but the browsers correctly ignore schemes they don't understand.

Also attached is "challenge_client.py".  It is a stand-alone Python client
program that attempts to open a URL, but handles a 401 and the new
authorization scheme.  It then exchanges "credentials" with the plugin,
resulting in password-less authentication.

challenge_client.py is, as you can guess, simply the client side of the NTLM
dance which IE knows how to do.  Obviously though, as our tokens are
hard-coded, IE can not authenticate using this scheme.  As mentioned, IE
correctly backs off to simple HTTP auth (as initiated by
HTTPBasicAuthHelper).

I hope this demonstrates what I am trying to achieve, and also demonstrates
how we *do* need multiple challengers at the same time.

I'll continue to look at the cookie-redirect issues - please let me know if
I can do anything else to help.

Thanks,

Mark.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: challenge_client.py
Type: application/octet-stream
Size: 3302 bytes
Desc: not available
Url : http://mail.zope.org/pipermail/zope-pas/attachments/20040924/04d10d32/challenge_client.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ChallengeExampleAuth.py
Type: application/octet-stream
Size: 8040 bytes
Desc: not available
Url : http://mail.zope.org/pipermail/zope-pas/attachments/20040924/04d10d32/ChallengeExampleAuth.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ChallengeExampleAdd.zpt
Type: application/octet-stream
Size: 1148 bytes
Desc: not available
Url : http://mail.zope.org/pipermail/zope-pas/attachments/20040924/04d10d32/ChallengeExampleAdd.obj


More information about the Zope-PAS mailing list