[Zope-PAS] Checked in the Challenge implementation.

Mark Hammond mhammond at skippinet.com.au
Sun Sep 26 23:33:00 EDT 2004


> > I've already tried my best to explain why it doesn't work,
> > and even provided
> > code to prove it.
>
> Since I checked in the new implementation on friday I have seen two
> mails from you, including this one. Neither of them contains any
> explanation or code.

My apologies - however, I was working against and talking about that code as
supplied by you in mail a day or 2 before you checked it in.  I attach it
here again (with a couple of small changes).

> I'm convinced it works, and will remain
> convinced it works until you make some kind of effort to tell
> me why it is not working. Have you even tried it?

I did try it - that is how I was able to tell you specifically how the
result code handling of the implementation was my primary issue.  I was
speculating about how redirect based challengers would interact as I have no
working example, but not about 'challenge/response' based ones (as we now
have 2 - my example + HTTPAuth).

All I am trying to do is make my plugin work and interact with existing
schemes - I have no interest in creating work for work's sake, or for making
PAS somehow more to my "liking". I apologize that I have been sounding
frustrated - my intention is not to antagonize, but I do feel I am having
trouble communicating my issues, even when backed up with code.  The
frustration results from my inability to express the issues better than what
I have.

The attached example does work correctly only if it explicitly sets the HTTP
status and body.  If HTTPAuth is disabled and it does not set the HTTP
status, a '204 No content' is returned.  If the body is not set, 401 with an
empty body is (which is no use for clients which do not understand the auth
scheme).  If HTTPAuth is enabled, both challengers set the response and body
(with only one winning).

As supplied, the example does redundantly set the 401 (else it does not work
when HTTPAuth is disabled), but does not set the body (to demonstrate the
empty content in that case).  You can verify this by disabling HTTP auth and
enabling the example auth, then use your browser to try and view a
restricted page.

Is it your intention for all challengers to set the 401 status and a
resulting message body?  At the moment, we are talking about "http auth +
one other".  Obviously, the general problem is "http auth + many others" -
so I tend to believe it is not appropriate for all challengers to
redundantly set the body and status.  However, I see no way to avoid it.  If
it is your intention, should implementers clone the HTTPAuth code exactly as
specified now?

I am also confident that this scheme will not work "nicely" with redirection
based challengers - but until I actually have some redirection based code I
can test and experiment with, I can't give specific examples.  Once you
install my sample with your working CAS redirector and try and imagine a
site where they must *all* interact, you may begin to see what my concerns
are.  Alternatively, you may be able to explain why my concerns are
unfounded.  Another alternative is that PAS does not allow site admins to
mix challenge/response schemes with web based redirection ones - that would
be good to know and have documented for other people investigating
UserFolder implementations.

Attached:
challenge_example.patch: Patch to __init__.py to enable the addin.
ChallengeExampleAuth.py: Add to the 'plugins' directory.
ChallengeExampleAdd.zpt: Add to 'plugins/www'
challenge_client.py: An HTTP client which understands the challenge/response
scheme

Cheers,

Mark.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: challenge_example.patch
Type: application/octet-stream
Size: 1727 bytes
Desc: not available
Url : http://mail.zope.org/pipermail/zope-pas/attachments/20040927/f11335cc/challenge_example.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ChallengeExampleAuth.py
Type: application/octet-stream
Size: 8224 bytes
Desc: not available
Url : http://mail.zope.org/pipermail/zope-pas/attachments/20040927/f11335cc/ChallengeExampleAuth.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ChallengeExampleAdd.zpt
Type: application/octet-stream
Size: 1148 bytes
Desc: not available
Url : http://mail.zope.org/pipermail/zope-pas/attachments/20040927/f11335cc/ChallengeExampleAdd.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: challenge_client.py
Type: application/octet-stream
Size: 3302 bytes
Desc: not available
Url : http://mail.zope.org/pipermail/zope-pas/attachments/20040927/f11335cc/challenge_client.obj
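The interaction described in the mail above (a '204 No content' when no challenger sets a status, a 401 with an empty body when none sets a body, the last challenger "winning" when two both write into the response, and a redirect-based challenger clobbering an HTTP challenge) can be reproduced with a small model. The code below is an added example written for this archive page; it is neither Mark's attachment nor PAS's own implementation. The `FakeResponse` class, the three challenger classes, their `protocol` attribute and both dispatcher functions are constructed for illustration, and the 204 default on the response is an assumption about what the server returns when a handler writes nothing.

```python
# Constructed model (not PAS's own code) of several challenge plugins
# writing into one HTTP response, and of a dispatcher that prevents the
# 204 / empty-401 / redirect-overwrite outcomes described in the thread.
from dataclasses import dataclass, field


@dataclass
class FakeResponse:
    """Minimal stand-in for a Zope HTTPResponse.
    Assumption: a handler that sets neither status nor body yields 204."""
    status: int = 204
    headers: dict = field(default_factory=dict)
    body: str = ""

    def setStatus(self, status):
        self.status = status

    def addHeader(self, name, value):
        # accumulate: several WWW-Authenticate values may legitimately coexist
        self.headers.setdefault(name, []).append(value)

    def setHeader(self, name, value):
        self.headers[name] = [value]

    def setBody(self, body):
        self.body = body


class HTTPBasicChallenger:
    """Models the built-in HTTP auth challenger: sets status, header and body."""
    protocol = "http"

    def __init__(self, realm="Zope"):
        self.realm = realm

    def challenge(self, request, response):
        response.setStatus(401)
        response.addHeader("WWW-Authenticate", 'Basic realm="%s"' % self.realm)
        response.setBody("<strong>You are not authorized to access this resource.</strong>")
        return True


class ExampleChallenger:
    """Stand-in for a custom challenge/response scheme; the flags reproduce
    the 'status set, body not set' configuration discussed in the mail."""
    protocol = "http"

    def __init__(self, set_status=True, set_body=False):
        self.set_status = set_status
        self.set_body = set_body

    def challenge(self, request, response):
        # constructed, fixed nonce so the run is deterministic
        response.addHeader("WWW-Authenticate", 'Example nonce="c0ffee"')
        if self.set_status:
            response.setStatus(401)
        if self.set_body:
            response.setBody("Authenticate with the Example scheme.")
        return True


class RedirectChallenger:
    """Stand-in for a redirect-based (CAS-style) challenger."""
    protocol = "redirect"

    def challenge(self, request, response):
        response.setStatus(302)
        response.setHeader("Location", "https://sso.example.invalid/login")  # constructed URL
        return True


def run_all(challengers, request, response):
    """Naive dispatcher: every enabled challenger writes into the same
    response, so whichever runs last wins on status and body."""
    issued = False
    for challenger in challengers:
        issued = challenger.challenge(request, response) or issued
    return issued


def run_grouped(challengers, request, response):
    """Dispatcher that lets only challengers of the first responding protocol
    into the response (a 302 never overwrites a 401 or vice versa) and that
    guarantees a 401 with a non-empty body once any http challenger ran, so
    individual plugins need not set status and body redundantly."""
    protocol = None
    for challenger in challengers:
        if protocol is not None and challenger.protocol != protocol:
            continue  # a different protocol already owns this response
        if challenger.challenge(request, response):
            protocol = challenger.protocol
    if protocol == "http":
        response.setStatus(401)
        if not response.body:
            response.setBody("Unauthorized: use one of the offered authentication schemes.")
    return protocol is not None


def outcome(dispatcher, challengers):
    """Run one scenario; return (status, body, WWW-Authenticate values, Location)."""
    resp = FakeResponse()
    dispatcher(challengers, {}, resp)
    return (resp.status, resp.body,
            resp.headers.get("WWW-Authenticate", []),
            resp.headers.get("Location", [None])[0])
```

Running `outcome(run_all, ...)` with the Example challenger alone and `set_status=False` yields the 204 from the mail; with the default flags it yields a 401 whose body is empty, which a client that does not speak the Example scheme cannot act on; with both http challengers enabled, both `WWW-Authenticate` values are present but only the last body survives; and with a redirect challenger after the Basic one, the 302 overwrites the 401 while the stale `WWW-Authenticate` header is still sent. `run_grouped` is one possible answer to the question of whether every challenger must set status and body: status and a fallback body are set in one place, and challengers of a second protocol are skipped rather than fighting over the response. Later PAS releases adopted a similar grouping via a `protocol` attribute on challenger plugins.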