[Zope-PAS] Challengers (and Zope 3)

[Mark Hammond]

> Which of these are possible to mix depends on client
> implementation. For
> example, here we notice that you can't put a redirect header and
> authenticate header in one response:
> http://www.webmasterworld.com/forum88/4907.htm
> The meta tag *might* work but that's kinda ugly.

My reading of the relevant RFCs implies that it should be possible to have
the actual login page as the body of the 401 message.

It states:
   If the 401 response contains
   the same challenge as the prior response, and the user agent has
   already attempted authentication at least once, then the user
   should be presented the entity that was given in the response,
   since that entity may include relevant diagnostic information.

Interestingly, RFC1945 also says:

   The [401] response must include a WWW-Authenticate header field

Note the use of "must".

> Having several WWW-Authenticate headers usually seem to work,
> just try putting in several WWW-Authenticate: Basic headers. Yup,
> you'll get several login dialogs. ;) But that may not be considered
> mixing protocols...

The RFC defines the behaviour, and that several WWW-Authenticate header
values is explicitly supported.  However, not all clients support the
standard to the letter.  For example - "Internet Explorer will only select
NTLM if it is the first mechanism offered; this is at odds with RFC 2616,
which states that the client must select the strongest supported
authentication scheme."[1]

> So, you might say that one might want to mix protocols. But "we"
> shouldn't do that, that is, PAS should not try to do that, it gets to
> complicated. It is instead up to each single challenge-plugin
> to decide what to do.

That may well be true for protocols other than header-based
challenge/response mechansisms - but as the standard explicitly defines c/r
behaviour, I see no reason not to support it.

Mark

[1] http://davenport.sourceforge.net/ntlm.html#ntlmHttpAuthentication