[Zope-PAS] Unauthorized results in 401, shouldn't it result in 403?
Chris Withers
chris at simplistix.co.uk
Wed Apr 20 09:15:30 EDT 2005
Hi there,
In Zope auth we have this cool (and I'm being serious here!) idea that
authentication and authorisation are separate things. So I'm confused as
to why an authorization failure returns a 401 and not a 403.
My understanding is as follows:
1. anonymous request comes in for url that is not anonymously viewable
2. zope replies with a 401 requesting authentication information
3. browser supplies previous request but with auth headers
4. zope authenticates user (see Sidnei's mail about this part)
5. zope authorizes user
5.1. auth succeeds, zope publishes object
5.2. auth fails, zope returns a 401
Now, 5.2 is where I have the problem, since raising unauthorized
anywhere in Zope traditionally pops up a basic auth box rather than
returning standard_error_message with a 403 response which, as time goes
by, I'm starting to think is what should really happen.
The only reason I can think for the current behaviour is that it allows
you to try another username/password if the current one doesn't have the
correct level of authorization. Nowadays, most browsers allow you to
drop basic auth headers, and for IE users, they can just fire up a new
browser instance.
Out of interest, CookieCrumbler changes this behaviour by patching
things; this is how Plone ends up behaving as I suggest above (although
probably not returning a 403 as it should!)
This all leaves me with a few questions:
1. Should things change to work as I describe?
2. Is the above behaviour pluggable at all?
3. How does PAS handle failover from one authentication plugin to the next?
4. What kicks off the authentication process in Zope? Something being
anonymously viewable or credentials being found in the request?
cheers,
Chris
PS: I suspect the answer to 4 varies depending on the type of auth :-(
--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk
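As an added illustration of the flow in steps 1 to 5.2 (not Chris's code and not Zope's or PAS's own implementation), a minimal handler that keeps authentication and authorization separate and answers 401 only when no usable credential was presented and 403 when the caller is authenticated but lacks the permission. The users, roles and paths are constructed sample data.

```python
import base64
import hmac

# Constructed sample data: username -> (password, roles held).
USERS = {"alice": ("s3cret", {"Manager"}), "bob": ("hunter2", {"Member"})}
# Constructed: role each protected path requires; unlisted paths are public.
REQUIRED_ROLE = {"/manage": "Manager", "/index": "Member"}


def basic_header(user, pw):
    """Build the Authorization header a browser sends in step 3."""
    token = base64.b64encode(f"{user}:{pw}".encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token}


def authenticate(headers):
    """Step 4: extract Basic credentials; return the username or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(auth[6:], validate=True).decode("utf-8")
        user, _, pw = raw.partition(":")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed header counts as no credential
    entry = USERS.get(user)
    # Constant-time compare so bad-password and unknown-user paths look alike.
    if entry is not None and hmac.compare_digest(entry[0], pw):
        return user
    return None


def authorize(user, path):
    """Step 5: does the (possibly anonymous) user hold the role the path needs?"""
    needed = REQUIRED_ROLE.get(path)
    if needed is None:
        return True  # anonymously viewable
    return user is not None and needed in USERS[user][1]


def handle(path, headers):
    """Return (status, response_headers): 200, 401 with a challenge, or 403."""
    user = authenticate(headers)
    if authorize(user, path):
        return 200, {}
    if user is None:
        # Step 2: nobody is authenticated yet, so ask for credentials.
        return 401, {"WWW-Authenticate": 'Basic realm="Zope"'}
    # Step 5.2 as the post argues it should be: known user, wrong permission.
    return 403, {}
```
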