[Zope-PAS] Re: [Zope-Coders] Unauthorized results in 401, shouldn't it result in 403?
Zachery Bir
zbir at urbanape.com
Wed Apr 20 13:01:22 EDT 2005
On 2005-04-20 11:20:26 -0400, Chris Withers
<chris at simplistix.co.uk> said:
> Sidnei da Silva wrote:
>> | 3. How does PAS handle failover from one authentication plugin to the next?
>>
>> /me leaves slot for PAS experts to fill

Each attempt at authenticating a particular set of credentials gets a
crack, and either stands up for the creds, or returns None.

>> CookieCrumbler it's this variable is set from the cookie value) and
>> that may result in a valid user or 'Anonymous User'.
>
> Yeah, but how does CookieCrumbler stop a basic auth box being popped to
> the user when things aren't authorized?

By intercepting the RESPONSE's unauthorized() method. It's pretty
plainly there in the code. FWIW, this is how PAS insinuates itself into
the process as well, but to allow for any of the challenge plugins to
fire this way.

>> | PS: I suspect the answer to 4 varies depending on the type of auth :-(
>>
>> I don't think so.
>
> CookieCrumbler vs Everything Else: I think it does...

Well, not in PAS ;^)

Zac
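
The two mechanisms described in the message above, modelled as an added example that is not part of the original post and is not PAS or CookieCrumbler code: authentication plugins that return None to pass on a set of credentials, and challenge handling installed by replacing the response's unauthorized() method. All class, function and plugin names, the first-non-None-wins ordering, the realm string and the /login_form path are assumptions made for illustration.

```python
# Simplified model; every name here is hypothetical, not the PAS API.

class Response:
    """Stand-in for the publisher's RESPONSE object."""
    def __init__(self):
        self.status = 200
        self.headers = {}

    def unauthorized(self):
        # Default behaviour: HTTP Basic challenge (browser shows a login box).
        self.status = 401
        self.headers["WWW-Authenticate"] = 'basic realm="Zope"'  # constructed


def authenticate(plugins, credentials):
    """Give each plugin a crack at the credentials (assumed: first answer wins)."""
    for name, plugin in plugins:
        user_id = plugin(credentials)
        if user_id is not None:      # this plugin stands up for the creds
            return name, user_id
    return None, None                # nobody vouched: treat as anonymous


def install_challenge(response, challengers):
    """Replace response.unauthorized so challenge plugins get to fire first."""
    default = response.unauthorized  # keep the original bound method

    def unauthorized():
        for challenge in challengers:
            if challenge(response):  # a plugin handled the challenge
                return
        default()                    # no plugin acted: fall back to 401 Basic

    response.unauthorized = unauthorized


def cookie_login_challenge(response):
    """Redirect to a login form instead of sending a Basic challenge."""
    response.status = 302
    response.headers["Location"] = "/login_form"  # constructed path
    return True


# Constructed sample plugins: the first never recognises the credentials.
def ldap_plugin(creds):
    return None

def local_plugin(creds):
    return "zac" if creds == {"login": "zac", "password": "s3cret"} else None

PLUGINS = [("ldap", ldap_plugin), ("local", local_plugin)]
```

With an empty challenger list the wrapper falls through to the default 401, which is the case where the browser's basic auth box appears.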