[Zope-PAS] Re: auth fallback with cookies

Sidnei da Silva sidnei at enfoldsystems.com
Wed Aug 10 12:25:38 EDT 2005


On Wed, Aug 10, 2005 at 11:59:34AM -0400, Tres Seaver wrote:
| Sidnei da Silva wrote:
| > On Sun, Aug 07, 2005 at 03:49:36PM -0700, Kapil Thangavelu wrote:
| > | make the cookie auth plugin push form credentials into the request
| > | as basic auth headers ala cookie crumbler.
| > 
| > I've tried that but have not succeeded for some reason.
| > 
| > OTOH, replacing the root User Folder by a PAS equivalent (using
| > PluggableAuthService/Extensions/upgrade.py + adding cookie extraction
| > plugin) *does* do the trick.
| > 
| > Can anyone think of a good reason not to do this and try harder at the
| > cookie crumbler approach?
| 
| Nope.  If you are going to drink the PAS koolaid, you might as well go
| all the way. ;)

Yes, I'm ok with that. However I *do* think there's a problem in
there. Here's a description of the issue:

- User exists at (unknown) user folder on /
- PAS user folder at /foo
- Client visits /foo/auth_required_page
- PAS user folder challenges the client
- Client sends credentials
- PAS user folder successfully extracts credentials
- PAS user folder cannot find the user
- BaseRequest moves on to next user folder
- (unknown) user folder on / cannot extract credentials because it's
  not a PAS user folder, or because it *IS* a PAS user folder but
  doesn't have the correct extraction plugin.

So my current feeling is that PAS should have a way to pass the
extracted credentials on to the next user folder somehow. This way
seems to be using request._auth, which is what the Cookie Crumbler
does; however, the patch I've submitted in a separate email is required
for this to work.

Thoughts?

-- 
Sidnei da Silva
Enfold Systems, LLC.
http://enfoldsystems.com
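Added simulation of the fallback chain described in the list above (not Zope or PAS code, and not from the thread's authors): a PAS-style folder at /foo whose only extraction plugin reads a cookie, a classic folder at / that understands only a Basic auth header, and a hand-off through request._auth in the Cookie Crumbler style. Class names, the `__ac` cookie layout and the sample users are assumptions.

```python
import base64

# Constructed simulation, not Zope/PAS code; names and the cookie format are assumptions.

def basic_auth(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

class Request:
    def __init__(self, cookies=None, auth=None):
        self.cookies, self._auth = cookies or {}, auth  # _auth: Basic auth header

class ClassicUserFolder:
    """Root folder: understands only a Basic auth header in request._auth."""
    def __init__(self, users):
        self.users = users
    def validate(self, request):
        if not request._auth or not request._auth.startswith("Basic "):
            return None  # cannot extract credentials at all
        user, _, password = base64.b64decode(request._auth[6:]).decode().partition(":")
        return user if self.users.get(user) == password else None

class CookiePASFolder:
    """/foo: PAS-style folder whose only extraction plugin reads a cookie."""
    def __init__(self, users, forward_credentials):
        self.users, self.forward_credentials = users, forward_credentials
    def validate(self, request):
        cookie = request.cookies.get("__ac")  # assumed cookie name and format
        if cookie is None:
            return None
        user, _, password = base64.b64decode(cookie).decode().partition(":")
        if self.users.get(user) == password:
            return user
        if self.forward_credentials:
            # Proposed fix: pass the extracted credentials on via request._auth, as the Cookie Crumbler does
            request._auth = basic_auth(user, password)
        return None  # user unknown here; BaseRequest moves on to the next folder

def authenticate(request, folders):
    """Try each user folder in turn, like BaseRequest does during traversal."""
    for folder in folders:
        user = folder.validate(request)
        if user is not None:
            return user
    return None

def run(forward_credentials):
    root = ClassicUserFolder({"alice": "s3cret"})      # user exists only at /
    foo = CookiePASFolder({"bob": "hunter2"}, forward_credentials)  # PAS at /foo
    cookie = base64.b64encode(b"alice:s3cret").decode()  # client's login cookie
    return authenticate(Request(cookies={"__ac": cookie}), [foo, root])
```

`run(False)` reproduces the failure (the root folder never sees the credentials and returns None); `run(True)` shows the hand-off letting the root folder authenticate alice.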
