[Zope] authentication problem

Jens Vagelpohl jens@zope.com
Mon, 3 Sep 2001 21:12:56 -0400


this is a "known problem" with OmniWeb (and a few other browsers.

OmniWeb will only send basic auth information when explicityly prompted. 
unfortunately, the page on the right-hand side of the ZMI 
(manage_workspace) does *not* prompt for authentication, it simply looks 
for the headers and if it cannot read them you get redirected to a 
"harmless" view, like index_html for the respective folder. most other 
browsers, once they have a username and password, automatically send that 
along for all other pages from the same webserver.

i have sent feedback to the guys at OmniWeb twice so far, if you could add 
your voice to it that might help get it into production quicker.

jens




On Saturday, September 1, 2001, at 09:54 , Mitchell L Model wrote:

> I would greatly appreciate it if people knowledgeable about the Zope user 
> authentication process would consider helping me with a problem even 
> though the context for the problem is extremely limited (Omniweb 10.0.5 
> on Mac OS X 10.0.4), because the answer will help me understand an 
> important part of Zope in addition to helping me get past my problem and 
> in fact, I think the answer probably has to do with the mechanism by 
> which web browsers communicate user authorization to server-side programs 
> generally, independent of Omniweb or Zope, so many people might find this 
> answer interesting.
>
> I couldn't use Zope at all on Omniweb before the just released version 10.
> 0.5, because although I could successfully connect to a specific port 
> included in the URL, Omniweb was not using that port for the frames 
> within the page.  That seems to have been fixed with the newest version, 
> but I still have a problem: I can successfully log in to Zope, but all 
> attempts to use ZMI get redirected to View pages instead.  I have traced 
> through the code in ZPublisher/BaseRequest.py and 
> ZServer/PubCore/ZServerPublisher.py to determine that the request's _auth 
> is coming in as None in Omniweb, but a more meaningful value in other 
> browsers.  However, I'm having trouble finding where that information is 
> coming from (the indirections in the Python code make it tricky to catch 
> everything stepping through the code in pdb), and I've run out of time.
>
> I would GREATLY appreciate an explanation of where the authorization 
> information is coming from.  I don't see the currently logged in user in 
> my CGI environment, including cookies.  How does any server-side program 
> get the user authorization information from the browser after the user 
> has logged in and gone to a different frame or window?
> --
>     --- Mitchell
>
> _______________________________________________
> Zope maillist  -  Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce
> http://lists.zope.org/mailman/listinfo/zope-dev )