[Zope3-dev] Re: PAS vs pluggableauth
Lennart Regebro
regebro at nuxeo.com
Wed Sep 8 14:12:53 EDT 2004
Tres Seaver wrote:
> Making 'response.unauthorized' *not* raise would break a bunch of
> third-party code. In Zope3, the only way application code signals the
> same condition is to raise Unauthorized directly.
Well, I guess that then either needs to be changed, or probably better,
trapped somewhere higher up to initiate a challenge-response.
>> That probably means that the challenge interface for Zope2 PAS and
>> Zope3 PAS may be different.
>
> I don't think so.
Ok, good.
>> 2. We have a bit of a problem in matching the extracted credentials
>> with a particular user, because the extraction of credentials is done
>> by one plugin, the validation of the credentials by a second, and the
>> enumeration of users by a third.
>> As it is just right now, the validation and enumeration plugin must be
>> the same. And since the validation and extraction plugins must
>> understand each other, they must basically ALSO be the same.
>
> No, they need not. The dependency is on the contents of the credentials
> extracted. You could, for instance, use the same CookieAuth extractor
> with multiple authenticator plugins (we do this all the time).
Yes, but this is because they all happen to have the same contents of
the credentials for all authenticators. You would for example not be able
to use a CAS credential extractor with any of these authenticators. But
since PAS is designed to NOT have a specific credential layout, you can
not assume that this always is the case.
> The enumerator plugin can be separate from the authenticator
At the moment they can't.
> but must often have knowledge of the various authenticators
> (because the user ID depends on the authenticator).
I have just posted to the PAS list for a discussion on this, as I think
this is a design error.
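The extractor/authenticator/enumerator split argued over in this thread, as an added Python example that is not code from the thread or from PluggableAuthService itself. It is a toy model: the class and method names, the credential dict layouts (`login`/`password` versus `cas_ticket`), the `(plugin_id, user_id)` principal key and the sample users and tickets are all assumptions made for the illustration. It shows both points at once: one cookie extractor serving two password authenticators (so the user id only means something together with the authenticator that vouched for it), and a CAS extractor whose credentials are skipped, not failed, by the password authenticators because they do not understand that layout.

```python
# Toy model of a PAS-style three-stage pipeline: extraction, authentication,
# enumeration. Illustrative only, NOT the real PluggableAuthService API; all
# names, credential layouts and sample data below are assumptions.


class Request:
    # Minimal stand-in for an HTTP request (constructed for the example).
    def __init__(self, cookies=None, params=None):
        self.cookies = cookies or {}
        self.params = params or {}


class CookieExtractor:
    # Extraction plugin: login/password pair from an "__ac" cookie.
    def extract(self, request):
        raw = request.cookies.get("__ac")
        if raw is None:
            return None
        login, _, password = raw.partition(":")
        return {"login": login, "password": password}


class CASTicketExtractor:
    # Extraction plugin yielding a different credential layout: a CAS ticket.
    def extract(self, request):
        ticket = request.params.get("ticket")
        return None if ticket is None else {"cas_ticket": ticket}


class PasswordAuthenticator:
    # Authentication plugin that only understands login/password credentials.
    def __init__(self, plugin_id, users):
        self.plugin_id = plugin_id
        self._users = users  # login -> password (constructed sample data)

    def authenticate(self, credentials):
        # A layout this plugin does not understand is skipped rather than
        # reported as a bad login: another authenticator may own that layout.
        if "login" not in credentials or "password" not in credentials:
            return None
        login = credentials["login"]
        if self._users.get(login) == credentials["password"]:
            return (self.plugin_id, login)  # (vouching plugin, user id)
        return None


class CASAuthenticator:
    # Authentication plugin that only understands CAS tickets; the round trip
    # to the CAS server is replaced by a constructed ticket -> login table.
    def __init__(self, plugin_id, tickets):
        self.plugin_id = plugin_id
        self._tickets = tickets

    def authenticate(self, credentials):
        if "cas_ticket" not in credentials:
            return None
        login = self._tickets.get(credentials["cas_ticket"])
        return None if login is None else (self.plugin_id, login)


class Enumerator:
    # Enumeration plugin keyed on (plugin id, user id): the same user id can
    # denote different principals under different authenticators.
    def __init__(self, directory):
        self._directory = directory

    def lookup(self, principal):
        return self._directory.get(principal)


class PluggableAuth:
    def __init__(self, extractors, authenticators, enumerator):
        self.extractors = extractors
        self.authenticators = authenticators
        self.enumerator = enumerator

    def validate(self, request):
        # Returns ((plugin_id, user_id), user_info) or None. Every extractor is
        # tried against every authenticator; the only coupling between the two
        # stages is the set of keys in the credentials dict.
        for extractor in self.extractors:
            creds = extractor.extract(request)
            if creds is None:
                continue
            for auth in self.authenticators:
                principal = auth.authenticate(creds)
                if principal is not None:
                    return principal, self.enumerator.lookup(principal)
        return None


def build_demo():
    # Constructed configuration: two password authenticators share the cookie
    # extractor; the CAS extractor only ever pairs with the CAS authenticator.
    directory = {
        ("staff", "alice"): {"title": "Alice (staff)"},
        ("contractors", "alice"): {"title": "Alice (contractor)"},
        ("cas", "bob"): {"title": "Bob via CAS"},
    }
    return PluggableAuth(
        extractors=[CookieExtractor(), CASTicketExtractor()],
        authenticators=[
            PasswordAuthenticator("staff", {"alice": "s3cret"}),
            PasswordAuthenticator("contractors", {"alice": "other"}),
            CASAuthenticator("cas", {"ST-123": "bob"}),
        ],
        enumerator=Enumerator(directory),
    )
```

Calling `build_demo().validate(Request(cookies={"__ac": "alice:other"}))` resolves to the `contractors` principal even though the login is the same "alice" the `staff` authenticator knows, which is why the enumerator here is keyed on the authenticator id as well as the user id. Dropping the layout check in `PasswordAuthenticator.authenticate` would turn every CAS login attempt into a spurious failed-password event for each password authenticator in the chain.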