[Zope3-Users] Disabling authentication for resources
Shailesh Kumar
shaileshk at gmail.com
Wed Jul 9 21:20:54 EDT 2008
Hi,
I have a couple of the following settings in my etc\securitypolicy.zcml:
<role id="zope.Anonymous" title="Everybody"
description="All users have this role implicitly" />
<!-- Replace the following directive if you don't want public access -->
<grant permission="zope.View"
role="zope.Anonymous" />
<grant permission="zope.app.dublincore.view"
role="zope.Anonymous" />
I didn't use zope.Public on my resource directories.
Still able to access them.
I use the older zope 3.3 zope instances.
Not sure if this helps you.
With regards,
- Shailesh
On Wed, Jul 9, 2008 at 5:44 PM, Roger Ineichen <dev at projekt01.ch> wrote:
> Hi Andrew
>
> > Subject: Re: [Zope3-Users] Disabling authentication for resources
>
> [...]
>
> I guess bypassing the authentication process is not supported for
> zope.Public protected objects.
>
> Zope does authenticate the user. And later it checks security
> for the object based on that user (authorization).
>
> zope.Public is correct for public access, but it doesn't mean
> the user does not get authenticated. Remember authentication and
> authorization are two different things.
>
> I'm not really sure. But I guess without authentication,
> Zope doesn't know if even zope.Public is allowed for this
> user because you can deny permissions. But I'm also not sure,
> without introspecting the code, if zope.Public can be set as deny.
>
> Hope that gives some hints for going deep into the internals
> of IAuthentication. If you need a simpler implementation,
> take a look at z3c.authenticator.
>
>
> Regards
> Roger Ineichen
>
> >
> > On Tue, 2008-07-08 at 22:52 -0700, Shailesh Kumar wrote:
> > > Did you try the resourceDirectory ZCML directive?
> > >
> > > <browser:resourceDirectory
> > >     name="js"
> > >     directory="resource/js"
> > >     layer=".interfaces.IBatonSkin"
> > >     />
> > >
> > > That way they don't need the authentication overhead.
> >
> > Thanks for the replies, everyone. This is what I currently
> > have as an example of a resource I'm fetching:
> >
> > <resourceDirectory
> > name="ajs"
> > directory="ajs"
> > layer="vortex.layer.IVortexBrowserLayer"
> > permission="zope.Public"
> > />
> >
> > But if I try to access one of these resources directly from the web,
> > e.g.:
> >
> > http://.../@@/ajs/gb_styles.css
> >
> > I still get my authentication code being called. I've tracked
> > it down this far:
> >
> > (zope.app.publication:zope.publication.py)
> >
> > def _maybePlacefullyAuthenticate(self, request, ob):
> >     if not IUnauthenticatedPrincipal.providedBy(request.principal):
> >         # We've already got an authenticated user. There's nothing to do.
> >         # Note that beforeTraversal guarantees that user is not None.
> >         return
> >
> >     if not ISite.providedBy(ob):
> >         # We won't find an authentication utility here, so give up.
> >         return
> >
> >     sm = removeSecurityProxy(ob).getSiteManager()
> >
> >     auth = sm.queryUtility(IAuthentication)
> >     if auth is None:
> >         # No auth utility here
> >         return
> >
> >     # Try to authenticate against the auth utility
> >     principal = auth.authenticate(request)  # <----- My PAU called here
> >
> > Any ideas ?
> >
> > Cheers, Andrew.
> >
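
The ordering discussed in this thread (authentication runs during traversal, authorization is checked afterwards), as an added example that is not part of the original messages and is not Zope code. It is a simplified model: RecordingAuth, publish, check_permission and the sample users, paths and grants are all hypothetical, and the model assumes zope.Public is granted to every principal.

```python
# Simplified model of the flow in this thread; NOT Zope code. All names are hypothetical.
PUBLIC = "zope.Public"  # permission id taken from the thread


class Principal:
    def __init__(self, id, authenticated):
        self.id = id
        self.authenticated = authenticated


class RecordingAuth:
    """Stand-in for a site-local IAuthentication utility (e.g. a PAU)."""

    def __init__(self, users):
        self.users = users      # constructed sample data: credentials -> Principal
        self.calls = []         # request paths authenticate() was called for

    def authenticate(self, request):
        self.calls.append(request["path"])
        return self.users.get(request.get("credentials"))


def maybe_placefully_authenticate(request, site):
    """Same control flow as the quoted _maybePlacefullyAuthenticate."""
    if request["principal"].authenticated:
        return                  # already authenticated, nothing to do
    auth = site.get("auth")     # plays the role of sm.queryUtility(IAuthentication)
    if auth is None:
        return                  # no auth utility here
    principal = auth.authenticate(request)   # runs before any permission is known
    if principal is not None:
        request["principal"] = principal


def check_permission(permission, principal, grants):
    """Authorization step. Assumption of this model: PUBLIC is granted to everyone."""
    return permission == PUBLIC or permission in grants.get(principal.id, ())


def publish(path, credentials, site, resources, grants):
    """Authenticate during traversal, then authorize the traversed object."""
    request = {"path": path, "credentials": credentials,
               "principal": Principal("anonymous", False)}
    maybe_placefully_authenticate(request, site)
    allowed = check_permission(resources[path], request["principal"], grants)
    return request["principal"].id, allowed
```

In this model the authentication utility is called for the public stylesheet even though the permission check that follows would pass for any principal, which matches what Andrew observed with his PAU.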