<div>Hi, </div>
<div> </div>
<div>I have a couple of the following settings in my etc\securitypolicy.zcml:</div>
<div> </div>
<div> <role id="zope.Anonymous" title="Everybody"<br> description="All users have this role implicitly" /><br> <!-- Replace the following directive if you don't want public access --><br>
<grant permission="zope.View"<br> role="zope.Anonymous" /><br> <grant permission="zope.app.dublincore.view"<br> role="zope.Anonymous" /><br>
</div>
<div> </div>
<div>I didn't use zope.Public on my resource directories.</div>
<div> </div>
<div>Still able to access them.</div>
<div> </div>
<div>I use the older zope 3.3 zope instances.</div>
<div>Not sure if this helps you.<br></div>
<div>With regards,</div>
<div>- Shailesh</div>
<div><br> </div>
<div class="gmail_quote">On Wed, Jul 9, 2008 at 5:44 PM, Roger Ineichen <dev@projekt01.ch> wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Hi Andrew<br><br>> Subject: Re: [Zope3-Users] Disabling authentication for resources<br><br>[...]<br><br>
I guess bypassing the authentication process is not supported for<br>zope.Public protected objects.<br><br>Zope does authenticate the user. And later it checks security<br>for the object based on that user (authorization).<br>
<br>zope.Public is correct for public access, but it doesn't mean<br>the user does not get authenticated. Remember authentication and<br>authorization are two different things.<br><br>I'm not really sure. But I guess without authentication,<br>
Zope doesn't know if even zope.Public is allowed for this<br>user because you can deny permissions. But I'm also not sure,<br>without introspecting the code, whether zope.Public can be set as deny.<br><br>Hope that gives some hints for digging deep into the internals<br>
of IAuthentication. If you need a simpler implementation,<br>take a look at z3c.authenticator.<br><br><br>Regards<br><font color="#888888">Roger Ineichen<br></font>
<div>
<div></div>
<div class="Wj3C7c"><br>><br>> On Tue, 2008-07-08 at 22:52 -0700, Shailesh Kumar wrote:<br>> > Did you try the resourceDirectory ZCML directive?<br>> ><br>> > <browser:resourceDirectory<br>> ><br>
> > name="js"<br>> ><br>> > directory="resource/js"<br>> ><br>> > layer=".interfaces.IBatonSkin"<br>> ><br>> > /><br>> > that way they don't need the authentication overhead.<br>
><br>> Thanks for the replies, everyone. This is what I currently<br>> have as an example of a resource I'm fetching:<br>><br>> <resourceDirectory<br>> name="ajs"<br>> directory="ajs"<br>
> layer="vortex.layer.IVortexBrowserLayer"<br>> permission="zope.Public"<br>> /><br>><br>> But if I try to access one of these resources directly from the web,<br>> e.g.:<br>
><br>> http://.../@@/ajs/gb_styles.css<br>><br>> I still get my authentication code being called. I've tracked<br>> it down this far:<br>><br>> (zope.app.publication:<a href="http://zope.publication.py/" target="_blank">zope.publication.py</a>)<br>
><br>> def _maybePlacefullyAuthenticate(self, request, ob):<br>>     if not IUnauthenticatedPrincipal.providedBy(request.principal):<br>>         # We've already got an authenticated user. There's nothing to do.<br>
>         # Note that beforeTraversal guarantees that user is not None.<br>>         return<br>><br>>     if not ISite.providedBy(ob):<br>>         # We won't find an authentication utility here, so give up.<br>
>         return<br>><br>>     sm = removeSecurityProxy(ob).getSiteManager()<br>><br>>     auth = sm.queryUtility(IAuthentication)<br>>     if auth is None:<br>>         # No auth utility here<br>
>         return<br>><br>>     # Try to authenticate against the auth utility<br>>     principal = auth.authenticate(request)  # &lt;----- My PAU called here<br>><br>> Any ideas?<br>
><br>> Cheers, Andrew.<br>><br><br>_______________________________________________<br>Zope3-users mailing list<br><a href="mailto:Zope3-users@zope.org">Zope3-users@zope.org</a><br><a href="http://mail.zope.org/mailman/listinfo/zope3-users" target="_blank">http://mail.zope.org/mailman/listinfo/zope3-users</a><br>
</div></div></blockquote></div><br>
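<div>Added example, not part of the original thread and not Zope's own code: a simplified Python model of the ordering described above (authenticate first, authorize afterwards), next to an authentication utility that declines to authenticate resource URLs. Every class, function and permission name other than zope.Public is hypothetical, and the users, credentials and second resource path are constructed sample data.</div>

```python
# Simplified model of the publication order discussed in the thread.
# Not Zope code: every class and function name here is hypothetical.
PUBLIC = "zope.Public"      # permission that every principal passes
ANONYMOUS = "anonymous"     # stand-in for the unauthenticated principal

class CountingAuth:
    """Stand-in for an IAuthentication utility such as a PAU."""
    def __init__(self, users):
        self.users, self.calls = users, 0

    def authenticate(self, request):
        self.calls += 1                       # the overhead seen in the thread
        return self.users.get(request.get("credentials"))

class ResourceSkippingAuth(CountingAuth):
    """Returns no principal for resource URLs, so no credential lookup runs."""
    def authenticate(self, request):
        if request["path"].startswith("/@@/"):
            return None                       # request stays unauthenticated
        return super().authenticate(request)

def publish(request, auth, permissions, grants):
    # 1. Authentication runs during traversal, before the target object
    #    (and therefore its permission) is known.
    principal = auth.authenticate(request) or ANONYMOUS
    # 2. Authorization is evaluated afterwards, against that principal.
    needed = permissions[request["path"]]
    allowed = needed == PUBLIC or needed in grants.get(principal, ())
    return principal, ("200 OK" if allowed else "401 Unauthorized")

# Constructed sample data (example.Manage is a made-up permission id).
USERS = {"secret-token": "andrew"}
GRANTS = {"andrew": {"example.Manage"}}
PERMISSIONS = {
    "/@@/ajs/gb_styles.css": PUBLIC,
    "/@@/admin/panel.js": "example.Manage",
}

def demo():
    css = {"path": "/@@/ajs/gb_styles.css", "credentials": "secret-token"}
    admin = {"path": "/@@/admin/panel.js", "credentials": "secret-token"}
    plain, skipping = CountingAuth(USERS), ResourceSkippingAuth(USERS)
    return {
        "public_plain": publish(css, plain, PERMISSIONS, GRANTS),
        "plain_calls": plain.calls,
        "public_skip": publish(css, skipping, PERMISSIONS, GRANTS),
        "protected_skip": publish(admin, skipping, PERMISSIONS, GRANTS),
        "skip_calls": skipping.calls,
    }
```

<div>With the skipping utility the public stylesheet is still served, but a protected resource under /@@/ is refused even when valid credentials are sent, because the request never receives a principal for the authorization step to check.</div>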