[Zope-CMF] Auth problem, CMF, XML-RPC, ZCLASS

Brad Clements bkc@murkworks.com
Tue, 5 Mar 2002 16:38:24 -0500


I'm looking for any suggestions on how to solve this problem. It's somewhat complicated. 
I'll try to be clear in my explanation.

Sorry for the double post, I'm not sure if this is a CMF/cookie crumbler issue, or a Zope 
issue.

Zope 2.5.0 binary on RH Linux 7.1 with CMF beta 1.1 (will upgrade shortly, but I don't 
think that's the issue).

Layout of items is like this:

/ (zope root)

  /AdkWood (folder)

    /CMF  (CMF Site)

      /Manage  (has javascript source and index_html for one-page web app)

      /Members (folder)

        /bkc (folder)

          /mycompany   (ZClass instance of SearchableCompany)

      /acl_users   (for CMF)

  /acl_users (top level)

In Products/SearchableCompanyProduct/SearchableCompany/methods

    CompanyRequest_py  (python Script)

Program Description:

User navigates to /AdkWood/CMF/Manage. This is a protected folder, so they must be 
an Owner or Manager. They get the login form screen and can authenticate with either a 
CMF/acl_users username or a root /acl_users username. The problem occurs either 
way.


The Manage/index_html page template loads up lots of Javascript. It fills a select box 
with a list of URL paths to SearchableCompany Zclass instances that the user has the 
owner role on.

On the client, when the user selects one of these items, the client javascript builds an 
XML-RPC request by taking the URL path of the SearchableCompany and calling the 
CompanyRequest_py method on it via XML-RPC.

In Zope, after xmlrpc.py decodes the request, we get a path like:

/AdkWood/CMF/Members/bkc/mycompany/CompanyRequest_py

I can load the above URL in the same browser instance that had previously 
authenticated to Zope to get the /Manage/index_html page (cached cookie) and the 
request is processed correctly.

However when I use xml-rpc to call the method, I get an "Unauthorized, no 
authentication header found" error.

(about line 405 in BaseRequest.py)

if user is None and roles != UNSPECIFIED_ROLES:
    response.unauthorized()

Lots of print statements later, I find that user is None, and roles = ['Owner','Manager']

Using tcpwatch.py, I see that the xml-rpc request DOES include the authentication 
cookie previously received through the login process. It just doesn't seem to be 
honored by the higher level old_validation() methods.

This is strange because the same browser instance, using the same cookie, can 
directly navigate to the same URL that the xml-rpc request is sending.

As a quick hack, I changed vxXMLRPC (the xml-rpc javascript client) to send Basic 
authentication information in every request. When I do this, the xml-rpc method does 
work. However I'd rather not use it this way.

So my question is: is it possible this is a cookie-crumbler issue because my ZClass 
instances are "inside" CMF, or is this somehow dependent on xml-rpc processing not 
working quite right on the server? Or maybe this is related to authenticating first to

/CMF/Manager folder, but then using the same auth cookie through

/CMF/Members/...

However I think this wouldn't be an issue..

Brad Clements,                bkc@murkworks.com   (315)268-1000
http://www.murkworks.com                          (315)268-9812 Fax
AOL-IM: BKClements
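As an added illustration (not part of Brad's post and not the vxXMLRPC client he describes), the following Python 3 code shows the two things a person debugging this would want to check on the wire: which credential carriers an XML-RPC request actually contains (the kind of raw request tcpwatch.py shows), and what a scripted XML-RPC client sends when it replays the browser's login cookie instead of Basic authentication. It assumes the CMF CookieCrumbler's default cookie name `__ac` and uses the standard-library `xmlrpc.client.Transport`; the sample request text and cookie value are constructed for the example. Replaying the cookie from a script carries the same privileges as the logged-in browser session, which is why it is worth confirming exactly which credentials leave the client.

```python
import base64
import xmlrpc.client

# Assumption: CookieCrumbler's default cookie name (not stated in the post).
AC_COOKIE_NAME = "__ac"


def audit_request_headers(raw_request: str, cookie_name: str = AC_COOKIE_NAME) -> dict:
    """Report which credential carriers a raw HTTP request (as captured by a
    proxy such as tcpwatch.py) contains: the login cookie, Basic auth, or neither."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path = request_line.split()[:2]
    report = {"method": method, "path": path, "cookie_auth": False, "basic_auth": False}
    for line in header_lines:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "cookie":
            parts = (p.strip() for p in value.split(";"))
            if any(p.startswith(cookie_name + "=") for p in parts):
                report["cookie_auth"] = True
        elif name == "authorization" and value.lower().startswith("basic "):
            report["basic_auth"] = True
    return report


class CookieTransport(xmlrpc.client.Transport):
    """xmlrpc.client transport that replays a browser's auth cookie on every call,
    optionally adding Basic auth as well (the workaround described in the post)."""

    def __init__(self, cookie_value, cookie_name=AC_COOKIE_NAME, basic=None):
        super().__init__()
        self.cookie_name = cookie_name
        self.cookie_value = cookie_value
        self.basic = basic  # (user, password) or None

    def credential_headers(self):
        headers = [("Cookie", f"{self.cookie_name}={self.cookie_value}")]
        if self.basic is not None:
            user, password = self.basic
            token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
            headers.append(("Authorization", f"Basic {token}"))
        return headers

    def send_headers(self, connection, headers):
        # Transport.send_request calls this with the standard headers; we append ours.
        super().send_headers(connection, list(headers) + self.credential_headers())


class RecordingConnection:
    """Stand-in for http.client.HTTPConnection that records putheader() calls,
    so we can see what the transport would send without a live server."""

    def __init__(self):
        self.headers = []

    def putheader(self, name, value):
        self.headers.append((name, value))


def headers_sent(transport: CookieTransport) -> dict:
    """Drive the transport's header stage against a recording connection."""
    conn = RecordingConnection()
    transport.send_headers(conn, [("Content-Type", "text/xml")])
    return dict(conn.headers)


# Constructed sample: an XML-RPC POST carrying only the login cookie, as the
# post says the browser's JavaScript client does.
SAMPLE_XMLRPC_REQUEST = (
    "POST /AdkWood/CMF/Members/bkc/mycompany/CompanyRequest_py HTTP/1.0\r\n"
    "Host: localhost:8080\r\n"
    "Content-Type: text/xml\r\n"
    "Cookie: __ac=CONSTRUCTED_COOKIE_VALUE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(audit_request_headers(SAMPLE_XMLRPC_REQUEST))
    print(headers_sent(CookieTransport("CONSTRUCTED_COOKIE_VALUE")))
    print(headers_sent(CookieTransport("CONSTRUCTED_COOKIE_VALUE", basic=("bkc", "pw"))))
```

To use the transport against a real site you would pass it to `xmlrpc.client.ServerProxy(url, transport=CookieTransport(value))` with the cookie value copied from the logged-in browser; comparing `audit_request_headers` output for a browser navigation and for the XML-RPC call is the quickest way to confirm both really carry the same cookie before looking at server-side validation.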