[Zope-PAS] [RFC] PAS extractor failure behavior

Lennart Regebro regebro at nuxeo.com
Tue Nov 23 05:38:53 EST 2004


Jens Vagelpohl wrote:
> Right now, if the CookieAuthHelper is set up to challenge and extract 
> and for some reason the login_form itself is unreachable (meaning, the 
> Anonymous User is somehow not authorized to view it) we end up in a 
> redirect loop. I have code that fixes that which I will check in 
> shortly. With the fix the CookieAuthHelper can detect the situation and 
> returns "0" from unauthorized.
> 
> My question is about the "fallback" behavior in PAS._extractCredentials. 
> If there were registered extractors but they all failed to return 
> anything (like when the CookieAuthHelper gives up in the scenario above) 
> a "emergency extractor" is used. So I get a standard auth box, but only 
> emergency users can log in. Why can't this be a normal DumbHTTPExtractor 
> that accepts any valid credentials instead?

This should only happen if something is incorrectly configured, and in 
that case the only one you want to login is the emergency user, so you 
can fix it. The reason is that you don't want a sudden error to break 
the sequrity requirements you have. If you for example normally do not 
allow SimpleAuth, you don't want it to suddenly become implicitly 
allowed because there is an error.

-- 
Lennart Regebro, Nuxeo     http://www.nuxeo.com/
CPS Content Management     http://www.cps-project.org/


More information about the Zope-PAS mailing list