[Zope-PAS] [RFC] PAS extractor failure behavior
regebro at nuxeo.com
Tue Nov 23 05:38:53 EST 2004
Jens Vagelpohl wrote:
> Right now, if the CookieAuthHelper is set up to challenge and extract
> and for some reason the login_form itself is unreachable (meaning, the
> Anonymous User is somehow not authorized to view it) we end up in a
> redirect loop. I have code that fixes that which I will check in
> shortly. With the fix the CookieAuthHelper can detect the situation and
> returns "0" from unauthorized.
> My question is about the "fallback" behavior in PAS._extractCredentials.
> If there were registered extractors but they all failed to return
> anything (like when the CookieAuthHelper gives up in the scenario above)
> a "emergency extractor" is used. So I get a standard auth box, but only
> emergency users can log in. Why can't this be a normal DumbHTTPExtractor
> that accepts any valid credentials instead?
This should only happen if something is incorrectly configured, and in
that case the only one you want to login is the emergency user, so you
can fix it. The reason is that you don't want a sudden error to break
the sequrity requirements you have. If you for example normally do not
allow SimpleAuth, you don't want it to suddenly become implicitly
allowed because there is an error.
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/
More information about the Zope-PAS