[Zope-PAS] [RFC] PAS extractor failure behavior

Jens Vagelpohl jens at dataflake.org
Tue Nov 23 06:07:32 EST 2004

>> My question is about the "fallback" behavior in 
>> PAS._extractCredentials. If there were registered extractors but they 
>> all failed to return anything (like when the CookieAuthHelper gives 
>> up in the scenario above) a "emergency extractor" is used. So I get a 
>> standard auth box, but only emergency users can log in. Why can't 
>> this be a normal DumbHTTPExtractor that accepts any valid credentials 
>> instead?
> This should only happen if something is incorrectly configured, and in 
> that case the only one you want to login is the emergency user, so you 
> can fix it. The reason is that you don't want a sudden error to break 
> the sequrity requirements you have. If you for example normally do not 
> allow SimpleAuth, you don't want it to suddenly become implicitly 
> allowed because there is an error.

You're right, that makes a lot of sense. The specific problem here, the 
failure of the CookieAuthHelper to provide the login_form to Anonymous, 
is indeed a sign of misconfiguration.


More information about the Zope-PAS mailing list