[Zope-PAS] Challengers (and Zope 3)

Mark Hammond mhammond at skippinet.com.au
Fri Oct 1 23:34:26 EDT 2004


> > So somehow I need to remember the credentials on a
> > per-connection basis.  At the moment, the example has
> > localized (presumably Zope2 specific) code that sticks
> > objects directly in the asynchat channel object!

> One easy way would be to use the credentials to authenticate,
> but then remember who the user is with a session...

Unfortunately, I really want to keep the authentication object around, and
that object cannot be pickled.  Keeping the object means I can impersonate
the user on the server, which can be a very useful thing to do.  I was
struggling to store it anywhere "normal" due to the fact that it can't be
pickled.

In another mail:

> Check these challenge methods out:
>
> 0. WWW-Authenticate: Negotiate
> 1. WWW-Authenticate: Basic
> 2. WWW-Authenticate: NTLM
> 3. Redirecting to a login-page
> 4. Having an inline login-page
>
> It's hard to see any actual protocol definition that says "different
> protocols can not be mixed", since 0-2 can be mixed with 4,
> but they are not exactly the same protocol... unless you look at the
> response status.

I think that still works with Jim's idea.  Imagine a redirect based
challenger implemented like:

def challenge(self, request, response, protocol):
    if protocol is None:
        # No existing protocol - we prefer redirection
        response.redirect(login_page)
        return "redirect"
    elif protocol == "http":
        # HTTP challenger is above us in the list of plugins
        # Write the login page directly to the response body
        # (but no auth headers are set)
        set_login_body(response)
        return "http"
    # some other protocol we don't know about - do nothing.
    return protocol

An alternative would be to simply adopt Jim's idea, but
s/protocol/response_code/ - i.e., the 'protocol' for HTTP based redirectors
could be 401.  This would clear up the semantics of who gets to set the
final response code (PAS itself could), but may also turn out to be less
flexible - there may be a case for having 2 different protocols, both of
which end up with a 401 response status, but which cannot be used together.

At this stage though, I'd be happy with either scheme!

Mark.
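The challenger-chaining scheme sketched in the mail above, worked through as an added example (editor's illustration, not code from the mail, from Jim, or from PAS itself). The Response class, the BasicChallenger/RedirectChallenger plugin names and run_challengers are assumptions made for the example; the point it shows is that the protocol token passed down the plugin list decides whether a later challenger cooperates (adds a login body to a 401) or stays out of the way (does not redirect over an HTTP challenge).

```python
# Added example: a minimal model of chained challenger plugins passing a
# "protocol" token, as sketched on the Zope-PAS list. All class and function
# names here are assumptions for illustration, not PAS APIs.

LOGIN_FORM = "<form action='/login' method='post'>...</form>"  # constructed sample body


class Response:
    """Stand-in for a Zope response object (constructed for this example)."""

    def __init__(self):
        self.status = 200
        self.headers = {}
        self.body = ""
        self.redirect_to = None

    def setHeader(self, name, value):
        self.headers[name] = value

    def setStatus(self, status):
        self.status = status

    def redirect(self, location):
        self.redirect_to = location
        self.status = 302

    def setBody(self, body):
        self.body = body


class BasicChallenger:
    """Issues WWW-Authenticate: Basic; its protocol token is 'http'."""

    def __init__(self, realm):
        self.realm = realm

    def challenge(self, request, response, protocol):
        if protocol is None or protocol == "http":
            # Either nobody has challenged yet, or another HTTP-header
            # challenger did; both are compatible with a 401 + header.
            response.setStatus(401)
            response.setHeader("WWW-Authenticate", f'Basic realm="{self.realm}"')
            return "http"
        # Some incompatible protocol (e.g. a redirect) already owns this response.
        return protocol


class RedirectChallenger:
    """The redirect-based challenger from the mail: prefers a redirect,
    but falls back to writing a login body when an HTTP challenge is already set."""

    def __init__(self, login_page):
        self.login_page = login_page

    def challenge(self, request, response, protocol):
        if protocol is None:
            # No existing protocol - we prefer redirection
            response.redirect(self.login_page)
            return "redirect"
        elif protocol == "http":
            # HTTP challenger is above us: add the login page as the 401 body,
            # but set no auth headers of our own.
            response.setBody(LOGIN_FORM)
            return "http"
        # Some other protocol we don't know about - do nothing.
        return protocol


def run_challengers(challengers, request, response):
    """Run the plugins in order, threading the protocol token through them."""
    protocol = None
    for plugin in challengers:
        protocol = plugin.challenge(request, response, protocol)
    return protocol


def challenge_basic_then_redirect():
    """Basic first: expect a 401 with a WWW-Authenticate header and an inline login body."""
    response = Response()
    protocol = run_challengers(
        [BasicChallenger("zope"), RedirectChallenger("/login")], {}, response)
    return protocol, response


def challenge_redirect_then_basic():
    """Redirect first: expect a 302 and no Basic header added on top of it."""
    response = Response()
    protocol = run_challengers(
        [RedirectChallenger("/login"), BasicChallenger("zope")], {}, response)
    return protocol, response


if __name__ == "__main__":
    for fn in (challenge_basic_then_redirect, challenge_redirect_then_basic):
        proto, resp = fn()
        print(fn.__name__, proto, resp.status, resp.headers, resp.redirect_to)
```

Reordering the two plugins is enough to change the outcome: with BasicChallenger first the redirector cooperates and the client gets a 401 carrying both the header and a login form; with the redirector first, BasicChallenger sees a protocol it does not recognise and leaves the 302 alone. That is the mixing rule from the mail expressed in code rather than in a protocol specification.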