[Zope-PAS] Challengers (and Zope 3)
Lennart Regebro
regebro at nuxeo.com
Thu Sep 30 05:45:44 EDT 2004
Jim Fulton wrote:
> Let me see if I can state this correctly and clearly. For
> lack of a better term, I'll say that there can be multiple
> protocols for making challenges. Examples of protocols include
> HTTP Authentication and Cookie-based authentication. There
> are undoubtedly other protocols, although I don't know of
> any off hand. ;) Generally, protocols are not compatible with
> each other. (This is hard to say for sure, but for the protocols
> we have, this is the case. :). Therefore, we don't want to issue
> challenges for multiple protocols.
>
> Before I go any further, does this sound right? Is the statement above
> sensible and correct?
>
> Can people think of any other *real* protocols?
The protocols I know of would be:
- Returning a login-page
- Redirecting to a login-page
- WWW-Authenticate
Which of these are possible to mix depends on client implementation. For
example, here we notice that you can't put a redirect header and
authenticate header in one response:
http://www.webmasterworld.com/forum88/4907.htm
The meta tag *might* work but that's kinda ugly.
However, having a WWW-Authenticate: NTLM and an in-place login page would
probably work, and might be desired so as not to have to fall back to the
insecure Basic Auth.
Having several WWW-Authenticate headers usually seems to work, just try
putting in several WWW-Authenticate: Basic headers. Yup, you'll get
several login dialogs. ;) But that may not be considered mixing protocols...
So, you might say that one might want to mix protocols. But "we"
shouldn't do that, that is, PAS should not try to do that, it gets too
complicated. It is instead up to each single challenge-plugin to decide
what to do.
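As an added illustration (not code from this thread or from PAS itself), the following Python builds each of the three challenge protocols listed above, plus the two mixes the post discusses (a redirect carrying a WWW-Authenticate header, and an NTLM challenge beside an in-place login form), and then models how a browser-like client reacts to each. The function names, the scheme preference order and the LOGIN_FORM body are assumptions made for the example; real browsers differ in detail (the post notes several Basic headers producing several dialogs).

```python
# Added example (not from the thread or from PAS): builds the challenge
# responses discussed above and models a browser-like client's reaction.
# Function names, SCHEME_PREFERENCE and LOGIN_FORM are assumptions.
from io import BytesIO
from http.client import parse_headers

# Constructed stand-in for the login page a challenge plugin would render.
LOGIN_FORM = b'<form method="post" action="/login">user/pass</form>'

# Client preference, strongest first (assumption; RFC 7235 tells clients to
# prefer the strongest scheme they support, real browsers vary).
SCHEME_PREFERENCE = ("Negotiate", "NTLM", "Digest", "Basic")


def challenge_login_page():
    """Protocol 1: hand back the login page in place."""
    return 200, [("Content-Type", "text/html")], LOGIN_FORM


def challenge_redirect(location="/login"):
    """Protocol 2: redirect to the login page."""
    return 302, [("Location", location)], b""


def challenge_www_authenticate(schemes):
    """Protocol 3: one WWW-Authenticate header per offered scheme."""
    return 401, [("WWW-Authenticate", s) for s in schemes], b""


def challenge_ntlm_with_form():
    """The mix suggested in the post: NTLM challenge plus an in-place form,
    so a client without NTLM still has a way in without offering Basic."""
    headers = [("WWW-Authenticate", "NTLM"), ("Content-Type", "text/html")]
    return 401, headers, LOGIN_FORM


def serialize(status, headers, body):
    """Turn (status, headers, body) into a raw HTTP/1.1 response."""
    reason = {200: "OK", 302: "Found", 401: "Unauthorized"}[status]
    lines = [f"HTTP/1.1 {status} {reason}"]
    lines += [f"{name}: {value}" for name, value in headers]
    lines += [f"Content-Length: {len(body)}", "", ""]
    return "\r\n".join(lines).encode("ascii") + body


def parse_response(raw):
    """Parse a raw response; repeated headers are kept individually."""
    fp = BytesIO(raw)
    status_line = fp.readline().decode("ascii").rstrip("\r\n")
    _version, code, _reason = status_line.split(" ", 2)
    msg = parse_headers(fp)  # reads up to and including the blank line
    return int(code), msg, fp.read()


def client_reaction(raw, supported=SCHEME_PREFERENCE, follow_redirects=True):
    """What a browser-like client does with one challenge response.

    Returns ("redirect", url), ("auth-dialog", scheme), ("render-body", body)
    or ("nothing", None).
    """
    code, msg, body = parse_response(raw)
    if 300 <= code < 400 and follow_redirects and msg["Location"]:
        # The redirect wins: a WWW-Authenticate header on it is never acted
        # on, which is why redirect + challenge header cannot be combined.
        return ("redirect", msg["Location"])
    challenges = msg.get_all("WWW-Authenticate") or []
    offered = [c.split(None, 1)[0] for c in challenges]
    for scheme in SCHEME_PREFERENCE:
        if scheme in offered and scheme in supported:
            return ("auth-dialog", scheme)
    # No usable scheme: the client falls through to rendering the body, so an
    # in-place form beside an NTLM challenge still works for such a client.
    if body:
        return ("render-body", body)
    return ("nothing", None)


def offers_basic(raw):
    """Downgrade check: True if Basic is among the offered schemes, i.e. a
    client may pick it and send the password in the clear."""
    _code, msg, _body = parse_response(raw)
    challenges = msg.get_all("WWW-Authenticate") or []
    return any(c.split(None, 1)[0] == "Basic" for c in challenges)


if __name__ == "__main__":
    cases = [("login page", challenge_login_page()),
             ("redirect", challenge_redirect()),
             ("NTLM + Basic", challenge_www_authenticate(["NTLM", 'Basic realm="zope"'])),
             ("NTLM + form", challenge_ntlm_with_form())]
    for name, resp in cases:
        raw = serialize(*resp)
        print(name, "->", client_reaction(raw), "| Basic offered:", offers_basic(raw))
```

Running it shows the two points the post makes: a 302 carrying a WWW-Authenticate header is simply followed, so the challenge is lost, while a 401 with an NTLM header and an in-place form gives an NTLM-capable client the dialog and a Basic-only client the form, without ever offering Basic.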