[Zope] NotFound (404) and Unauthorized (401) error page redirects

Jamie Heilman jamie@audible.transient.net
Mon, 2 Dec 2002 16:21:18 -0800


> I need some advice on how to create an Unauthorized (401) error page 
> redirect.

My advice is, don't.  Raising a 3xx in the handler for a 401 is
misleading, and as you found out, doesn't result in the behavior you
might expect.
 
> I've discovered how to create a NotFound (404) error page redirect by 
> adding the following code to the top of the "standard_error_message" 
> DTML method, which is located in the root folder...
> 
> <dtml-if "error_type=='NotFound'">
> <dtml-call expr="RESPONSE.redirect('/notfound.html', lock=1)">
> </dtml-if>

Don't do this either.

> However, when I replace 'NotFound' with 'Unauthorized' (--please DO NOT 
> try this on your production Zope server--), anyone who tries to log 
> into the Zope management interface (ZopeServer/manage) is redirected to 
> the unauthorized page.

Yep, that's how it's supposed to work.

When you require authentication to access a URI your web server will
respond to requests for that resource with a 401 Authorization
Required response.  That response is allowed to have a content body,
and when you use Apache's ErrorDocument directive you are defining
what you want that content to be.  Same thing applies for Zope,
whatever you want the content of a 401 to be, you must respond with.

<dtml-if expr="error_type == 'Unauthorized'">
 <html><head><title>401 Authorization Required</title></head><body>blah blah
 </body></html>
</dtml-if>

(obviously you can use DTML or TAL to reply with something more
complicated than static content)

Many browsers choose to capture the 401 response and delay showing it,
instead prompting for authentication and only finally showing the
actual content of the 401 once the user has decided to cancel the
authentication dialog.  By masking 4xx errors with 3xx redirects in
your error handler you're really creating more problems than you
solve.  Use the error handler to dole out the content to the client
directly, don't try to send the client elsewhere to go get it.

-- 
Jamie Heilman                   http://audible.transient.net/~jamie/
"Paranoia is a disease unto itself, and may I add, the person standing
 next to you may not be who they appear to be, so take precaution."
						-Sathington Willoughby
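
Added example, not part of the original message and not Zope code: a toy WSGI app that models the two error-handler styles discussed above, plus an in-process check that reports when a 401 or 404 is being hidden behind a redirect. The realm name, the /unauthorized.html path and all function names are assumptions made for illustration.

```python
from wsgiref.util import setup_testing_defaults

# Constructed values: realm "Zope" and /unauthorized.html are assumptions.
def make_app(redirect_errors):
    """Toy site: "/" is public, "/manage" needs credentials, the rest is missing."""
    def app(environ, start_response):
        path = environ.get("PATH_INFO", "/")
        authed = bool(environ.get("HTTP_AUTHORIZATION"))
        if path == "/" or (path == "/manage" and authed):
            start_response("200 OK", [("Content-Type", "text/plain")])
            return [b"ok"]
        if path == "/manage":
            status, page = "401 Unauthorized", "/unauthorized.html"
            headers = [("WWW-Authenticate", 'Basic realm="Zope"')]
        else:
            status, page, headers = "404 Not Found", "/notfound.html", []
        if redirect_errors:
            # Pattern from the thread: the client sees 302, never the 401/404,
            # so a browser is not prompted for credentials on /manage.
            start_response("302 Found", [("Location", page)])
            return [b""]
        # Recommended: keep the real status and send the error page as its body.
        body = ("<html><body>%s</body></html>" % status).encode("ascii")
        start_response(status, headers + [("Content-Type", "text/html")])
        return [body]
    return app

def probe(app, path):
    """Call the app in-process with a constructed request; no network needed."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"] = int(status.split()[0])
        seen["headers"] = {k.lower(): v for k, v in headers}
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body

def masked_errors(app):
    """List the error statuses an error handler is hiding behind a redirect."""
    findings = []
    status, headers, _ = probe(app, "/manage")
    if status != 401 or "www-authenticate" not in headers:
        findings.append("/manage: want 401 + WWW-Authenticate, got %d" % status)
    status, _, _ = probe(app, "/no-such-page")
    if status != 404:
        findings.append("/no-such-page: want 404, got %d" % status)
    return findings
```

masked_errors(make_app(True)) reports both paths, while masked_errors(make_app(False)) returns an empty list.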