[Zope3-dev] Re: PAS vs pluggableauth

Tres Seaver tseaver at zope.com
Wed Sep 8 13:47:49 EDT 2004


Lennart Regebro wrote:

> I did PluggableUserFolder partly as a "Zope 3 exercise" to see what was 
> needed of an authentication service. What I learned was pretty much the 
> same things as you mentioned (and also that I needed more granularity in 
> my plugins, I needed special search plugins and special property plugins 
> and such). PAS, although not 100% mature yet (but going there fast) 
> solves all those issues.
> 
> The only issues I currently have standing are these:
> 
> 1. Currently, the challenge plugins can only create a challenge by 
> redirecting. This is because of a Zope2 limitation 
> (response.unauthorized is assumed to raise an exception) and is not a 
> problem with PAS itself.

Making 'response.unauthorized' *not* raise would break a bunch of 
third-party code.  In Zope3, the only way application code signals the 
same condition is to raise Unauthorized directly.

> Also, PAS will hook into _before_traverse_ do 
> support the challenge-mechanism.

That is at the service level (so that the service can guarantee that it 
has a crack at issuing the challenge).  The individual challenge plugins 
have a more focused responsibility:  they get handed the response 
object, and are supposed to scribble on it to cause the challenge to occur.

> That probably means that the challenge 
> interface for Zope2 PAS and Zope3 PAS may be different.

I don't think so.

> Other than that, 
> it would be possible to write plugins that work both in Zope 2 and Zope 
> 3, which would be a nice feature.

Sure.

> 2. We have a bit of a problem in matching the extracted credentials with 
> a particular user, because the extraction of credentials is done by one 
> plugin, the validation of the credentials by a second, and the 
> enumeration of users by a third.
> As it is just right now, the validation and enumeration plugin must be 
> the same. And since the validation and extraction plugins must 
> understand each other, they must basically ALSO be the same.

No, they need not.  The dependency is on the contents of the credentials 
extracted.  You could, for instance, use the same CookieAuth extractor 
with multiple authenticator plugins (we do this all the time).  The 
enumerator plugin can be separate from the authenticator, but must often 
have knowledge of the various authenticators (because the user ID 
depends on the authenticator).

> Which means 
> that extraction, validation and enumeration plugins must be the same. 
> Which means that you can't use LDAP with CAS, for example, unless you 
> write a CASwithLDAP plugin, which of course kills the whole idea of 
> having plugins in the first place. This needs to be resolved.

Not so.  For instance, we currently do shibboleth (for extraction / 
authentication) with LDAP (for user groups, properties, etc.).

> Other than that, PAS is fine, and I think moving it into Zope 3 is a 
> good idea. Although maybe you should help to get this last PAS issue 
> ironed out first, or wait for us to do it. ;)


Tres.
-- 
===============================================================
Tres Seaver                                tseaver at zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com
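The plugin separation Tres describes above (one extractor shared by several authenticators, an enumerator that is separate from the authenticators but knows how each one forms its user ids, and challenge plugins that mark the response rather than raising) can be seen in a small model. The following is an added illustration, not PAS code and not the real PAS interfaces: all class names, method names and the `__ac` cookie format are hypothetical, and the users and passwords are constructed sample data.

```python
# Added illustration (not PAS code): a minimal pluggable authentication
# service with separately pluggable extraction, authentication, enumeration
# and challenge steps. All class and method names are hypothetical.
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Request:
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    """Stand-in for the response object a challenge plugin scribbles on."""
    status: int = 200
    headers: dict = field(default_factory=dict)


class CookieExtractor:
    """Extraction plugin: pulls "login:password" out of a constructed __ac cookie."""

    def extract(self, request):
        raw = request.cookies.get("__ac", "")
        if ":" not in raw:
            return None
        login, password = raw.split(":", 1)
        return {"login": login, "password": password}


class PasswordAuthenticator:
    """Authentication plugin over a local password store. Several instances can
    share one extractor: the only coupling is the shape of the credential dict."""

    def __init__(self, plugin_id, users):
        self.plugin_id = plugin_id
        self._hashes = {login: self._digest(pw) for login, pw in users.items()}

    @staticmethod
    def _digest(password):
        return hashlib.sha256(password.encode()).hexdigest()

    def authenticate(self, credentials):
        login = credentials.get("login")
        expected = self._hashes.get(login)
        if expected is None or "password" not in credentials:
            return None
        if not hmac.compare_digest(expected, self._digest(credentials["password"])):
            return None
        # The user id is qualified by the plugin id, so it is unique across authenticators.
        return f"{self.plugin_id}:{login}", login

    def logins(self):
        return sorted(self._hashes)


class UserEnumerator:
    """Enumeration plugin kept separate from the authenticators, but aware of them,
    because the user id it reports must match the id an authenticator would return."""

    def __init__(self, authenticators):
        self._authenticators = authenticators

    def enumerate(self, login=None):
        found = []
        for auth in self._authenticators:
            for name in auth.logins():
                if login is None or name == login:
                    found.append({"id": f"{auth.plugin_id}:{name}", "login": name, "plugin": auth.plugin_id})
        return found


class BasicAuthChallenger:
    """Challenge plugin: writes the challenge onto the response instead of raising."""

    def __init__(self, realm):
        self.realm = realm

    def challenge(self, response):
        response.status = 401
        response.headers["WWW-Authenticate"] = f'Basic realm="{self.realm}"'
        return True


class AuthService:
    def __init__(self, extractors, authenticators, challengers):
        self.extractors = extractors
        self.authenticators = authenticators
        self.challengers = challengers

    def authenticate(self, request):
        """Return (user_id, login) from the first extractor/authenticator pair that agrees."""
        for extractor in self.extractors:
            credentials = extractor.extract(request)
            if not credentials:
                continue
            for auth in self.authenticators:
                result = auth.authenticate(credentials)
                if result:
                    return result
        return None

    def challenge(self, response):
        """Give each challenge plugin a crack at the response; stop at the first that takes it."""
        return any(plugin.challenge(response) for plugin in self.challengers)


def build_service():
    # Constructed sample data: two separate password stores behind one cookie extractor.
    staff = PasswordAuthenticator("staff", {"alice": "s3cret"})
    partners = PasswordAuthenticator("partners", {"bob": "hunter2"})
    service = AuthService([CookieExtractor()], [staff, partners], [BasicAuthChallenger("zope")])
    return service, UserEnumerator([staff, partners])
```

The point to notice is where the coupling actually sits: the extractor and the authenticators agree only on the keys of the credential dict, the two password stores never know about each other, and the enumerator builds ids the same way the authenticators do so that a lookup by login and a successful authentication name the same principal.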
