AW: [Zope3-Users] Disabling authentication for resources

Roger Ineichen dev at projekt01.ch
Wed Jul 9 20:44:08 EDT 2008


Hi Andrew

> Subject: Re: [Zope3-Users] Disabling authentication for resources

[...]

I guess bypassing the authentication process is not supported for
zope.Public protected objects.
 
Zope does authenticate the user. And later it checks security
for the object based on that user (authorization).

zope.Public is correct for public access, but it doesn't mean
the user does not get authenticated. Remember, authentication and
authorization are two different things.

I'm not really sure. But I guess without authentication,
Zope doesn't know if even zope.Public is allowed for this
user, because you can deny permissions. But I'm also not sure,
without introspecting the code, if zope.Public can be set as deny.

Hope that gives some hints for digging deep into the internals
of IAuthentication. If you need a simpler implementation,
take a look at z3c.authenticator.


Regards
Roger Ineichen

> 
> On Tue, 2008-07-08 at 22:52 -0700, Shailesh Kumar wrote:
> > Did you try the resourceDirectory ZCML directive?
> >
> > <browser:resourceDirectory
> >     name="js"
> >     directory="resource/js"
> >     layer=".interfaces.IBatonSkin"
> >     />
> >
> > That way they don't need the authentication overhead.
> 
> Thanks for the replies, everyone. This is what I currently 
> have as an example of a resource I'm fetching:
> 
>   <resourceDirectory
>       name="ajs"
>       directory="ajs"
>       layer="vortex.layer.IVortexBrowserLayer"
>       permission="zope.Public"
>       />
> 
> But if I try to access one of these resources directly from the web,
> e.g.:
> 
> http://.../@@/ajs/gb_styles.css
> 
> I still get my authentication code being called. I've tracked 
> it down this far:
> 
> (zope.app.publication:zope.publication.py)
> 
>     def _maybePlacefullyAuthenticate(self, request, ob):
>         if not IUnauthenticatedPrincipal.providedBy(request.principal):
>             # We've already got an authenticated user. There's nothing to do.
>             # Note that beforeTraversal guarantees that user is not None.
>             return
>
>         if not ISite.providedBy(ob):
>             # We won't find an authentication utility here, so give up.
>             return
>
>         sm = removeSecurityProxy(ob).getSiteManager()
>
>         auth = sm.queryUtility(IAuthentication)
>         if auth is None:
>             # No auth utility here
>             return
>
>         # Try to authenticate against the auth utility
>         principal = auth.authenticate(request)  # <----- My PAU called here
>
> 
> Any ideas ?
> 
> Cheers, Andrew.
> 
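
A simplified model of the flow discussed in this thread, added as an example and not part of the original messages or of Zope's code: authentication runs for every request that reaches a site, and the permission check on the resource is a separate, later step. All class and function names are hypothetical, the credentials and the `example.Edit` permission are constructed, and zope.Public is modelled here as always granted.

```python
# Simplified model of the request flow; NOT Zope code.
# Every name below is a hypothetical stand-in.
PUBLIC = "zope.Public"


class Principal:
    def __init__(self, id, authenticated, grants=()):
        self.id = id
        self.authenticated = authenticated
        self.grants = set(grants)


class CountingAuth:
    """Stand-in for an IAuthentication utility (e.g. a PAU)."""

    def __init__(self, users):
        self.users = users  # constructed sample credentials -> principal
        self.calls = 0

    def authenticate(self, request):
        self.calls += 1  # counts how often the utility is consulted
        return self.users.get(request.get("credentials"))


def maybe_authenticate(request, ob, auth):
    """Mirrors the quoted method: the target's permission is never consulted."""
    if request["principal"].authenticated:
        return  # already authenticated, nothing to do
    if not ob.get("is_site"):
        return  # no authentication utility to be found here
    if auth is None:
        return  # no auth utility registered
    principal = auth.authenticate(request)
    if principal is not None:
        request["principal"] = principal


def authorized(permission, principal):
    """Authorization: a separate decision made per protected object."""
    return permission == PUBLIC or permission in principal.grants


def publish(request, site, resource, auth):
    request["principal"] = Principal("anonymous", authenticated=False)
    maybe_authenticate(request, site, auth)  # step 1: who is asking?
    allowed = authorized(resource["permission"], request["principal"])  # step 2
    return allowed, request["principal"].id
```

Because the utility is consulted even for public resources in this model, whatever it does has to be cheap and safe for anonymous requests.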


