Hi there,
In Zope auth we have this cool (and I'm being serious here!) idea that
authentication and authorisation are seperate things. So I'm confused as
to why an authorization failure returns a 401 and not a 403.
My understanding is as follows:
1. anonymous request comes in for url that is not anonymously viewable
2. zope replies with a 401 requesting authentication information
3. browser supplies previous request but with auth headers
4. zope authenticates user (see Sidnei's mail about this part)
5. zope authroizes user
5.1. auth succeeds, zope publishes object
5.2. auth fails, zope returns a 401
Now, 5.2 is where I have the problem, since raising unauthorized
anywhere in Zope traditionally pops up a basic auth box rather than
returning standard_error_message with a 403 response which, as time goes
by, I'm starting to think is what should really happen.
The only reason I can think for the current behaviour is that it allows
you to try another username/password if the current one doesn't have the
correct level of authorization. Nowadays, most browsers allow you to
drop basic auth headers, and for IE users, they can just fire up a new
browser instance.
Out of interest, CookieCrumbler changes this behaviour by patching
things, this is how Plone ends up behaving as I suggest above (although
probably not returning a 403 as it should!)
This all leaves me with a few questions:
1. Should things change to work as I describe?
2. Is the above behaviour pluggable at all?
3. How does PAS handle failover from one authentication plugin to the next?
4. What kicks off the authentication process in Zope? Something being
anonymously viewable or credentials being found in the request?
cheers,
Chris
PS: I suspect the answer to 4 varies depending on the type of auth :-(
--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk
_______________________________________________
Zope-Coders mailing list
Zope-Coders@zope.org
http://mail.zope.org/mailman/listinfo/zope-coders
In Zope auth we have this cool (and I'm being serious here!) idea that
authentication and authorisation are seperate things. So I'm confused as
to why an authorization failure returns a 401 and not a 403.
My understanding is as follows:
1. anonymous request comes in for url that is not anonymously viewable
2. zope replies with a 401 requesting authentication information
3. browser supplies previous request but with auth headers
4. zope authenticates user (see Sidnei's mail about this part)
5. zope authroizes user
5.1. auth succeeds, zope publishes object
5.2. auth fails, zope returns a 401
Now, 5.2 is where I have the problem, since raising unauthorized
anywhere in Zope traditionally pops up a basic auth box rather than
returning standard_error_message with a 403 response which, as time goes
by, I'm starting to think is what should really happen.
The only reason I can think for the current behaviour is that it allows
you to try another username/password if the current one doesn't have the
correct level of authorization. Nowadays, most browsers allow you to
drop basic auth headers, and for IE users, they can just fire up a new
browser instance.
Out of interest, CookieCrumbler changes this behaviour by patching
things, this is how Plone ends up behaving as I suggest above (although
probably not returning a 403 as it should!)
This all leaves me with a few questions:
1. Should things change to work as I describe?
2. Is the above behaviour pluggable at all?
3. How does PAS handle failover from one authentication plugin to the next?
4. What kicks off the authentication process in Zope? Something being
anonymously viewable or credentials being found in the request?
cheers,
Chris
PS: I suspect the answer to 4 varies depending on the type of auth :-(
--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk
_______________________________________________
Zope-Coders mailing list
Zope-Coders@zope.org
http://mail.zope.org/mailman/listinfo/zope-coders