Re: AW: [Zope3-Users] Disabling authentication for resources
On Jul 10, 2008, at 6:47 AM, andrew wrote:

> On Thu, 2008-07-10 at 02:44 +0200, Roger Ineichen wrote:
> > I guess bypassing the authentication process is not supported for
> > zope.Public protected objects.
> >
> > Zope does authenticate the user. And later it checks security
> > for the object based on that user (authorization).
> >
> > zope.Public is correct for public access, but it doesn't mean
> > the user does not get authenticated. Remember authentication and
> > authorization are two different things.
> >
> > I'm not really sure. But I guess without authentication,
> > Zope doesn't know if even zope.Public is allowed for this
> > user because you can deny permissions. But I'm also not sure,
> > without introspecting the code, if zope.Public can be set as deny.
> >
> > Hope that gives some hints for deep into the internals
> > of IAuthentication. If you need a simpler implementation,
> > take a look at z3c.authenticator.
>
> That's great, thanks Roger. That's a good point that authentication and
> authorization are different things. So, it would seem that there's no
> easy way to avoid the authentication process altogether, so I'll just
> hope that the overhead is not too great :-)

we have a special IAuthentication plugin that accepts regular expressions
for public urls, if the regex matches we just return None in authenticate -
so the principal is the anonymous user. No principal lookup needs to be done.

sorry, but the code is not open-source, but it should be easy to implement

cheers, bernd

> Cheers, Andrew.

___
Zope3-users mailing list
Zope3-users@zope.org
http://mail.zope.org/mailman/listinfo/zope3-users
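The plugin bernd describes (match the URL against a regex, then return None from authenticate) can be sketched as below. This is an added example, not bernd's code and not part of Zope; `PublicPathAuthenticator`, `CountingDelegate`, `request.url` and the pattern are assumptions, and the path is decoded and normalized before matching so that a `..` segment cannot borrow the public prefix.

```python
import posixpath
import re
from types import SimpleNamespace
from urllib.parse import unquote, urlsplit


class PublicPathAuthenticator:
    """Skips the wrapped authenticator when the URL path matches a public pattern."""
    # Assumed names: delegate = the site's real IAuthentication utility,
    # request.url = the publisher's request URL.

    def __init__(self, delegate, public_patterns):
        self.delegate = delegate
        self.patterns = [re.compile(p) for p in public_patterns]

    def is_public(self, url):
        # Decode and collapse "." / ".." first, so /@@/ajs/../x is judged
        # by the path it resolves to, not by its "/@@/ajs/" prefix.
        path = posixpath.normpath(unquote(urlsplit(url).path) or "/")
        # fullmatch: the pattern must cover the whole path, not a substring.
        return any(p.fullmatch(path) for p in self.patterns)

    def authenticate(self, request):
        if self.is_public(request.url):
            # None means "no principal found": the request stays anonymous
            # and authorization (e.g. zope.Public) still decides access.
            return None
        return self.delegate.authenticate(request)


class CountingDelegate:
    """Constructed stand-in for an expensive principal lookup."""
    calls = 0

    def authenticate(self, request):
        self.calls += 1
        return "principal-for:" + request.url


PUBLIC = [r"/@@/ajs/.+"]  # constructed pattern for the thread's resource dir


def demo():
    delegate = CountingDelegate()
    auth = PublicPathAuthenticator(delegate, PUBLIC)
    urls = ["http://example.test/@@/ajs/gb_styles.css",   # constructed URLs
            "http://example.test/@@/ajs/%2e%2e/private.js",
            "http://example.test/folder/edit.html"]
    results = [auth.authenticate(SimpleNamespace(url=u)) for u in urls]
    return results, delegate.calls
```

Only the first URL skips the principal lookup; the encoded `..` request resolves outside the resource directory and goes through the delegate like any other page.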
Re: AW: [Zope3-Users] Disabling authentication for resources
On Thu, 2008-07-10 at 02:44 +0200, Roger Ineichen wrote:
> I guess bypassing the authentication process is not supported for
> zope.Public protected objects.
>
> Zope does authenticate the user. And later it checks security
> for the object based on that user (authorization).
>
> zope.Public is correct for public access, but it doesn't mean
> the user does not get authenticated. Remember authentication and
> authorization are two different things.
>
> I'm not really sure. But I guess without authentication,
> Zope doesn't know if even zope.Public is allowed for this
> user because you can deny permissions. But I'm also not sure,
> without introspecting the code, if zope.Public can be set as deny.
>
> Hope that gives some hints for deep into the internals
> of IAuthentication. If you need a simpler implementation,
> take a look at z3c.authenticator.

That's great, thanks Roger. That's a good point that authentication and
authorization are different things. So, it would seem that there's no
easy way to avoid the authentication process altogether, so I'll just
hope that the overhead is not too great :-)

Cheers, Andrew.
Re: [Zope3-Users] Disabling authentication for resources
Hi,

I have a couple of the following settings in my etc\securitypolicy.zcml

I didn't use zope.Public on my resource directories. Still able to access
them. I use the older zope 3.3 zope instances.

Not sure if this helps you.

With regards,
- Shailesh

On Wed, Jul 9, 2008 at 5:44 PM, Roger Ineichen <[EMAIL PROTECTED]> wrote:
> Hi Andrew
>
> > Subject: Re: [Zope3-Users] Disabling authentication for resources
>
> [...]
>
> I guess bypassing the authentication process is not supported for
> zope.Public protected objects.
>
> Zope does authenticate the user. And later it checks security
> for the object based on that user (authorization).
>
> zope.Public is correct for public access, but it doesn't mean
> the user does not get authenticated. Remember authentication and
> authorization are two different things.
>
> I'm not really sure. But I guess without authentication,
> Zope doesn't know if even zope.Public is allowed for this
> user because you can deny permissions. But I'm also not sure,
> without introspecting the code, if zope.Public can be set as deny.
>
> Hope that gives some hints for deep into the internals
> of IAuthentication. If you need a simpler implementation,
> take a look at z3c.authenticator.
>
> Regards
> Roger Ineichen
>
> > On Tue, 2008-07-08 at 22:52 -0700, Shailesh Kumar wrote:
> > > Did you try the resourceDirectory ZCML directive?
> > >
> > > name="js"
> > > directory="resource/js"
> > > layer=".interfaces.IBatonSkin"
> > > />
> > > that way they don't need the authentication overhead.
> >
> > Thanks for the replies, everyone. This is what I currently
> > have as an example of a resource I'm fetching:
> >
> > name="ajs"
> > directory="ajs"
> > layer="vortex.layer.IVortexBrowserLayer"
> > permission="zope.Public"
> > />
> >
> > But if I try to access one of these resources directly from the web,
> > e.g.:
> >
> > http://.../@@/ajs/gb_styles.css
> >
> > I still get my authentication code being called. I've tracked
> > it down this far:
> >
> > (zope.app.publication:zope.publication.py)
> >
> > def _maybePlacefullyAuthenticate(self, request, ob):
> >     if not IUnauthenticatedPrincipal.providedBy(request.principal):
> >         # We've already got an authenticated user. There's nothing to do.
> >         # Note that beforeTraversal guarantees that user is not None.
> >         return
> >
> >     if not ISite.providedBy(ob):
> >         # We won't find an authentication utility here, so give up.
> >         return
> >
> >     sm = removeSecurityProxy(ob).getSiteManager()
> >
> >     auth = sm.queryUtility(IAuthentication)
> >     if auth is None:
> >         # No auth utility here
> >         return
> >
> >     # Try to authenticate against the auth utility
> >     principal = auth.authenticate(request)
AW: [Zope3-Users] Disabling authentication for resources
Hi Andrew

> Subject: Re: [Zope3-Users] Disabling authentication for resources

[...]

I guess bypassing the authentication process is not supported for
zope.Public protected objects.

Zope does authenticate the user. And later it checks security
for the object based on that user (authorization).

zope.Public is correct for public access, but it doesn't mean
the user does not get authenticated. Remember authentication and
authorization are two different things.

I'm not really sure. But I guess without authentication,
Zope doesn't know if even zope.Public is allowed for this
user because you can deny permissions. But I'm also not sure,
without introspecting the code, if zope.Public can be set as deny.

Hope that gives some hints for deep into the internals
of IAuthentication. If you need a simpler implementation,
take a look at z3c.authenticator.

Regards
Roger Ineichen

> On Tue, 2008-07-08 at 22:52 -0700, Shailesh Kumar wrote:
> > Did you try the resourceDirectory ZCML directive?
> >
> > name="js"
> > directory="resource/js"
> > layer=".interfaces.IBatonSkin"
> > />
> > that way they don't need the authentication overhead.
>
> Thanks for the replies, everyone. This is what I currently
> have as an example of a resource I'm fetching:
>
> name="ajs"
> directory="ajs"
> layer="vortex.layer.IVortexBrowserLayer"
> permission="zope.Public"
> />
>
> But if I try to access one of these resources directly from the web,
> e.g.:
>
> http://.../@@/ajs/gb_styles.css
>
> I still get my authentication code being called. I've tracked
> it down this far:
>
> (zope.app.publication:zope.publication.py)
>
> def _maybePlacefullyAuthenticate(self, request, ob):
>     if not IUnauthenticatedPrincipal.providedBy(request.principal):
>         # We've already got an authenticated user. There's nothing to do.
>         # Note that beforeTraversal guarantees that user is not None.
>         return
>
>     if not ISite.providedBy(ob):
>         # We won't find an authentication utility here, so give up.
>         return
>
>     sm = removeSecurityProxy(ob).getSiteManager()
>
>     auth = sm.queryUtility(IAuthentication)
>     if auth is None:
>         # No auth utility here
>         return
>
>     # Try to authenticate against the auth utility
>     principal = auth.authenticate(request)
Re: [Zope3-Users] Disabling authentication for resources
Hi All,

On Tue, 2008-07-08 at 22:52 -0700, Shailesh Kumar wrote:
> Did you try the resourceDirectory ZCML directive?
>
> name="js"
> directory="resource/js"
> layer=".interfaces.IBatonSkin"
> />
> that way they don't need the authentication overhead.

Thanks for the replies, everyone. This is what I currently have as an
example of a resource I'm fetching:

But if I try to access one of these resources directly from the web, e.g.:

http://.../@@/ajs/gb_styles.css

I still get my authentication code being called. I've tracked it down
this far:

(zope.app.publication:zope.publication.py)

def _maybePlacefullyAuthenticate(self, request, ob):
    if not IUnauthenticatedPrincipal.providedBy(request.principal):
        # We've already got an authenticated user. There's nothing to do.
        # Note that beforeTraversal guarantees that user is not None.
        return

    if not ISite.providedBy(ob):
        # We won't find an authentication utility here, so give up.
        return

    sm = removeSecurityProxy(ob).getSiteManager()

    auth = sm.queryUtility(IAuthentication)
    if auth is None:
        # No auth utility here
        return

    # Try to authenticate against the auth utility
    principal = auth.authenticate(request)
Re: [Zope3-Users] Disabling authentication for resources
On Tuesday 08 July 2008, andrew wrote:
> I've got a web application that uses pluggable authentication, but I
> don't want the overhead of authentication for public resources like CSS,
> javascript, images, etc. Is it possible to just disable authentication
> for a given resource? I tried just setting the permission to zope.View,
> but that didn't seem to make any difference.

You have to set the permission to zope.Public. It is a special permission
that, when seen, bypasses the security context lookup.

Regards,
Stephan
--
Stephan Richter
Web Software Design, Development and Training
Google me. "Zope Stephan Richter"
Re: [Zope3-Users] Disabling authentication for resources
Did you try the resourceDirectory ZCML directive?

that way they don't need the authentication overhead.

On 7/8/08, andrew <[EMAIL PROTECTED]> wrote:
>
> Hi All,
>
> I've got a web application that uses pluggable authentication, but I
> don't want the overhead of authentication for public resources like CSS,
> javascript, images, etc. Is it possible to just disable authentication
> for a given resource? I tried just setting the permission to zope.View,
> but that didn't seem to make any difference.
>
> Cheers, Andrew.
[Zope3-Users] Disabling authentication for resources
Hi All,

I've got a web application that uses pluggable authentication, but I
don't want the overhead of authentication for public resources like CSS,
javascript, images, etc. Is it possible to just disable authentication
for a given resource? I tried just setting the permission to zope.View,
but that didn't seem to make any difference.

Cheers, Andrew.