On Sat, 9 Nov 2002, Grant K Rauscher wrote:
> > This is how the HTTP 1.1 specification requires it to be.
> > Your browser follows this spec.
> I understand the HTTP spec... but ZOPE does not work that way.
> I can use methods which require roles above where I logged in. The
> methods used for returning the roles themselves do not correlate with ZOPE's
> own actions. Therefore ZOPE has an internal inconsistency regarding user
> authentication with basic HTTP authorization.
Zope has one security policy (you are authed from the user folder
you appear in on down), but basic auth has a different one that
requires that the browser only *send* the auth credentials at the
folder you *log in at* and down. So if you've logged in at the
"below" location, and subsequently visit a location between the
user folder and the login point, the *browser* will not *send* the
auth credentials, so you are anonymous. If you then auth on that
new (higher) page, the browser will start sending the auth credentials.
PS: it seems to me that not all browsers obey this, or perhaps some
send the auth for the higher-level folders if challenged and, if it
works, don't prompt the user.
Zope-Dev maillist - [EMAIL PROTECTED]
** No cross posts or HTML encoding! **
(Related lists -
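To make the two policies in the reply above concrete, here is an added example (not code from the thread, from Zope, or from any browser) that models them side by side: a browser-side credential cache that follows the Basic-auth protection-space rule of RFC 2617 section 2 (credentials are reused only for paths at or below the directory where they were last accepted), next to a toy Zope-like server that identifies a user from the user folder for every path under it. The site layout (`/site/` as the user folder, `/site/docs/private/` as the protected area), the realm name, the user `alice` and her password are all constructed for the demonstration.

```python
"""
Toy model of the two policies described in the reply: the browser's
Basic-auth "protection space" (RFC 2617 section 2) versus a Zope-like
server that authenticates from its user folder on every request below it.
All paths, users and the realm are constructed for this example.
"""
from base64 import b64decode, b64encode
from typing import Optional

REALM = "Zope"
USER_FOLDER = "/site/"              # constructed: the acl_users folder lives in /site
USERS = {"alice": "s3cret"}         # constructed sample user folder contents


def protection_space(path: str) -> str:
    """Path prefix for which a browser may reuse credentials after a
    successful authentication at `path`: everything at or below the
    directory containing the request URI (RFC 2617 section 2)."""
    return path[: path.rfind("/") + 1] or "/"


class ZopeLikeServer:
    """Identifies the user from the user folder for every path under it, but
    only *challenges* on paths listed as protected; everything else renders
    for whoever the request identifies, Anonymous included."""

    def __init__(self, protected_prefixes):
        self.protected = tuple(protected_prefixes)

    def _identify(self, authorization: Optional[str]) -> str:
        if not authorization or not authorization.startswith("Basic "):
            return "Anonymous"
        try:
            name, _, pw = b64decode(authorization[6:]).decode().partition(":")
        except ValueError:  # bad base64 or non-UTF-8 credentials
            return "Anonymous"
        return name if USERS.get(name) == pw else "Anonymous"

    def get(self, path: str, authorization: Optional[str]):
        """Return (status, headers, user_as_seen_by_the_server)."""
        user = self._identify(authorization) if path.startswith(USER_FOLDER) else "Anonymous"
        if path.startswith(self.protected) and user == "Anonymous":
            return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, None
        return 200, {}, user


class Browser:
    """Credential cache keyed by realm, holding the protection spaces learned
    from successful authentications. Credentials are sent preemptively only
    inside a learned space."""

    def __init__(self, server, username, password):
        self.server = server
        self._auth = "Basic " + b64encode(f"{username}:{password}".encode()).decode()
        self._spaces: dict[str, set[str]] = {}

    def _preemptive(self, path: str) -> bool:
        return any(path.startswith(p) for ps in self._spaces.values() for p in ps)

    def get(self, path: str):
        """Return (status, user_seen_by_server, credentials_sent_preemptively)."""
        sent = self._preemptive(path)
        status, headers, user = self.server.get(path, self._auth if sent else None)
        if status == 401:
            realm = headers["WWW-Authenticate"].split('realm="', 1)[1].rstrip('"')
            # The user answers the prompt; retry with credentials and, on
            # success, remember this directory as part of the realm's space.
            status, headers, user = self.server.get(path, self._auth)
            if status == 200:
                self._spaces.setdefault(realm, set()).add(protection_space(path))
        return status, user, sent


def login_below_then_visit_above():
    """The situation in the reply: log in deep in the tree, then visit a
    folder between the user folder and the login point."""
    browser = Browser(ZopeLikeServer(["/site/docs/private/"]), "alice", "s3cret")
    return [(p,) + browser.get(p) for p in (
        "/site/docs/private/index_html",   # challenged here -> logs in
        "/site/docs/index_html",           # above the login point -> no creds sent
        "/site/docs/private/other",        # inside the learned space -> creds sent
    )]


def challenge_above_widens_space():
    """Authenticating at the higher folder adds it to the protection space,
    after which the browser sends credentials there too."""
    browser = Browser(ZopeLikeServer(["/site/docs/private/", "/site/docs/index_html"]),
                      "alice", "s3cret")
    return [(p,) + browser.get(p) for p in (
        "/site/docs/private/index_html",
        "/site/docs/index_html",           # challenged -> learns /site/docs/
        "/site/docs/other",                # now covered preemptively
    )]


if __name__ == "__main__":
    for step in login_below_then_visit_above() + challenge_above_widens_space():
        print(step)
```

The second step of `login_below_then_visit_above` is the case the reply describes: the server would happily identify `alice` from the user folder, but the browser never sends the header for `/site/docs/`, so the page renders as Anonymous. In `challenge_above_widens_space` the same visit is challenged instead, the browser learns `/site/docs/` as part of the realm's space, and from then on it sends credentials for siblings such as `/site/docs/other` as well. The model deliberately follows the RFC rule strictly; the PS in the reply notes that real browsers do not all behave identically here.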