Hi there,

In Zope auth we have this cool (and I'm being serious here!) idea that authentication and authorisation are separate things. So I'm confused as to why an authorization failure returns a 401 and not a 403.

My understanding is as follows:

1. anonymous request comes in for url that is not anonymously viewable
2. zope replies with a 401 requesting authentication information
3. browser supplies previous request but with auth headers
4. zope authenticates user (see Sidnei's mail about this part)
5. zope authorizes user
5.1. auth succeeds, zope publishes object
5.2. auth fails, zope returns a 401

Now, 5.2 is where I have the problem, since raising unauthorized anywhere in Zope traditionally pops up a basic auth box rather than returning standard_error_message with a 403 response which, as time goes by, I'm starting to think is what should really happen.

The only reason I can think for the current behaviour is that it allows you to try another username/password if the current one doesn't have the correct level of authorization. Nowadays, most browsers allow you to drop basic auth headers, and for IE users, they can just fire up a new browser instance.

Out of interest, CookieCrumbler changes this behaviour by patching things; this is how Plone ends up behaving as I suggest above (although probably not returning a 403 as it should!)

This all leaves me with a few questions:

1. Should things change to work as I describe?

2. Is the above behaviour pluggable at all?

3. How does PAS handle failover from one authentication plugin to the next?

4. What kicks off the authentication process in Zope? Something being anonymously viewable or credentials being found in the request?

PS: I suspect the answer to 4 varies depending on the type of auth :-(

Simplistix - Content Management, Zope & Python Consulting
           - http://www.simplistix.co.uk
Zope-PAS mailing list
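The 401-for-challenge versus 403-for-authorization-failure split that steps 1 to 5.2 above describe, as an added illustration in plain Python (this is not Zope, PAS or CookieCrumbler code). The user table, the per-path role map and the `publish`/`authenticate`/`authorize` functions are constructed for this example:

```python
import base64
import hmac

# Constructed example data: username -> (password, roles held).
USERS = {"alice": ("wonderland", {"Member"}), "admin": ("hunter2", {"Manager"})}
# Constructed example data: path -> role required to view it (None = anonymous OK).
REQUIRED_ROLE = {"/public": None, "/members": "Member", "/protected": "Manager"}


def authenticate(headers):
    """Step 4: turn request credentials into a user, or None if there are none / they are bad."""
    scheme, _, param = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not param:
        return None
    try:
        user, _, pw = base64.b64decode(param, validate=True).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 payload
        return None
    record = USERS.get(user)
    if record is None or not hmac.compare_digest(record[0].encode(), pw.encode()):
        return None
    return user


def authorize(user, path):
    """Step 5: decide whether this (possibly anonymous) user may view the path."""
    role = REQUIRED_ROLE[path]
    return role is None or (user is not None and role in USERS[user][1])


def publish(path, headers):
    """Returns (status, response headers, body) for one request."""
    if path not in REQUIRED_ROLE:
        return 404, {}, "Not Found"
    user = authenticate(headers)
    if authorize(user, path):
        return 200, {}, "published %s for %s" % (path, user or "anonymous")
    if user is None:
        # Step 2: no usable credentials, so challenge the client for some.
        return 401, {"WWW-Authenticate": 'Basic realm="example"'}, "Unauthorized"
    # Step 5.2: a known user who lacks the role. No challenge: new credentials
    # are not what is missing, so the client gets 403 rather than another auth box.
    return 403, {}, "Forbidden"


def basic(user, pw):
    """Build the Authorization header a browser would send at step 3."""
    return {"Authorization": "Basic " + base64.b64encode(("%s:%s" % (user, pw)).encode()).decode()}
```

A wrong password is treated like no credentials (another 401 challenge), which is the one case where re-prompting for a username/password is actually the right response.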