Sidnei da Silva wrote:
| Now, 5.2 is where I have the problem, since raising unauthorized
| anywhere in Zope traditionally pops up a basic auth box rather than
| returning standard_error_message with a 403 response which, as time goes
| by, I'm starting to think is what should really happen.

Yes! That too.

| 1. Should things change to work as I describe?

I would think so.

OK, but I would prefer more opinions on this, so moving to [EMAIL PROTECTED]


| 2. Is the above behaviour pluggable at all?

Not at all.

Should it be? Can it be without impacting on performance?

| 3. How does PAS handle failover from one authentication plugin to the next?

/me leaves slot for PAS experts to fill

...

| 4. What kicks off the authentication process in Zope? Something being
| anonymously viewable or credentials being found in the request?

I've been looking at BaseRequest.traverse(). Basically, it tries to
validate REQUEST._auth,

What does? And what does validate mean in this context?

being it set or not *wink* (when using

Right, and that was the source of the other thread?

CookieCrumbler this variable is set from the cookie value) and
that may result in a valid user or 'Anonymous User'.

Yeah, but how does CookieCrumbler stop a basic auth box being popped to the user when things aren't authorized?


| PS: I suspect the answer to 4 varies depending on the type of auth :-(

I don't think so.

CookieCrumbler vs Everything Else: I think it does...

Chris

--
Simplistix - Content Management, Zope & Python Consulting
           - http://www.simplistix.co.uk
_______________________________________________
Zope-PAS mailing list
Zope-PAS@zope.org
http://mail.zope.org/mailman/listinfo/zope-pas
