| Now, 5.2 is where I have the problem, since raising unauthorized anywhere in Zope traditionally pops up a basic auth box rather than returning standard_error_message with a 403 response which, as time goes by, I'm starting to think is what should really happen.
Yes! That too.
| 1. Should things change to work as I describe?
I would think so.
OK, but I would prefer more opinions on this, so moving to [EMAIL PROTECTED]
| 2. Is the above behaviour pluggable at all?
Not at all.
Should it be? Can it be without impacting on performance?
| 3. How does PAS handle failover from one authentication plugin to the next?
/me leaves slot for PAS experts to fill
...
| 4. What kicks off the authentication process in Zope? Something being anonymously viewable or credentials being found in the request?
I've been looking at BaseRequest.traverse(). Basically, it tries to
validate REQUEST._auth,
What does? And what does validate mean in this context?
being it set or not *wink* (when using
Right, and that was the source of the other thread?
CookieCrumbler it's this variable is set from the cookie value) and that may result in a valid user or 'Anonymous User'.
Yeah, but how does CookieCrumbler stop a basic auth box being popped to the user when things aren't authorized?
| PS: I suspect the answer to 4 varies depending on the type of auth :-(
I don't think so.
CookieCrumbler vs Everything Else: I think it does...
Chris
-- 
Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk