I had to deal with this at some point and I wrote a PAS multiplugin that
implemented the "unauthorized" method (forget which interface that
belongs to)... here it is along with a helper method to figure out if a
request came from a DAV client:

        """ Override cookieauthplugin unauthorized to deal properly
        with DAV requests """
        req = self.REQUEST
        resp = req['RESPONSE']
        # If we set the auth cookie before, delete it now.
        # DAV clients/EE can't deal with form-based auth, so
        # we give them a basic auth 401 response code
        realm = resp.realm
        'basic realm="%s"' % realm)
        m = "You are not authorized to access this resource."
        m = m + '<p>\nUsername and password are not
        m = m + '<p>\nNo Authorization header found.'
        # Redirect if desired.
        url = self.getLoginURL()
        if url is not None:
            came_from = req.get('came_from', None)
            if came_from is None:
                came_from = req.get('URL', '')
                query = req.get('QUERY_STRING')
                if not query.startswith('?'):
                    query = '?' + query
                came_from = came_from + query
            # If came_from contains a value it means the user
            # must be coming through here a second time
            # Reasons could be typos when providing credentials
            # or a redirect loop (see below)
            req_url = req.get('URL', '')
            if req_url and req_url == url:
                # Oops... The login_form cannot be reached by the
                # it might be protected itself due to
                # the only sane thing to do is to give up because we
                # in an endless redirect loop.
            url = url + '?came_from=%s' % quote(came_from)
        # Could not challenge.

    def isDAVRequest(self, request):
        method = request.get('REQUEST_METHOD', 'GET')
        if method in DAV_METHODS:
        if request.maybe_webdav_client and not method in ('GET',
        useragent = request.get_header('User-Agent') or ''
        for agent in DAV_USERAGENTS:
            if useragent.find(agent) != -1:

On Thu, 2005-08-11 at 15:46 -0300, Sidnei da Silva wrote:
> So, leaving other issues aside *wink*, I'm now puzzled by the challenge
> code in PAS. It looks like there was some attempt at distinguishing
> challenging by some sort of 'protocol', but it leaves a lot to be
> desired, or I don't understand how it's supposed to work.
>
> The problem I'm facing now is that using the Cookie Auth plugin
> effectively breaks WebDAV (and possibly FTP and XML-RPC), because as
> soon as the Cookie Auth plugin is hit on challenge, it does a redirect
> to the login form.
>
> Changing the Cookie Auth to come after Basic Auth doesn't help either,
> as then instead of a browser client being directed to the login form
> it gets a basic auth dialog instead.
>
> Is it possible that nobody noticed this yet? Or is it just me not
> getting enough sleep last night?

Zope-PAS mailing list
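
Added example (not part of the original message and not PAS code): a standalone Python 3 model of the challenge selection discussed in this thread, where DAV clients get an HTTP Basic 401 and browsers get a redirect to the login form with a loop guard. The function names, the `DAV_METHODS` and `DAV_USERAGENTS` values, the `/login_form` URL and the realm are assumptions for illustration.

```python
from urllib.parse import quote

# Constructed sample values; the post does not show the plugin's own lists.
DAV_METHODS = frozenset({"PROPFIND", "PROPPATCH", "MKCOL", "COPY",
                         "MOVE", "LOCK", "UNLOCK"})
DAV_USERAGENTS = ("cadaver", "davfs2", "Microsoft-WebDAV-MiniRedir")


def is_dav_request(method, user_agent):
    """Guess whether the client is a WebDAV tool rather than a browser.

    Both inputs are client-controlled, so this only selects the style of
    challenge; it must never be used to grant or deny access.
    """
    if method.upper() in DAV_METHODS:
        return True
    agent = (user_agent or "").lower()
    return any(marker.lower() in agent for marker in DAV_USERAGENTS)


def choose_challenge(method, user_agent, url, query="", came_from=None,
                     login_url="/login_form", realm="Zope"):
    """Return (status, headers) for an unauthenticated request, or None."""
    if is_dav_request(method, user_agent):
        # DAV clients cannot fill in an HTML form: answer with HTTP Basic.
        return 401, {"WWW-Authenticate": 'basic realm="%s"' % realm}
    if came_from is None:
        # First pass: remember where the browser was trying to go.
        came_from = url
        if query:
            came_from += query if query.startswith("?") else "?" + query
    elif url == login_url:
        # Second pass and the login form itself needs auth: redirecting
        # again would loop forever, so give up on challenging.
        return None
    # Percent-encode everything so came_from stays a single parameter.
    location = login_url + "?came_from=" + quote(came_from, safe="")
    return 302, {"Location": location}
```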