On Dec 8, 2005, at 10:58 AM, Sidnei da Silva wrote:

On Thu, Dec 08, 2005 at 10:11:46AM -0500, Gary Poster wrote:
| ...

Sounds good to me.


Only one issue that you should have in mind, and that has bitten me
several times with the Zope 2 PluggableAuthService is the following:

If you use the 'HTTPBasicAuthHelper' for login, that doesn't mean you
can use it for logout. That is especially true if you happen to use the
'CookieAuthHelper', which translates cookie-based credentials to http

What happens is that in PAS, if you call logout() it will call all
the 'ICredentialsReset' plugins; however, if the HTTPBasicHelper happens
to be one of those, it will raise an 'Unauthorized' exception, because
that's how you log someone out using http basic auth, and then two
things happen:

1. The cookie credentials don't get erased because of the Unauthorized
2. Any plugins that happened to be enabled for ICredentialsReset won't

Thanks: that is interesting, and answers some idle questions I had lying around in my head.

In the case of the Zope 3 pluggable auth, though, there are a number of reasons why this (currently) doesn't come into play. A particularly pertinent reason is that the default basic auth plug-in doesn't do the 'raise Unauthorized' trick--it just rolls over and plays dead (i.e., 'pass'). Logging out is effectively not available if you are logged in via the standard basic auth. This is a case in which you would not want to offer 'log out' in the UI (or you'd want to work out some other compromise).
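A small Python model of the two logout behaviours discussed in this thread, added here as an illustration (it is not PAS or Zope 3 code): a PAS-style logout() that walks the credential-reset plugins in order, once with a basic-auth helper that raises Unauthorized and once with a Zope 3 style helper that just passes. The class and function names are invented for the illustration.

```python
class Unauthorized(Exception):
    """Stand-in for Zope's Unauthorized exception."""


class CookieAuthHelper:
    """Cookie plugin: resetting credentials means deleting the auth cookie."""

    def __init__(self):
        self.cookies = {"__ac": "session-token"}  # constructed sample cookie

    def resetCredentials(self, request, response):
        self.cookies.pop("__ac", None)


class HTTPBasicAuthHelper:
    """Zope 2 style basic-auth plugin: 'logs out' by raising Unauthorized
    so the browser is challenged again and forgets its cached credentials."""

    def resetCredentials(self, request, response):
        raise Unauthorized("re-challenge the browser")


class PassiveBasicAuthHelper:
    """Zope 3 style basic-auth plugin: reset is a no-op ('pass')."""

    def resetCredentials(self, request, response):
        pass


def logout(plugins):
    """PAS-style logout: call every ICredentialsReset plugin in order.
    In the real chain the Unauthorized propagates; here it is caught and
    reported as a flag so the two scenarios can be compared."""
    for plugin in plugins:
        try:
            plugin.resetCredentials(None, None)
        except Unauthorized:
            return False  # later plugins never run
    return True


def run_scenarios():
    """Returns (cookie_left_zope2, cookie_left_zope3, completed_zope3)."""
    # Scenario 1: raising basic-auth helper registered before the cookie helper.
    cookie = CookieAuthHelper()
    logout([HTTPBasicAuthHelper(), cookie])
    cookie_left_zope2 = "__ac" in cookie.cookies   # True: cookie never erased

    # Scenario 2: no-op basic-auth helper in the same position.
    cookie = CookieAuthHelper()
    completed = logout([PassiveBasicAuthHelper(), cookie])
    cookie_left_zope3 = "__ac" in cookie.cookies   # False: cookie erased
    return cookie_left_zope2, cookie_left_zope3, completed
```

In scenario 2 the cookie is cleared but nothing makes the browser drop its basic-auth credentials, which is the "logout effectively not available" situation described above.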

