I wrote:

I want to use pau, with session (cookie) based authentication. No basic authentication.

The problem is, when the pau is activated, the zope.manager defined in zcml seems to be no longer accessible, effectively locking me out of the zmi.

What I think is happening is the pau appends a prefix to the principal name, so that the principal, instead of being "zope.manager", becomes "prefixzope.manager", which has no permissions anywhere.

I think my choices are the following.

1. make pau always look (last) in principalRegistry and return a non-prefixed principal if found and validated 2. have my authentication plugin look in principalRegistry and assign the same roles for the principals found in principalRegistry, but with the pau prefix. This would happen when the plugin is created or on demand. 3. provide methods for my authentication plugin to generate an emergency user for one of its valid principals

Or did I miss something in the documentation that gets around this?

Apparently not? So, I am going to choose door #3. It should be pretty simple. The main hazard is getting it wrong, which will require some amusing spelunking with the debugger to deactivate the utility if there is anything important in the ZODB. On the good side, it will prep me for the next project, which I think will require ldap.

-Jim Washington

Zope3-users mailing list

Reply via email to