On Jul 10, 2008, at 6:47 AM, andrew wrote:

On Thu, 2008-07-10 at 02:44 +0200, Roger Ineichen wrote:
I guess bypassing the authentication process is not supported for
zope.Public protected objects.

Zope does authenticate the user. And later it checks security
for the object based on that user (authorization).

zope.Public is correct for public access, but it doesn't mean
the user does not get authenticated. Remember authentication and
authorization are two different things.

I'm not really sure. But I guess without authentication,
Zope doesn't know if even zope.Public is allowed for this
user because you can deny permissions. But I'm also not sure,
without introspecting the code, if zope.Public can be set as deny.

Hope that gives some hints for digging deep into the internals
of IAuthentication. If you need a simpler implementation,
take a look at z3c.authenticator.

That's great, thanks Roger. That's a good point that authentication and
authorization are different things. So, it would seem that there's no
easy way to avoid the authentication process altogether, so I'll just
hope that the overhead is not too great :-)

We have a special IAuthentication plugin that accepts regular expressions for public URLs. If the regex matches, we just return None in authenticate - so the principal is the anonymous user. No principal lookup needs to be done.

Sorry, the code is not open source, but it should be easy to implement.

cheers, bernd

Cheers, Andrew.

Zope3-users mailing list
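
A sketch of the regex-based shortcut described in the last reply, as an added example that is not part of the original thread and is not the poster's code. It is plain Python that only mirrors the authenticate(request) shape; the class names, the `delegate` object and the `request.path` attribute are assumptions. It matches each pattern against the whole canonical path, so a request that merely starts with a public prefix still goes through the normal principal lookup.

```python
import posixpath
import re
from urllib.parse import unquote


class PublicURLAuthentication:
    """Skip principal lookup for paths that match a public-URL pattern.

    Hypothetical wrapper: `delegate` is any object with authenticate(request),
    and `request.path` is assumed to hold the raw URL path.
    """

    def __init__(self, delegate, public_patterns):
        self.delegate = delegate
        self.patterns = [re.compile(p) for p in public_patterns]

    @staticmethod
    def canonical_path(raw_path):
        # Decode percent-escapes once, then collapse ".", ".." and repeated
        # slashes so the pattern is tested against the path actually served.
        decoded = unquote(raw_path)
        return posixpath.normpath("/" + decoded.lstrip("/"))

    def is_public(self, raw_path):
        path = self.canonical_path(raw_path)
        # fullmatch: a pattern must cover the whole path, not just a prefix.
        return any(p.fullmatch(path) for p in self.patterns)

    def authenticate(self, request):
        if self.is_public(request.path):
            # None means "anonymous"; permission checks still run afterwards.
            return None
        return self.delegate.authenticate(request)


# Constructed stand-ins for the real request and authentication utility.
class Request:
    def __init__(self, path):
        self.path = path


class CountingDelegate:
    def __init__(self):
        self.calls = 0

    def authenticate(self, request):
        self.calls += 1
        return "principal:alice"
```

The canonicalisation here is an assumption about how paths are resolved; it has to agree with what the publisher actually traverses, otherwise the pattern and the served object can differ.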
