On Jul 10, 2008, at 6:47 AM, andrew wrote:
On Thu, 2008-07-10 at 02:44 +0200, Roger Ineichen wrote:

I guess bypassing the authentication process is not supported for zope.Public protected objects. Zope does authenticate the user. And later it checks security for the object based on that user (authorization). zope.Public is correct for public access, but it doesn't mean the user does not get authenticated. Remember authentication and authorization are two different things. I'm not really sure. But I guess without authentication, Zope doesn't know if even zope.Public is allowed for this user because you can deny permissions. But I'm also not sure without introspecting the code if zope.Public can be set as deny. Hope that gives some hints for deep into the internals of IAuthentication. If you need a simpler implementation, take a look at z3c.authenticator.

That's great, thanks Roger. That's a good point that authentication and authorization are different things. So, it would seem that there's no easy way to avoid the authentication process altogether, so I'll just hope that the overhead is not too great :-)

we have a special IAuthentication plugin that accepts regular expressions for public urls, if the regex matches we just return None in authenticate - so the principal is the anonymous user. No principal lookup needs to be done.
sorry, but the code is not open-source, but it should be easy to implement
cheers, bernd

Cheers, Andrew.
_______________________________________________
Zope3-users mailing list
Zope3-users@zope.org
http://mail.zope.org/mailman/listinfo/zope3-users
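
The plugin bernd describes is not published, so the following is an added sketch of the idea and not his code or Zope's: an authenticator wrapper that returns None from `authenticate` when the request path matches a public-URL regex, and otherwise delegates to the real authenticator. It imports nothing from Zope; `StubRequest`, its `path` attribute and `CountingAuthenticator` are constructed stand-ins. Because a match only yields the anonymous principal, authorization still decides what that request may see; the patterns are matched against the whole normalised path so a public prefix does not silently cover other URLs.

```python
import posixpath
import re


class PublicURLAuthenticator:
    """Wraps another authenticator; skips the principal lookup on public URLs."""

    def __init__(self, inner, public_patterns):
        self.inner = inner
        self.public = [re.compile(p) for p in public_patterns]

    def is_public(self, path):
        # Normalise first so "/static/../manage" is matched as "/manage".
        normalised = posixpath.normpath("/" + path.lstrip("/"))
        # fullmatch: a pattern must cover the whole path, not a fragment of it.
        return any(p.fullmatch(normalised) for p in self.public)

    def authenticate(self, request):
        if self.is_public(request.path):
            return None  # no lookup; the caller falls back to the anonymous principal
        return self.inner.authenticate(request)


# --- constructed stand-ins for the demo, not Zope classes ---
class StubRequest:
    def __init__(self, path, credentials=None):
        self.path = path  # assumption: the request exposes its URL path here
        self.credentials = credentials


class CountingAuthenticator:
    """Pretends to do an expensive principal lookup and counts the calls."""

    def __init__(self, users):
        self.users = users
        self.lookups = 0

    def authenticate(self, request):
        self.lookups += 1
        return self.users.get(request.credentials)


def demo():
    inner = CountingAuthenticator({"secret-token": "principal.andrew"})
    auth = PublicURLAuthenticator(inner, [r"/static/.*", r"/favicon\.ico"])
    paths = ["/static/site.css", "/static/../manage", "/manage"]
    results = [auth.authenticate(StubRequest(p, "secret-token")) for p in paths]
    return results, inner.lookups
```
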