zopefoundation / Products.PluggableAuthService

Pluggable Zope authentication / authorization framework

More than one challenge plugin without Challenge Protocol Chooser Plugin #48

Closed jugmac00 closed 5 years ago

jugmac00 commented 5 years ago

When configuring PAS (for the first time ever) I tried to run both cookie based auth and basic auth.

Depending on the order at "Challenge Plugins" either the one or the other worked - but they were not checked sequentially - which was the behaviour I expected after reading about PAS the first time (tests were done both with Chrome and Firefox on Ubuntu 18.04 - which in case of cookie based login set as first prio and sending credentials issued a warning about sending credentials without challenge - login did not work then).

Thinking about it again, it seems reasonable that the challenge mechanism either sends a response for basic auth or redirects to a login page.

The solution then was to create a "Challenge Protocol Chooser Plugin" instance and set cookie based auth for browser and basic auth for xml rpc lib (which is my use case).

Is there anything I overlook? Isn't it possible to have both methods active at the same time for the browser?

The old login system of my legacy system, which uses SimpleUserFolder/CMFCore/CookieCrumbler, worked with cookie based login for browser and basic auth for xml rpc lib out of the box, without configuring.

Either way - the documentation should be updated - I just wait for feedback, as I may overlook something.

@icemac @dataflake @tseaver @pbauer @mauritsvanrees

d-maurer commented 5 years ago

Jürgen Gmach wrote at 2019-8-14 00:05 -0700:

When configuring PAS (for the first time ever) I tried to run both cookie based auth and basic auth.

Depending on the order at "Challenge Plugins" either the one or the other worked - but they were not checked sequentially - which was the behaviour I expected after reading about PAS the first time (tests were done both with Chrome and Firefox on Ubuntu 18.04 - which in case of cookie based login set as first prio and sending credentials issued a warning about sending credentials without challenge - login did not work then).

Thinking about it again, it seems reasonable that the challenge mechanism either sends a response for basic auth or redirects to a login page.

The solution then was to create a "Challenge Protocol Chooser Plugin" instance and set cookie based auth for browser and basic auth for xml rpc lib (which is my use case).

Is there anything I overlook? Isn't it possible to have both methods active at the same time for the browser?

This is not possible.

The challenge plugin initiates a user (client) interaction. Which one must be decided before the challenge happens. Whether a challenge succeeds can only be determined in a follow-up request (after the user interaction). Therefore, for the challenge operation, you cannot have a chain of candidates which are tried until one succeeds.

You can think of it this way: as a user, you want to see either a browser login request (as response to a basic HTTP challenge) or a login form (as response to the cookie challenge) but you do not want to see both.
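A simplified model of the dispatch described above, added here as an illustration and not PAS's own code: the first challenge plugin that issues a challenge fixes the protocol for that response, so a plugin of another protocol is never consulted, and only a chooser that maps the request type to a protocol lets a browser and an XML-RPC client receive different challenges. The two plugin classes, the request-type sniffing rule and the `chooser` mapping are assumptions for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    headers: dict
    method: str = "GET"

@dataclass
class Response:
    status: int = 200
    headers: dict = field(default_factory=dict)

class HTTPBasicChallenger:
    # Stand-in for the HTTP Basic challenge plugin: ask the client for credentials.
    protocol = "http"
    def challenge(self, request, response):
        response.status = 401
        response.headers["WWW-Authenticate"] = 'Basic realm="Zope"'
        return True  # a challenge was issued

class CookieChallenger:
    # Stand-in for the cookie auth helper: redirect to a login form instead.
    protocol = "cookie"
    def challenge(self, request, response):
        response.status = 302
        response.headers["Location"] = "/login_form"
        return True

def sniff_request_type(request):
    # Assumed sniffing rule: an XML-RPC call is a POST carrying a text/xml body.
    ct = request.headers.get("Content-Type", "")
    return "XML-RPC" if request.method == "POST" and ct.startswith("text/xml") else "Browser"

def unauthorized(request, challengers, chooser=None):
    # `chooser` maps a request type to the protocols allowed for it (the chooser
    # plugin's job). Without it, the first plugin that challenges fixes the protocol
    # for this response and every plugin of another protocol is skipped: the chain
    # cannot be "tried in turn", because success is only known on the next request.
    response = Response()
    allowed = None if chooser is None else chooser.get(sniff_request_type(request), ())
    chosen = None
    for plugin in challengers:
        if allowed is not None and plugin.protocol not in allowed:
            continue
        if chosen is not None and plugin.protocol != chosen:
            continue
        if plugin.challenge(request, response):
            chosen = plugin.protocol
    return response
```

With `chooser={"Browser": ("cookie",), "XML-RPC": ("http",)}` the browser is redirected to the login form while the XML-RPC client gets a 401 with a Basic challenge; without a chooser, whichever plugin is listed first wins for every client.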

jugmac00 commented 5 years ago

Thank you, @d-maurer.

I will update the documentation once #49 is fixed and I find some time.