ZMI and WebDav

[georgpfolz]

I'm relatively new to PAS (having used CookieCrumbler standalone for a long time) and I'm currently using the Cookie Auth Helper Plugin as well as the Delegating Multi Plugin for authentication on a website.

While everything works fine in the website, I have massive problems in my workflow in the ZMI and with WebDav ("too many HTTP redirects").

Is there an easy way to disable PAS for the ZMI? Currently I'm just Cutting/Pasting it away if I have some work to do.

Same question for WebDav. I already tried using a Challenge Protocol Chooser Plugin with a HTTP Basic Auth Helper, but this didn't help.

[dataflake]

WebDAV, being used mostly for command-line interaction, cannot work with the login page the cookie authentication wants to throw up. That's the redirect you keep seeing. So you have to make sure that WebDAV requests use basic HTTP authentication only.

A prerequisite for all this is having Zope listen on a dedicated port for WebDAV requests, scroll down on https://zope.readthedocs.io/en/latest/operation.html#zope-configuration-reference to the setting webdav_source_port for explanation. Your WSGI server must then be configured to also opening a listening socket on that same port, and all WebDAV access must use that port.

The following works for me in a setup where I have a standard user folder at the root (for ZMI access) and a PAS in the subfolder that represents my main application. I am sure this can be made to work with a single PAS at the root as well with minor changes:

• add and activate a Request Type Sniffer Plugin
• add a HTTP Basic Auth Helper and only activate it for Challenge
• add and activate a Challenge Protocol Chooser Plugin. Configure it to only use the HTTP Basic Auth Helper for WebDAV. In my case it uses the cookie based plugin for Browser so all application users see the login page.

[georgpfolz]

@dataflake thank you so much for having taken the time to answer my questions!

I'm having a standard user folder at the root and a PAS in my application, so this is exactly my situation as well.

I was not aware that I needed the Request Type Sniffer Plugin for the Challenge Protocol Chooser to work. And I also was unsure which functionality to activate on the HTTP Basic Auth Helper.

So far it works perfectly!

[georgpfolz]

Unfortunately I have still the issue "too many HTTP redirects" when using WebDav. This error doesn't show up immediately, usually it's after some 2 or 3 successfull saves.

Interestingly this error shows up immediately if I try to connect with WebDav to a path under the PAS object, in this case the connection is not established in the first place.

Here's what I have:

• a Cookie Auth Helper with all functionality activated
• a HTTP Basic Auth Helper with only "Challenge" activated
• a Request Type Sniffer Plugin (activated)
• a Challenge Protocol Chooser Plugin, WebDav set to "http"
• a Delegating Multi Plugin "system_users" with delegate_path: "/acl_users". ("Authentication" and "Roles" activated)
• some other Delegating Multi Plugins with other delegate paths ("Authentication" and "Roles" activated)

Did I miss something important?

[dataflake]

This works for me without issue using the cadaver command line client, including the specific case where I connect immediately to a path within the scope of the PAS and edit something there.

I don't use any delegating multi plugins. If authentication doesn't work at the PAS level it automatically defers to the next user folder up the chain, which is the standard user folder in the root.

I use the plugins described earlier, a custom plugin that handles authentication with cookies and login page, and regular ZODB user managers and ZODB role managers to store users and roles.

[dataflake]

P.S.: This is on Zope 4.4.2 and PluggableAuthService 2.4.

Your description doesn't contain enough details for diagnosing this further. I haven't heard confirmation that you are indeed connecting only to the dedicated configured port for WebDAV and how all those plugins are configured in detail.

[georgpfolz]

I'm also on Zope 4.4.2 (Python 3.8) and PluggableAuthService 2.4.

Yes, of course I'm using a dedicated port for webdav, otherwise the downloaded files are the "rendered" versions.

Maybe the Delegating Multi Plugins are the issue, I need one for my website's users (I have my own user class) and with at least one DMP in use it does not seem to defer to the next user folder up the chain anymore.

Thank you for your comments, I'll do some more testing and I'm considering switching to the ZODB user manager and ZODB role manager.

[georgpfolz]

In the meantime I've switched to the ZODB user manager and ZODB role manager (and eliminated the Delegating Multi Plugins), but the problem persists. I circumvented the frequent login screens in the ZMI by creating a Manager User in the PAS, but I'm still not able to work with WebDav. It always seems to work at first but after several (sometimes only a few, sometimes quite many) successful saves I get those "too many HTTP redirects" errors.

When I configure the client with the path to the folder containing the PAS, I get the error right away and cannot connect at all.

I also already tried to do without Basic Auth Helper, Request Type Sniffer and Challenge Protocol Chooser. It seems to work a little longer but ultimately I always get the same errors.

There is always the possibility that's somewhat related to my WebDav client (I'm using Forklift's on the Mac), so I'll try using other ones like cadaver.

Until I find a solution, I'll have to Cut/Paste the PAS away when I have remote work to do...

[dataflake]

Not much I can do, haven't been able to reproduce the issue locally.

[georgpfolz]

As so often, the problem was sitting right behind the keyboard...

I overlooked that the Challenge Protocol Chooser has to be activated like all the other plugins, updating the mapping was not enough.

Sorry for wasting your time but thank you for kindly trying to help!

[dataflake]

Glad it works - nothing is worse than a bug that cannot be reproduced where you will always wonder if there's a real issue or not.