Comment 1 for bug 332061

I think this is caused by the way authentication works: in 'normal' use basic-auth is enabled, which is triggered, when someone requests a page she is not authenticated to get. Somewhere in the publishing process (don't know where) then an exception is raised, which might be caught by the Zope publisher(?) and is turned into a basic-auth request by changing the HTTP status of the response. So an exception happens, but the user does not see it (instead the basic-auth-window pops up).

When WSGI comes in, then you can let exceptions of any kind be handled by another middleware in the pipeline which is, what deploy.ini does: it starts a separate middleware which cares for exceptions during requests.

When both things come together (basic-auth + debugger-middleware), then also this normally not seen Unauthorized exception is passed to the middleware and you get the debugging screen instead of the basic-auth pop-up. This behaviour is correct from the logical point of view.

What Michael recommended is to use the login page in that case, which as a public view does not raise any exceptions but also sets the cookies according to the entered credentials. Therefore it works, but basic-auth does not.

So much for the problem, as far as I understood it. Michael, you might be able to tell more about the dirty details. Is there a possibility to bypass the middleware for certain requests?