Feature: Exception to abort authentication

I'd be willing to merge a branch implementing this feature, assuming it
had really good test coverage for all the edge cases it creates.

I do not have write access to the zope repository. Are you also willing to accept a patch?

Having meanwhile implemented a plugin for SAML2 based authentication (--> "dm.zope.saml2"), I recognize that actually the second use case does not apply: it is very easy and efficient for an SAML2 authentication plugin to determine that there is no SAML2 authentication. The only expensive thing involved is the authentication process itself - introduced not by the authentication but the challenge plugin. This is already handled well by the existing framework.

This means that only the first use case remains -- and this is probably better handled by an extension of the `DomainAuthHelper` plugin to avoid domain based authentication when a higher level user folder can authenticate the user.

A colleague has implemented this feature for our simplified scenario where the root folder contains the only higher level user folder. It goes like this:

class RootUserFolderAwareDomainAuthHelper(DomainAuthHelper):
    ...
    def authenticateCredentials(self, credentials):
        if credentials['extractor'] != self.getId():
            return (None, None)
       # do not authenticate non "special" users recognized by the root folder. Special users have id `None`.
       if self.getPhysicalRoot().acl_users.validate(self.request).getId() is not None:
           # user recognized by root user folder
            return (None, None)
       return super(RootUserFolderAwareDomainAuthHelper, self).authenticateCredentials(credentials)

Thus, there is likely no need at all to change the framework. It might be helpful, however, to provide an option for the `DomainAuthHelper` plugin to become aware of higher up user folders as the current behaviour is likely to often cause headaches. But, if `PluggableAuthenticationService" does not directly support such an option, it is easy to implement it oneself.

> I do not have write access to the zope repository. Are you also willing
>to accept a patch?

Sure. I will also see about getting a Launchpad mirror set up for the code.

The bzr mirror is now available:

  $ bzr branch lp:zope-pas

gets you a writable checkout. You can then push your committed
changes to a branch under your Launchpad account, e.g.:

 $ bzr push lp:~dmaurer/zope-pas/bug_649596

(or whaver you'd like to call it). You can then link that branch
here to this issue.

I have pushed the extension to "lp:~d.maurer/zope-pas/NotCompetentPlugin".

The extension is slightly different than the ones previously described. It now defines an new plugin type "INotCompetentPlugin". Plugins of this type check whether the current user folder is competent to authenticate the current request or should delegate authentication to user folders higher up in the hiearchy. Consequently, such plugins are not used at the root user folder (as there are no higher up user folders). The extension implements one such plugin "NotCompetent_byRoles". It declares the user folder as not competent when a higher level user folder is able to authenticate the request without challenge and with a user having one of a set of specified roles. If not roles are specified, any user acceptable by the request will do.

Thanks very much for the patch. Merged to the trunk for a 1.9.0 release:

 http://svn.zope.org/Products.PluggableAuthService/trunk/?view=rev&rev=126497