Mixing cookie based auth with HTTP basic auth?

We have a special usecase where we want to authenticate a mobile app against Plone using HTTP basic auth.

Traditionally Plone uses cookie based authentication. The challenge PAS plugin is configured out of the box
with credentials_cookie_auth and credentials_basic_auth. So cookie based authentication is the default site.

Is there a way to force basic auth for a particular browser view?

Just send the basic auth header and you should be fine

Nope...this approach works for requests the top-level acl_users folder inside the Zope root but not for the Plone acl_users folder...this was my first expectation too.

curl -u user1:user1 http://localhost:8080/Plone/en/private-doc works for me with a Plone acl_users user and a private doc.
Could it be that you have an (invalid) __ac cookie somehow?

Another approach could be to make the view public and check by hand. Stupid, but would work.

Are you talking about accepting a with header or the act of popping up a basic auth password entry box (challenge plugin)?
Pas will always choose the top challenge plugin but will try all auth plugin until one works.

If the latter then you could create a new challenge pas plugin that does a basic auth challenge only certain circumstances (such as something in the request) and ensure its top.

cool trick. Unrelated to the main thread but this could fail if addressed to a Plone server behind a cache server like Varnish for Ansible Plone, because of:

    # Don't allow basic auth via this route.
    # If you want to login at the Zope root, use an ssh tunnel.
    if (req.http.Authorization) {
        unset req.http.Authorization;

if one can address the server on the 8080 port it will work with Ansible Plone, because then it will bypass Varnish.
Just nit picking of course but that's a trap for the unwary

Doubly so as the intended way to use plone.restapi will not work in such a setup.

err... why actually ? plone.restapi does not require basic auth AFAIK.