<div>Hi Gary,</div>
<div> </div>
<div>You are absolutely right. I didn't know zope wan't maintan the connections. If this is the case, I can't implement something inside zope3 to support NTLM authentication. Maybe I should stick with apache to do the hard job for zope.
</div>
<div> </div>
<div>Thanks!</div>
<div>Simon<br><br> </div>
<div><span class="gmail_quote">On 9/13/06, <b class="gmail_sendername">Gary Poster</b> <<a href="mailto:gary@zope.com">gary@zope.com</a>> wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid"><br>On Sep 13, 2006, at 2:30 AM, Philipp von Weitershausen wrote:<br><br>> Simon Hang wrote:<br>>> Hi,
<br>>> I'm thinging to write a NTLM credential plugin for zope3. But as<br>>> I know, ntlm use 4-way handshake procedure, that means it needs<br>>> two round-trips between server(zope3) and client(browser).
<br>>> When I look in the credential plugins, it has challenge mothed.<br>>> But seems it is only design for 1 round-trip protocol. It can<br>>> issue one challenge, and return to parent script.<br>>
<br>> I don't see how the PAU only allows one "round-trip".<br><br>AIUI (I just looked up NTLM last night out of curiosity: see http://<br><a href="http://www.innovation.ch/personal/ronald/ntlm.html">www.innovation.ch/personal/ronald/ntlm.html
</a>), the problem is that the<br>4 way handshake has to happen *within a single connection*.<br>Apparently MS abuses HTTP to perform this. Implementing it in<br>pluggable auth made me scratch my head a bit, so I didn't reply. You
<br>would need to slurp the request, then push back to the response, then<br>slurp the same request again, then push back to the response, then<br>slurp one more time, and finally reply with the real request.<br>Describing the problem to Benji, he mentioned WSGI--that does seem
<br>like the only way I can imagine this working, and that would be<br>tricky enough, especially if you needed to reach into Zope for the<br>managed credentials. Once the WSGI plugin did its magic, it would<br>need to put something in the WSGI request that a pluggable auth
<br>plugin was willing to accept as authentication.<br><br>On the bright side, if you did this with WSGI you might be able to<br>offer this as a generic Python WSGI NTLM tool that required only<br>minimal integration with the back end app server.
<br><br>I'm glad I'm not tasked with this. :-D It sounds interesting,<br>though. Also, maybe I misunderstand: read the link if you want to<br>come up with your own interpretation.<br><br>Gary<br>_______________________________________________
<br>Zope3-users mailing list<br><a href="mailto:Zope3-users@zope.org">Zope3-users@zope.org</a><br><a href="http://mail.zope.org/mailman/listinfo/zope3-users">http://mail.zope.org/mailman/listinfo/zope3-users</a><br></blockquote>
</div><br>