Good news. I believe I found a way to do NTLM 4-way handshake with
zope3 and using PAU's plugin. But I need to modify zope3's http server
a little bit, to let zope3 support HTTP/1.1 persistent connection.<br>
<br>
Currently I can <br>
1. send NTLM challenge<br>
2. receive NTLM type-1 message<br>
3. send NTLM type-2 message<br>
4. receive NTLM type-3 message.<br>
<br>
Only thing to do is decode type-3 message.<br>
<br>
My concern is I need to modify zope3's http server, althogh only add
several lines. Is there anybody can validate my modifcation and
implement the change in proper zope3's way?<br>
<br>
Currently I modified zope.server.http.httptask.HTTPTask, method
prepareResponseHeaders(). to let this function also check
accumulated_headers before decides to close the connection. Sorry, I
left the modified code in my other pc, can't post the detail.<br>
<br>
Anybody can help?<br>
<br>
Thanks,<br>
Simon<br><br><div><span class="gmail_quote">On 9/15/06, <b class="gmail_sendername">Simon Hang</b> <<a href="mailto:hangzhiyun@gmail.com">hangzhiyun@gmail.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div><div>Hi,</div>
<div> </div>
<div>Why zope3 can not maintain active connections? Is this because
zope3 is using asynchronous socket(asyncore.py) to serve the request?</div>
<div>Errr... why zope3 is doing this? Won't this method cause overhead?</div>
<div> </div>
<div>Sorry for lots of questions, but I don't understand.</div>
<div> </div>
<div>Thanks,</div></div><div><span class="sg">
<div>Simon<br><br> </div>
</span></div><div><div></div><div><span class="q"><span class="gmail_quote">On 9/13/06, <b class="gmail_sendername">Gary Poster</b> <<a href="mailto:gary@zope.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
gary@zope.com</a>> wrote:</span>
</span></div><div><span class="e" id="q_10db01e56db86280_4"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0px 0px 0px 0.8ex; padding-left: 1ex;"><br>On Sep 13, 2006, at 2:30 AM, Philipp von Weitershausen wrote:
<br><br>> Simon Hang wrote:<br>>> Hi,
<br>>> I'm thinging to write a NTLM credential plugin for zope3. But as<br>>> I know, ntlm use 4-way handshake procedure, that means it needs<br>>> two round-trips between server(zope3) and client(browser).
<br>>> When I look in the credential plugins, it has challenge mothed.<br>>> But seems it is only design for 1 round-trip protocol. It can<br>>> issue one challenge, and return to parent script.<br>>
<br>> I don't see how the PAU only allows one "round-trip".<br><br>AIUI (I just looked up NTLM last night out of curiosity: see http://<br><a href="http://www.innovation.ch/personal/ronald/ntlm.html" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
www.innovation.ch/personal/ronald/ntlm.html
</a>), the problem is that the<br>4 way handshake has to happen *within a single connection*.<br>Apparently MS abuses HTTP to perform this. Implementing it in<br>pluggable auth made me scratch my head a bit, so I didn't reply. You
<br>would need to slurp the request, then push back to the response, then<br>slurp the same request again, then push back to the response, then<br>slurp one more time, and finally reply with the real request.<br>Describing the problem to Benji, he mentioned WSGI--that does seem
<br>like the only way I can imagine this working, and that would be<br>tricky enough, especially if you needed to reach into Zope for the<br>managed credentials. Once the WSGI plugin did its magic, it would<br>need to put something in the WSGI request that a pluggable auth
<br>plugin was willing to accept as authentication.<br><br>On the bright side, if you did this with WSGI you might be able to<br>offer this as a generic Python WSGI NTLM tool that required only<br>minimal integration with the back end app server.
<br><br>I'm glad I'm not tasked with this. :-D It sounds interesting,<br>though. Also, maybe I misunderstand: read the link if you want to<br>come up with your own interpretation.<br><br>Gary<br>_______________________________________________
<br>Zope3-users mailing list<br><a href="mailto:Zope3-users@zope.org" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">Zope3-users@zope.org</a><br><a href="http://mail.zope.org/mailman/listinfo/zope3-users" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
http://mail.zope.org/mailman/listinfo/zope3-users</a><br></blockquote>
</span></div><div></div><br>
</div></blockquote></div><br>