[Zope-dev] Securing login with SSL via RESPONSE?

Serguei Chabanov chabanovs@runbox.com
Mon, 18 Nov 2002 16:34:25 -0100


Hi,

I have read all the various documents and howtos regarding setting up Zope with Apache and SSL, and I set it up. I have two virtual servers, http and https, serving the same hierarchy of Zope objects. I would like to secure passwords by using SSL.

It is suggested everywhere I read that the protection should be done with RewriteRule or similar, by filtering URLs. For example, I use a RewriteRule match like ^manage(.*) and another to see if the protocol is insecure, to redirect such requests to the same URL but over https. Alternatively, I can use solutions like SSLAbsoluteURL to adjust the behaviour of absolute_url().

This, however, seems unsatisfactory. RewriteRules or URL base manipulation cannot guarantee that the site visitor would not run into a protected object. In this case, the server returns an "Unauthorized" response, the browser pops up the basic HTTP authorisation dialog, and login/password travel in the open.

Looking at the CookieCrumbler product, I realise that before anything gets published it "hijacks" the RESPONSE object and manipulates it, including removing "Unauthorized" and redirecting to a login form.

I hope somebody has time to answer two questions:

How legitimate would it be to do the same, but to make an external redirect via https? I understand that this might mean a lot of nasty things, including being locked out of Zope, but this can be dealt with, for example, by _emergency_user.

Assume I make a hypothetical SSLRedirect product, modelled on CookieCrumbler. There is no reasonable way to keep them in the same folder and make sure that SSLRedirect gets to the REQUEST/RESPONSE before CookieCrumbler, correct? I.e. such an SSLRedirect product would have to be in a subfolder relative to CookieCrumbler so that it gets traversed first.

Thanks in advance,

Regards,

Serguei
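The decision logic the post sketches for a hypothetical SSLRedirect product, as an added example that is not part of the original message and is not Zope or CookieCrumbler code. Zope's REQUEST/RESPONSE are stood in for by an absolute URL string (as Zope's REQUEST['URL'] would be) plus a (status, headers) pair, so the example runs stand-alone. The ^/manage pattern, the https port and the use of a 302 redirect are assumptions made for the example. It shows the point the post makes: a URL-pattern rule alone (what a RewriteRule can do) misses a protected object at an unlisted path, whereas intercepting the 401 before it reaches the browser catches it, so Basic credentials are only ever requested over https.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Added example modelling the "SSLRedirect" idea from the post; not Zope,
# CookieCrumbler or Apache code.  REQUEST/RESPONSE are replaced by a URL
# string and a (status, headers) pair so the logic runs stand-alone.

# URL-pattern rule mirroring the ^manage(.*) RewriteRule mentioned in the
# post.  The pattern is an assumption for this example.
FORCED_HTTPS_PATHS = [re.compile(r"^/manage")]

HTTPS_PORT = 443  # assumed: the https virtual server listens on the default port


def https_equivalent(url):
    """Return the same URL with the scheme switched to https.

    Any explicit http port (e.g. :8080) is dropped because the https
    virtual server is assumed to be on HTTPS_PORT.  Path and query string
    are preserved so the visitor lands on the object they asked for.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if HTTPS_PORT != 443:
        host = "%s:%d" % (host, HTTPS_PORT)
    return urlunsplit(("https", host, parts.path, parts.query, ""))


def needs_https(url, status):
    """Decide whether an http request must be bounced to https.

    Two triggers: (1) the path matches a forced pattern, which a RewriteRule
    can do by itself; (2) the response is about to be 401 Unauthorized,
    which a RewriteRule cannot see.  A 401 over http would make the browser
    send Basic credentials in the clear, so it is redirected instead.
    Requests already on https are left alone.
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        return False
    if any(p.match(parts.path) for p in FORCED_HTTPS_PATHS):
        return True
    return status == 401


def ssl_redirect(url, status, headers):
    """Rewrite a (status, headers) pair the way the hypothetical product would.

    Returns a new (status, headers) tuple.  When redirecting, the original
    WWW-Authenticate challenge is dropped so the answer cannot be taken for
    an authentication challenge; 302 is assumed here as the redirect status.
    """
    if not needs_https(url, status):
        return status, dict(headers)
    new_headers = {k: v for k, v in headers.items()
                   if k.lower() != "www-authenticate"}
    new_headers["Location"] = https_equivalent(url)
    return 302, new_headers


if __name__ == "__main__":
    # Constructed sample: a protected object at a path no RewriteRule lists
    # answers 401 over http.  The 401 trigger catches it anyway.
    print(ssl_redirect("http://www.example.org/private/report?year=2002",
                       401, {"WWW-Authenticate": 'basic realm="Zope"'}))
    # A public object over http is passed through untouched.
    print(ssl_redirect("http://www.example.org/index_html", 200,
                       {"Content-Type": "text/html"}))
```

The check only fires on absolute http URLs; a relative path has no scheme and is passed through, so anything feeding it must supply the full URL as Zope's REQUEST does. The lock-out risk the post raises is not addressed here: if the https virtual server is down, every 401 turns into a redirect to an unreachable host, which is exactly the case an emergency user account has to cover.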