[Zope-dev] question: forcing https for authentication

Oliver Bleutgen myzope@gmx.net
Thu, 16 Jan 2003 15:42:15 +0100


One thing that bothers me is that I cannot reliably (as in "in a generic 
way which always works") prevent users from sending their authentication 
unencrypted.
The only ideas I have to tackle this without modifying zope itself are

- customize all pages which need authentication to check for "https://" 
in one of the relevant REQUEST attributes and do a redirect if not.
- use apache with some magic to trigger redirection if it encounters 
authentication headers in the request.
- use apache with some rewrite magic to trigger redirection when a 
substring like "manage" is found in the request.

These alternatives are neither elegant nor really secure.

So I have skimmed through zope's (2.5.1) source and wonder if modifying 
HTTPResponse could work:

Change

def _unauthorized(self):
    realm=self.realm
    if realm:
        self.setHeader('WWW-Authenticate', 'basic realm="%s"' % realm, 1)

to

def _unauthorized(self):
    # "spam" stands for the absolute URL of the current request
    # ('http://...' or 'https://...'); I don't know yet where to get it.
    if spam[0:5] == 'https': # I wish I would know what to put here
        realm=self.realm
        if realm:
            self.setHeader('WWW-Authenticate', 'basic realm="%s"' % realm, 1)
    else:
        # 'http://host/...'[4:] is '://host/...', so prepend 'https'
        # (not 'https:') to get 'https://host/...'
        self.redirect('https' + spam[4:], lock=1) # or should we use setHeader?


My questions:
Is _unauthorized always called when authorization is needed, or are 
there more points which might set that header?
Can I get at the information I need to know if the request was via https 
at this point (i.e. the spam thing) or is there a better place in zope 
to do something I described?

Will redirection work here or might something overwrite the headers 
later on?
Is it possible to implement this via a monkey patch (or whatever this is 
called)?


Thanks,
oliver
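The following is an added example, not code from the post above and not Zope's own code: a stand-alone Python model of the "challenge over https, otherwise redirect" decision and of the monkey-patch mechanics. FakeResponse is a constructed stand-in for ZPublisher's HTTPResponse that mimics only setHeader() and redirect(..., lock=1); the request_url attribute is an assumption standing in for "the spam thing", i.e. whatever Zope exposes for the request URL at the point _unauthorized runs. It also assumes Zope sees the client's real scheme; with Apache terminating TLS in front and talking plain http to Zope, the URL Zope sees is http for every request. Note that the redirect only avoids a cleartext challenge: a browser that already has credentials for the realm sends them with the plain-http request before the server answers at all.

```python
# Added example: a constructed model of "only challenge for Basic auth over
# https, redirect to https otherwise", plus the monkey-patch step. Not Zope code.

class FakeResponse:
    """Constructed stand-in for ZPublisher's HTTPResponse (not the real class)."""

    def __init__(self, request_url, realm='Zope'):
        # Assumption: the absolute URL of the current request is available here.
        self.request_url = request_url
        self.realm = realm
        self.status = 200
        self.headers = {}
        self._locked_status = 0

    def setHeader(self, name, value, literal=0):
        self.headers[name] = value

    def redirect(self, location, lock=0):
        # Mimics Zope's redirect(): 302 + Location; lock=1 pins the status so
        # later publishing code does not overwrite it.
        self.status = 302
        self.setHeader('Location', location)
        self._locked_status = lock

    def _unauthorized(self):
        # Original behaviour: always emit the Basic challenge.
        # (In the stand-in the 401 status is set here; in Zope the caller sets it.)
        self.status = 401
        if self.realm:
            self.setHeader('WWW-Authenticate', 'basic realm="%s"' % self.realm, 1)


def https_equivalent(url):
    """Rewrite an http:// URL to https://, leaving https:// URLs unchanged."""
    if url.startswith('https://'):
        return url
    if url.startswith('http://'):
        return 'https://' + url[len('http://'):]
    raise ValueError('expected an absolute http(s) URL: %r' % (url,))


def _unauthorized_https_only(self):
    """Replacement for _unauthorized: challenge for credentials only over https."""
    if self.request_url.startswith('https://'):
        self.status = 401
        if self.realm:
            self.setHeader('WWW-Authenticate', 'basic realm="%s"' % self.realm, 1)
    else:
        # Plain-http request: send the browser to the same URL over https
        # instead of asking it to put a password on the wire in the clear.
        self.redirect(https_equivalent(self.request_url), lock=1)


def install_patch(cls=FakeResponse):
    """Monkey patch: keep the original method around and swap in the new one."""
    if not hasattr(cls, '_original_unauthorized'):
        cls._original_unauthorized = cls._unauthorized
        cls._unauthorized = _unauthorized_https_only
    return cls


def decide(url, realm='Zope'):
    """Run the patched response for one request URL; returns (status, headers)."""
    install_patch()
    resp = FakeResponse(url, realm)
    resp._unauthorized()
    return resp.status, dict(resp.headers)


if __name__ == '__main__':
    # Constructed sample URLs, one plain and one already over TLS.
    for url in ('http://zope.example/manage', 'https://zope.example/manage'):
        print(url, '->', decide(url))
```

The patch is applied by assignment on the class, which is what "monkey patch" means here: it takes effect for every instance created afterwards and needs no change to the module that defines the class. decide() shows the two outcomes side by side: a plain-http request gets a 302 to the https URL and no WWW-Authenticate header at all, while an https request gets the unchanged Basic challenge.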