[Zope] passing HTTP basic auth info

Chris McDonough chris@iqgroup.com
Mon, 4 Oct 1999 05:30:24 -0400


I've established a user folder on my Zope installation which mirrors the
usernames and associated passwords of an NT domain (using smbUserFolder).
When a user wishes to enter the Zope site, they enter their NT username and
password.

In-house we also have an Exchange server that has Outlook Web Access
installed on it.

Currently, I have a link set up on one of our Zope pages that dumps the user
off into a logon screen for OWA... the user must then enter his username and
password (the same username and password -- again -- it's against the same
NT domain) in order to retrieve his mail.

I know it's probably possible to use the RESPONSE function within Zope to
insert the username into the HTTP header when he clicks on the link that
takes him to OWA.  But I don't see any documentation regarding the user's
password.

I know that it's generally considered a security misfeature to cache
cleartext passwords in memory or on disk, but since the password is just
base64'ed when it gets to Zope, Zope should already know it (assuming it
keeps it around somewhere).  And this would mean that I could pass the
password to OWA using a RESPONSE as well.  And since I could do this, it
would mean that I could save the user from having to enter his or her
password again when they click on a link to another HTTP-basic-auth
protected site which authenticates against the same user store, but which is
not in the same "Realm".  A nicety that users have come to expect.

Most CGI implementations won't let you do this.  MS Active Server Pages,
however, allow you free use of the authenticated user's password.

I'm wondering if Zope has such a (mis?)feature.  Alternately, if anyone has
any experience or ideas about how to do such a thing, please let me know.

Thanks!

Chris
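
The point in the message above, that a Basic-auth password arrives only base64-encoded and so can be recovered by whatever server-side code sees the header, shown as an added example that is not part of the original post and not Zope's own code. The function names and the sample credentials are hypothetical and constructed for illustration.

```python
import base64
import binascii
from typing import NamedTuple, Optional


class BasicCredentials(NamedTuple):
    username: str
    password: str


def parse_basic_auth(header_value: str) -> Optional[BasicCredentials]:
    """Decode the value of an Authorization header that uses the Basic scheme.

    Returns None when the value is not well-formed Basic auth.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None  # scheme names are case-insensitive; anything else is not ours
    try:
        # validate=True rejects characters outside the base64 alphabet
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        text = raw.decode("latin-1")  # older clients send ISO-8859-1
    # The user-id cannot contain ':', so split on the first one only;
    # any further colons belong to the password.
    username, sep, password = text.partition(":")
    if not sep:
        return None
    return BasicCredentials(username, password)


def redact_authorization(header_value: str) -> str:
    """Return a log-safe form of the header: scheme kept, credentials dropped."""
    scheme = header_value.strip().partition(" ")[0]
    return f"{scheme} [REDACTED]" if scheme else "[REDACTED]"


# Constructed sample: what a browser sends for user "jdoe", password "s3cr:et"
SAMPLE = "Basic " + base64.b64encode(b"jdoe:s3cr:et").decode("ascii")

if __name__ == "__main__":
    print(parse_basic_auth(SAMPLE))      # cleartext recovered with no key
    print(redact_authorization(SAMPLE))  # what should reach a log file
```

Decoding needs no key, so every hop and every log that records the raw header holds the cleartext password unless the value is redacted first.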