[Zope] Zope security management

Bill Welch bill@carbonecho.com
Mon, 19 Mar 2001 12:07:05 -0500 (EST)


To achieve genuine security, you have to do something about the 'password
in the clear' problem.

part 1)  With basic auth (the zope default), the user's name and password
are sent in the clear with every request.

part 2) With form based login (login manager, zmc), the user's name and
password are sent in the clear when the login form is submitted.

Solution: Have to go with form based login that uses ssl to send user's
name and password. Unfortunately, in my experience, ssl support for zope
is only third party (no offense to Mr. Siong or Mr. Bickers, thanks for
your work so far) and hard to integrate, when this is really a core
requirement.

I think this is something that DC has to handle.

Bill.

On Mon, 19 Mar 2001, Bernd Worsch wrote:

> It's some time ago, the issue of denying roles showed up.
>
> I'd really wish to see this implemented, so has this problem
> made it into the collector? (The feature index seems broken
> to me at the moment)
>
> Thanks to John for pointing out what I thought :)
> Bernd
>
> On Thu, Mar 01, 2001 at 10:00:13AM +0000, Chris Withers wrote:
> > "John R. Daily" wrote:
> > >
> > > That is precisely what is wrong with the model. To achieve manageable
> > > and genuine security, I want to acquire _all_ permissions and
> > > specifically deny those roles to which the inherited permissions may
> > > not be correct.
> >
> > I'd agree with this, but I don't know how important it is.
> >
> > I'd suggest chucking it in the collector as a Feature Request.
> >
> > cheers,
> >
> > Chris
> >
> > _______________________________________________
> > Zope maillist  -  Zope@zope.org
> > http://lists.zope.org/mailman/listinfo/zope
> > **   No cross posts or HTML encoding!  **
> > (Related lists -
> >  http://lists.zope.org/mailman/listinfo/zope-announce
> >  http://lists.zope.org/mailman/listinfo/zope-dev )
>
> --
>
> -----Bernd Worsch-----------bernd.worsch@frontsite.de--------
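
Added example, not part of the original thread: a small audit over constructed request captures that counts how often credentials are readable on the wire under basic auth, a plain form login, and a form login submitted over SSL/TLS. The form field names `username` and `password`, the paths and all sample requests are assumptions made for illustration.

```python
import base64
from urllib.parse import parse_qs

# Assumed form field names; a real login form may use others.
USER_FIELD, PASS_FIELD = "username", "password"

def cleartext_credentials(scheme, raw_request):
    """Return (mechanism, username) pairs for credentials readable on the wire."""
    if scheme == "https":
        return []  # headers and body travel inside the encrypted channel
    head, _, body = raw_request.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    findings = []
    auth_scheme, _, token = headers.get("authorization", "").partition(" ")
    if auth_scheme.lower() == "basic" and token:
        # Basic auth is base64("user:password"): an encoding, not encryption.
        try:
            decoded = base64.b64decode(token).decode("latin-1")
        except ValueError:
            decoded = ""  # malformed token, nothing to report
        user, sep, _password = decoded.partition(":")
        if sep:
            findings.append(("basic-auth", user))
    content_type = headers.get("content-type", "")
    is_form = content_type.startswith("application/x-www-form-urlencoded")
    if request_line.startswith("POST ") and is_form:
        fields = parse_qs(body)
        if USER_FIELD in fields and PASS_FIELD in fields:
            findings.append(("login-form", fields[USER_FIELD][0]))
    return findings

def exposures(session):
    """Count requests in a session that reveal a username and password."""
    return sum(len(cleartext_credentials(s, r)) for s, r in session)

def _basic(user, password):
    return base64.b64encode(f"{user}:{password}".encode()).decode()

# Constructed sample sessions (three requests each), not real traffic.
BASIC_SESSION = [("http", f"GET /page{i} HTTP/1.0\r\nAuthorization: Basic "
                  f"{_basic('bill', 'example-pw')}\r\n\r\n") for i in range(3)]
LOGIN_POST = ("POST /login HTTP/1.0\r\nContent-Type: application/x-www-form-urlencoded"
              "\r\n\r\nusername=bill&password=example-pw")
FOLLOW_UPS = [("http", f"GET /page{i} HTTP/1.0\r\nCookie: session=constructed\r\n\r\n")
              for i in (1, 2)]
FORM_SESSION = [("http", LOGIN_POST)] + FOLLOW_UPS
TLS_FORM_SESSION = [("https", LOGIN_POST)] + FOLLOW_UPS
```

Calling `exposures()` on the three sessions gives the per-session count of requests that disclose the password: every request for basic auth, only the login submission for the plain form, and none once the form is submitted over SSL/TLS.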