[Zope] Zope security management

Phil Harris phil.harris@zope.co.uk
Mon, 19 Mar 2001 19:37:11 -0000


Bill,

There is another answer to part 2: use JavaScript to create an MD5 hash of
user,somesecret,password.

This can be sent instead of the password and then validated on the server
side. Since the username and MD5 hash are all that is sent across the wire,
it should be a lot more secure than plain text.

I have a JavaScript MD5 library if anyone is interested (which, btw, I
'stole' from the PHPlib ;) ).

Phil
phil.harris@zope.co.uk


----- Original Message -----
From: "Bill Welch" <bill@carbonecho.com>
To: <zope@zope.org>
Sent: Monday, March 19, 2001 5:07 PM
Subject: Re: [Zope] Zope security management


> To achieve genuine security, you have to do something about the 'password
> in the clear' problem.
>
> part 1)  With basic auth (the zope default), the user's name and password
> are sent in the clear with every request.
>
> part 2) With form based login (login manager, zmc), the user's name and
> password are sent in the clear when the login form is submitted.
>
> Solution: Have to go with form based login that uses ssl to send user's
> name and password. Unfortunately, in my experience, ssl support for zope
> is only third party (no offense to Mr. Siong or Mr. Bickers, thanks for
> your work so far) and hard to integrate, when this is really a core
> requirement.
>
> I think this is something that DC has to handle.
>
> Bill.
>
> On Mon, 19 Mar 2001, Bernd Worsch wrote:
>
> > It's some time ago, the issue of denying roles showed up.
> >
> > I'd really wish to see this implemented, so has this problem
> > made it into the collector? (The feature index seems broken
> > to me at the moment)
> >
> > Thanks to John for pointing out what i thought :)
> > Bernd
> >
> > On Thu, Mar 01, 2001 at 10:00:13AM +0000, Chris Withers wrote:
> > > "John R. Daily" wrote:
> > > >
> > > > That is precisely what is wrong with the model. To achieve manageable
> > > > and genuine security, I want to acquire _all_ permissions and
> > > > specifically deny those roles to which the inherited permissions may
> > > > not be correct.
> > >
> > > I'd agree with this, but I don't know how important it is.
> > >
> > > I'd suggest chucking it in the collector as a Feature Request.
> > >
> > > cheers,
> > >
> > > Chris
> > >
> > > _______________________________________________
> > > Zope maillist  -  Zope@zope.org
> > > http://lists.zope.org/mailman/listinfo/zope
> > > **   No cross posts or HTML encoding!  **
> > > (Related lists -
> > >  http://lists.zope.org/mailman/listinfo/zope-announce
> > >  http://lists.zope.org/mailman/listinfo/zope-dev )
> >
> > --
> >
> > -----Bernd Worsch-----------bernd.worsch@frontsite.de--------
> >
> >
>