[Zope] Zope security management

Dario Lopez-Kästen dario@ita.chalmers.se
Wed, 21 Mar 2001 10:25:34 +0100


----- Original Message -----
From: "Karl Anderson" <karl@digicool.com>

>
> This doesn't address the original problem - if you allow nonsecure
> authorization to a page, eventually someone will forget to access it
> via SSL and will send the password across in the clear.  That's a
> valid point.  Personally, I'm paranoid that my browser or proxy will
> send my credentials without being asked for, which IIRC they are
> allowed to do; so once I send credentials to my site, I always use SSL
> for other URLs.  This is annoying, but wouldn't client certificates
> solve this problem?

The idea of client certificates is a nice one, but IIRC client certificates are something that needs to be looked at more in terms of "how will my organisation support client certs and how will we deploy them, what are the consequences, how much administration will this require, etc, etc..."

I am just now starting to look deeper into using SSL with Zope, since we are going to re-implement a lot of things done with Oracle's Web PL/SQL toolkit and our own Apache::OWA perl module, in Zope.

We are planning to run Zope behind Apache using it as a proxy. Currently we have the option of configuring Apache to accept SSL-only connections for a given URI (I think this is done in the Alias section) but this is not an option for the things we do since a large part of our site does not really need to be encrypted; we only want to provide encrypted access after you have logged in, and then we want to ensure that the parts that do require authentication are only accessible through SSL.

In Oracle's Web PL/SQL toolkit there is no simple way of knowing if a request is done with SSL or not, but I can see through which port a request was made.

I have a method which gets called for every request, that checks if the request came in through a "valid" port; port 443 is in the list of "valid" ports. This I "know" since, in our setup, we use Apache SSL on port 443. It is also possible to use several ports that are known to use SSL, so it is quite flexible.

I am considering setting up something like this in Zope, that I want to couple with the built in user management system in conjunction with LoginManager or something similar.

Would this be possible? Can I force Zope to call a "verify port" method on every request?

Thanks,

/dario

--------------------------------------------------------------------
Dario Lopez-Kästen     Systems Developer  Chalmers Univ. of Technology
dario@ita.chalmers.se  ICQ will yield no hits    IT Systems & Services
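A port-based "did this come in over SSL?" check of the kind described in the message above, written as an added example; it is not code from the message, from Zope or from LoginManager. It works over a plain dict standing in for the CGI-style request environment a proxied request arrives with, and assumes the reverse proxy terminates SSL only on the listed ports and passes SERVER_PORT through; the port list, host name and public-path prefixes are constructed values.

```python
# Added example, not Zope code: the request is a plain dict of CGI-style
# variables (SERVER_PORT, HTTPS, PATH_INFO, REMOTE_USER, ...) as a reverse
# proxy would forward them. Assumption: the proxy terminates SSL only on
# the ports in SSL_PORTS and forwards the original SERVER_PORT unchanged.

from urllib.parse import urlunsplit

SSL_PORTS = {443, 8443}                         # constructed: ports known to carry SSL
PUBLIC_PREFIXES = ("/public/", "/index_html")   # constructed: parts served in the clear


def came_in_over_ssl(env, ssl_ports=SSL_PORTS):
    """True if the request arrived through a port the proxy only exposes via SSL.
    An explicit HTTPS=on flag set by the proxy is accepted as well, but the port
    list is the primary check because the flag is easy to forget in a vhost."""
    try:
        port = int(env.get("SERVER_PORT", 0))
    except ValueError:
        return False
    return port in ssl_ports or env.get("HTTPS", "").lower() == "on"


def needs_ssl(env):
    """Encryption is required once the request carries credentials or a
    login, or targets a part of the site that is not explicitly public."""
    path = env.get("PATH_INFO", "/")
    authenticated = bool(env.get("REMOTE_USER")) or "HTTP_AUTHORIZATION" in env
    public = path.startswith(PUBLIC_PREFIXES)
    return authenticated or not public


def verify_port(env, ssl_host="www.example.org", ssl_port=443):
    """Return ('allow', None) or ('redirect', https_url).

    A redirect means the request, credentials included, already crossed the
    wire in the clear: it stops the page from being served, it cannot un-send
    the password. The useful effect is that the protected parts never work
    over plain HTTP, so a forgotten https:// link is noticed immediately."""
    if not needs_ssl(env) or came_in_over_ssl(env):
        return ("allow", None)
    path = env.get("PATH_INFO", "/")
    query = env.get("QUERY_STRING", "")
    netloc = ssl_host if ssl_port == 443 else f"{ssl_host}:{ssl_port}"
    return ("redirect", urlunsplit(("https", netloc, path, query, "")))
```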