[Zope] Re: htaccess with zope/plone ?
jens at dataflake.org
Wed Feb 8 03:31:50 EST 2006
On 7 Feb 2006, at 23:58, michael nt milne wrote:
> Also, just to say that I did a test on only letting authenticated
> and managers view the root page of the site over ssl. If you just
> cancelled the login box or closed it, the whole front page was
> displayed without any css but you could still get all the content.
> I've had this quite a bit before so that's why I'm looking into
> Apache authentication. I just don't think that Zope authentication
> is secure.
As someone else has already mentioned, there is zero difference when
it comes to "how secure" the login procedure is. It doesn't matter
how you set up authentication if you haven't applied the proper
permission settings in Zope to prevent showing that front page
content you mentioned earlier. You need to get a better idea how to
use the built-in Zope security mechanisms to achieve the security
settings you would like to see.
Using both Apache and Zope authentication will bring mostly pain.
Your strategy is wrong. Get a better understanding of what Zope can
do in that regard and then decide.
More information about the Zope