[Zope] Re: htaccess with zope/plone ?

Jens Vagelpohl jens at dataflake.org
Wed Feb 8 03:31:50 EST 2006

On 7 Feb 2006, at 23:58, michael nt milne wrote:

> Also, just to say that I did a test on only letting authenticated  
> and managers view the root page of the site over ssl. If you just  
> cancelled the login box or closed it, the whole front page was  
> displayed without any css but you could still get all the content.  
> I've had this quite a bit before so that's why I'm looking into  
> Apache authentication. I just don't think that Zope authentication  
> is secure.

As someone else has already mentioned, there is zero difference when  
it comes to "how secure" the login procedure is. It doesn't matter  
how you set up authentication if you haven't applied the proper  
permission settings in Zope to prevent showing that front page  
content you mentioned earlier. You need to get a better idea how to  
use the built-in Zope security mechanisms to achieve the security  
settings you would like to see.

Using both Apache and Zope authentication will bring mostly pain.  
Your strategy is wrong. Get a better understanding of what Zope can  
do in that regard and then decide.


More information about the Zope mailing list