[Zope] major problems placing authentication on an extranet site-security flaw?
markb at textmatters.com
Wed Feb 8 17:28:44 EST 2006

michael nt milne wrote:
> I find the Zope security, permissions set-up hideously complex and
> unusable to be honest and it doesn't even seem to work.

Yes. But security is hard on any capable system, with users, groups,
objects, applications all having security attributes and all those
things inheriting and interacting in unexpected ways. Netware and
Windows are the same.

As for 'doesn't even seem to work', that may be true (welcome to Open
Source!), but you may 'just' be experiencing interactions between Zope
security (hideously complex, etc) and Plone security (also complex). The
interactions between these systems are basically beyond ordinary humans
- or, possibly, just don't work.

It may be most sensible to try to hand off security to another system
entirely and let Zope/Plone share/inherit it - as your original
intention. If it's an extranet, can you use the surrounding network's
system? Pluggable authentication can use Windows or LDAP (or, perhaps,
other) authentication to provide access to a Zope/Plone, so visitors log
in to your network rather than to the Zope site, and the Zope/Plone can
inherit whatever the domain authentication system knows about them.

My other advice is to try not to touch ZMI security screens: if you're
using Plone you should try to set up the security you need in Plone as
far as possible. You really don't need Plone and Zope trying to do
different things at the same time: it's a fragile and complex marriage
and the partners all too easily end up stalking out of the room.

(this also suggests you might have better luck on the Plone discussion
lists, eg nntp://gmane.comp.web.zope.plone.user)