[Zope] major problems placing authentication on an extranet site-security flaw?

Robert Boyd robert.h.boyd at gmail.com
Thu Feb 9 09:32:59 EST 2006

On 2/9/06, michael nt milne <michael.milne at gmail.com> wrote:
> Over and out on this one from me and thanks for all your help.... Sorry but
> SSL over virtual hosts *is* more involved that setting up a basic password
> protect

My 2 cents on this thread: I've seen (ok, I've done, long ago) the
following as a newbie when it comes to security - start checking and
unchecking boxes in the security screens trying to get things to work
how I want them to, get partially there, change another setting, now
what used to work doesn't, now can't recall how to get back to working
settings, and everything is botched.

Before blaming Zope/Plone and its security, and calling it insecure or
a nightmare, consider this: many of us have for years set up Zope and
Plone sites with a mixture of anonymous and authentication-required
areas, or totally locked down sites, using various user folders and
authentication methods, and done so successfully. I don't say this to
be snide - I have trained others on Zope and seen similar frustration
from people when they rush in and start clicking things, or go on wild
goose chases when something like browser cache may be producing the
symptoms instead of a flaw with security. Careful, methodical
debugging is required, and you must rule out external (non-Zope)

Others have pointed out that a default Plone site should not prompt
you with a pop-up box (browser Basic Auth challenge) when requesting
protected content. Plone and CMF sites use a login web form out of the
box. Actually, from your initial post it's hard for me to tell what's
going on - I can't tell whether you're trying to hit the site from
perspective of a normal user, or through the ZMI you are clicking the
View tab of the Plone site object. When reporting problems, it helps
to clearly list your steps that produced the error. Maybe you thought
you did.

I'll agree that Zope security can be complex. ANY web application that
features content that is available to some users, and not to others,
especially when dealing with Users with Role A can view x and y, but
not z, and can edit x, but not y and z, is going to be complex. Zope
actually gives you a convenient way of setting that up, but the
convenience also gives you a great way to shoot yourself in the foot.

OT: I also use gmail because it's better IMO than any of my other
options at work, and I hope I have the settings to the liking of the
list (no HTML, etc). List, let me know if otherwise!


More information about the Zope mailing list