[Zope] Re: major problems placing authentication on an extranet site-security flaw?

Philip Kilner phil at xfr.co.uk
Sat Feb 11 13:57:14 EST 2006

Hi Michael,

michael nt milne wrote:
> I've implemented what's outlined in the make private site
> documentation and it works fine on Plone 2.1.1. No content is available
> apart from the site-map page (doesn't list content) and the contact form
> but I can figure that out separately.

Since neither of those counts as "content" as such, I think that is
legitimate and, as you say, you can work around those if it matters to
you. (In cases where I've wanted to work around such things, I've simply
called a script that redirects with an error message if the
appropriate conditions aren't met.)

> Yes I think I like the HTML login page way to authenticate. It feels
> more usable. And I don't think I'll use an Apache login box at all. Most
> users will find it hard remembering one password and with cookie
> authentication over SSL you can go straight into the site. Brilliant.

Agreed. Apache does a great job of managing the SSL, securing the data
over public wires, but that's a 100% generic task whereas the
authentication is tightly bound to your application.

It's worth bearing in mind that those credentials are passed over the
wire with every page, so you need your sessions to /stay/ in SSL mode
once authenticated.

> I'm revisiting some of the points made in this thread though about
> security. It does seem that Zope and Plone as you say, are at odds on this.

Because Zope is an application server, it has to expose its mechanism -
Plone has an easier job because it has a specific task to do (e.g.
manage content), and so can take an approach which is much simpler to
fly. In Plone, always do things the Plone way - working at the Zope
level may potentially subvert Plone's mechanisms for achieving things.

Email: phil at xfr.co.uk
PGP Public key: http://www.xfr.co.uk
Voicemail & Facsimile: 07092 070518

"You'll find that one part's sweet and one part's tart:
say where the sweetness and the sourness start."
- Tony Harrison
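One way to keep authenticated sessions on SSL, as described above, is to do it at the Apache layer that already terminates the SSL. The configuration below is an added example, not code from the original post or from Zope or Plone themselves. It assumes Apache 2.2.4 or later with mod_ssl, mod_rewrite, mod_proxy and mod_headers loaded, Zope listening on 127.0.0.1:8080, a Plone site with the id "plonesite", the host name www.example.com, certificate paths under /etc/apache2/ssl/ and Plone's default authentication cookie name "__ac"; all of these are assumptions to adjust for a real deployment.

```apache
# Added example (not from the original post or from Zope/Plone).
# Assumptions: Apache 2.2.4+ with mod_ssl, mod_rewrite, mod_proxy and
# mod_headers; Zope on 127.0.0.1:8080; Plone site id "plonesite";
# host name www.example.com; Plone's default auth cookie name "__ac".

# Plain HTTP: serve nothing here. Redirect every request to the HTTPS
# host so a browser that already holds the auth cookie is never left
# on a page that sends it in clear text.
<VirtualHost *:80>
    ServerName www.example.com
    RewriteEngine On
    RewriteRule ^/(.*)$ https://www.example.com/$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine On
    SSLCertificateFile    /etc/apache2/ssl/www.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/www.example.com.key

    # Proxy to Zope through the VirtualHostMonster, telling it the public
    # scheme is "https" on port 443. Every link and redirect Plone then
    # generates (including the post-login redirect) stays on SSL, which is
    # what keeps the session in SSL mode once authenticated.
    RewriteEngine On
    RewriteRule ^/(.*)$ http://127.0.0.1:8080/VirtualHostBase/https/www.example.com:443/plonesite/VirtualHostRoot/$1 [L,P]

    # Defence in depth: mark the auth cookie Secure (and HttpOnly) on the
    # way out, so the browser refuses to send it over plain HTTP even if a
    # hard-coded http:// link slips into a page somewhere.
    Header edit Set-Cookie "^(__ac=.*)$" "$1; Secure; HttpOnly"
</VirtualHost>
```

To check the result, request a page over plain HTTP and confirm the response is a 301 to the https:// URL, then log in over HTTPS and inspect the Set-Cookie header on the login response: the __ac cookie should carry the Secure flag, and the Location header of the redirect that follows login should already be an https:// URL.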

More information about the Zope mailing list