[Zope] Zope/Plone logon security strategy etc

Tino Wildenhain tino at wildenhain.de
Wed Jan 25 12:47:55 EST 2006


michael nt milne schrieb:
> Just a quick question about Zope/Plone logins and security etc. When I
> go to www.domain.com:8080/manage I get a login box which seems to
> function in exactly the same way as the www.domain.com:8080/login_form
> page.
> 
> My question is, what was the rationale for implementing this logon
> strategy in Zope as it obviously acts as authentication and
> authorisation but falls down on confidentiality and data integrity?
> Also would there be any plans at all in the future to make this logon
> process authenticate, be confidential and have integrity? I know that
> you can do it in Apache etc but for most people that's probably quite
> a big step. Most people probably reckon that the appearance of the
> logon box makes their site secure. I'm only talking about the logon
> areas here, etc.

I wonder what you mean. Could you outline how you believe
it should work? What are your concerns about security exactly?

With Zope you have security down to individual object attributes.

Each time you access an attribute and don't have sufficient rights,
you are presented with some way to login (the exact appearance however
depends on the userfolder you use).

So how do you think it should work instead and what are the improvements
you see as well as the drawbacks?

Regards
Tino Wildenhain

