[Zope] Re: Basic Authentication SSL Redirector

Tino Wildenhain tino at wildenhain.de
Fri Jun 23 08:31:42 EDT 2006


Josef Meile wrote:
>>> After having started the thread about securing CookieCrumbler[1], I figured
>>> out that it was better to secure Basic Authentication instead. So, I just
>>
>>
>> Which is actually identical :-) It's just a different HTTP header
>> involved :-)
> 
> Yes, but you won't send your credentials in plain text as you do with 
> CookieCrumbler, will you?

Well, it's more or less exactly the same as with BasicAuth :-)
(base64 plaintext vs. plaintext in html forms does not really matter)

>>> created a new Product, called JMSSLBasicAuth[2], which is based on the
>>> CookieCrumbler Transversal Hook. Instead of Cookie Authentication, I will
>>> redirect insecure Basic Authentication requests to ssl.
>>
>>
>> You remember to stay in ssl once you switched?
> 
> Let's say I remember that. Let's also say that the user turns manually 
> back to http, then an Unauthorized Exception will be raised by Zope, so 
> he will be redirected again to ssl, where an HTTP header was already set.
> 
> I checked it with the "Live HTTP Headers" of Firefox, and here the user 
> won't send his credentials while switching to http, what you will see is 
> this:
> 
> ----------------------------------------------------------
> http://some_url/folder1
> 
> GET /folder1 HTTP/1.1
> Host: some_ip
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.0.4) 
> Gecko/20060508 Firefox/1.5.0.4
> Accept: 
> text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 
> 
> Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> 
> HTTP/1.x 302 Moved Temporarily
> Date: Fri, 23 Jun 2006 12:02:34 GMT
> Server: Zope/(Zope 2.7.8-final, python 2.3.5, linux2) ZServer/1.1
> Bobo-Exception-Line: 313
> Content-Length: 2686
> Bobo-Exception-Value: See the server error log for details
> Bobo-Exception-File: Expressions.py
> Bobo-Exception-Type: Unauthorized
> X-Zopeuser: Anonymous
> Location: https://some_url/folder1/index_html
> Content-Type: text/html
> WWW-Authenticate: basic realm="Zope"
> Keep-Alive: timeout=5, max=100
> Connection: Keep-Alive
> ----------------------------------------------------------
> https://some_url/folder1/index_html
> 
> GET /folder1/index_html HTTP/1.1
> Host: some_ip
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.0.4) 
> Gecko/20060508 Firefox/1.5.0.4
> Accept: 
> text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 
> 
> Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Authorization: Basic YWRtaW46Zm9vcGFzcw==
> 
> HTTP/1.x 200 OK
> Date: Fri, 23 Jun 2006 12:02:34 GMT
> Server: Zope/(Zope 2.7.8-final, python 2.3.5, linux2) ZServer/1.1
> Content-Length: 156
> Content-Type: text/html
> X-Zopeuser: admin
> Keep-Alive: timeout=5, max=100
> Connection: Keep-Alive
> ----------------------------------------------------------

nice password btw ;)

Regards
Tino
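The redirect behaviour discussed in this thread, as an added example that is not JMSSLBasicAuth's or Zope's own code: a small WSGI middleware that answers any plain-http request with a 302 to the https URL and deliberately omits a WWW-Authenticate challenge on that response, so the browser is never prompted (and never sends a Basic header) over http. The `protected_app`, `basic_header` and `call` helpers, the `X-Forwarded-Proto` handling and the realm string are assumptions constructed for the example.

```python
import base64
from urllib.parse import quote

# Added example (not JMSSLBasicAuth's or Zope's code): the traversal-hook idea
# as a WSGI middleware. Plain-http requests get a 302 to https with no
# WWW-Authenticate, so the browser never sends a Basic header over http.

def is_https(environ):
    # Assumption: X-Forwarded-Proto is set only by a trusted TLS-terminating proxy.
    return (environ.get("wsgi.url_scheme") == "https" or
            environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https")

def https_target(environ):
    """https:// URL for the same host, path and query string."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "") or "/")
    query = environ.get("QUERY_STRING", "")
    return "https://%s%s%s" % (host, path, "?" + query if query else "")

def redirect_to_ssl(app):
    def middleware(environ, start_response):
        if is_https(environ):
            return app(environ, start_response)
        # Deliberately no WWW-Authenticate on the http response.
        start_response("302 Found", [("Location", https_target(environ)),
                                     ("Content-Length", "0")])
        return [b""]
    return middleware

def basic_header(user, password):
    """Authorization header value; base64 is an encoding, not a secret."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")

def protected_app(environ, start_response):
    """Constructed Basic-auth application sitting behind the middleware."""
    auth = environ.get("HTTP_AUTHORIZATION", "")
    if not auth.startswith("Basic "):
        start_response("401 Unauthorized", [("WWW-Authenticate", 'Basic realm="Zope"')])
        return [b""]
    user = base64.b64decode(auth[6:]).decode("utf-8").partition(":")[0]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello %s" % user).encode("utf-8")]

def call(app, environ):
    """Minimal WSGI driver: returns (status, header dict, body)."""
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body
```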

