[Zope] FW: sending a encrypted login URL

Joseph Thomas (s) jthomas at cap.org
Wed Mar 4 11:53:12 EST 2009



-----Original Message-----
From: Joseph Thomas (s) 
Sent: Wednesday, March 04, 2009 10:50 AM
To: 'lists at zopyx.com'
Subject: RE: [Zope] sending a encrypted login URL

I think I get what you're suggesting, but let me clarify.

I actually wanted the sensitive portions of the URL to be encrypted, because it will be a link on a page that says "login to zope", but I wouldn't want the user or a snooper to be able to view the page source and figure out the URL pattern and the username/password.

SSL will ensure that the transport between the browser and the zope server will be encrypted using PKI, but I really want to obfuscate the user name and password parameters in the login URL, so that if someone were to view the source they'd see garbled username/password parameters.

I suppose I could use the PKI to encrypt the username/password with my zope server's public key (but is there an API to do this on a J2EE container) and then have my zope server decrypt using its private key (but how would zope know that the username/password parameters are to be treated as encrypted data)?

-----Original Message-----
From: Andreas Jung [mailto:lists at zopyx.com] 
Sent: Wednesday, March 04, 2009 10:38 AM
To: Joseph Thomas (s)
Cc: zope at zope.org
Subject: Re: [Zope] sending a encrypted login URL

Use SSL and you're done.

-aj

On 04.03.2009 17:29, Joseph Thomas (s) wrote:
> We'd like to construct a zope login URL of the form on another server:
>
> http://zope.domain:port/context/logged_in?__ac_name=uzzzzzz&__ac_password=xxxxxxx&submit=Log+in
>
> where the ac_name and ac_password parameters are encrypted using zope
> public key (?) and have the parameters decrypted when zope receives the
> request and login the user.
>
> Is there an API or some way to encrypt the username and password on the
> 3rd party app server and configure zope so that it treats the
> parameters as encrypted values rather than plaintext?
>
> Joseph Thomas
> College of American Pathologists
> http://www.cap.org


-- 
ZOPYX Ltd. & Co. KG - Charlottenstr. 37/1 - 72070 Tübingen - Germany
Web: www.zopyx.com - Email: info at zopyx.com - Phone +49 - 7071 - 793376
Court of registration: Amtsgericht Stuttgart, Handelsregister A 381535
Managing director/shareholder: ZOPYX Limited, Birmingham, UK
------------------------------------------------------------------------
E-Publishing, Python, Zope & Plone development, Consulting
