[Zope3-dev] Authentication and context wrappers
Jim Fulton
jim@zope.com
Mon, 10 Feb 2003 16:21:56 -0500
Marius Gedminas wrote:
> Hi, folks
>
> At the moment the authenticated principal is just a name. In other words,
> the actual object is being resolved on every security check. This poses
> certain problems when the principal is defined in a local authentication
> service, and the checkers try to verify its access to a naked object.
> With no context the appropriate authentication service cannot be found
> so the global one is used, and more likely than not the principal is not
> present there.
>
> And what if there is one? Does that mean that the permissions of a
> different principal than the one that actually performed the
> authentication are used? Doesn't this pose a security problem?
First, I agree that we should pass the authenticated principal object
to newSecurityManager and use this in security checks. I'll go farther
and say that this user should be in the context of its authentication
service. This will be necessary to check that a user doesn't access an
object outside its place.
Second, authentication services are required to pick unique
principal ids, so there can be no danger of mixing up principal
ids. OTOH, we haven't settled on how the authentication services will
pick unique ids. The thought is that it will use its path (or its
site path) as a prefix for all of its ids.
Jim
--
Jim Fulton mailto:jim@zope.com Python Powered!
CTO (888) 344-4332 http://www.python.org
Zope Corporation http://www.zope.com http://www.zope.org
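As an added illustration of the two points above (not Zope code, and not from either poster): a toy authentication service that prefixes every principal id with its own path, plus a check that a principal may only act inside the place it authenticated in. All class and function names are hypothetical.

```python
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    id: str            # globally unique id: service path + local name
    local_name: str    # name as known to the local service
    service_path: str  # path of the service that authenticated it


class AuthenticationService:
    """Hypothetical local authentication service living at `path`."""

    def __init__(self, path, users):
        self.path = path
        self._users = dict(users)  # constructed sample: name -> password

    def principal_id(self, name):
        # Prefix the local name with the service path so that two services
        # both holding an "alice" can never produce the same principal id.
        return f"{self.path}/{name}"

    def authenticate(self, name, password):
        expected = self._users.get(name)
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        return Principal(self.principal_id(name), name, self.path)


def in_place(principal, object_path):
    """True if object_path lies inside the site the principal came from."""
    base = principal.service_path
    return object_path == base or object_path.startswith(base + "/")


def check_access(principal, object_path, grants):
    """grants: object path -> set of *global* principal ids allowed there.
    A principal outside its own place is refused before grants are read."""
    if not in_place(principal, object_path):
        return False
    return principal.id in grants.get(object_path, set())


def demo():
    """Two sites each define a local 'alice'; ids and access must not mix."""
    site_a = AuthenticationService("/siteA", {"alice": "pw-a"})
    site_b = AuthenticationService("/siteB", {"alice": "pw-b"})
    alice_a = site_a.authenticate("alice", "pw-a")
    alice_b = site_b.authenticate("alice", "pw-b")
    grants = {"/siteA/doc": {alice_a.id}}
    return (alice_a.id, alice_b.id,
            check_access(alice_a, "/siteA/doc", grants),
            check_access(alice_b, "/siteA/doc", grants))
```

Running `demo()` shows the two ids differ and only the principal authenticated under /siteA can reach /siteA/doc, even though both are named "alice".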