[Zope3-Users] Re: apache as zope3's frontend and NTLM

Philipp von Weitershausen philipp at weitershausen.de
Sat Nov 12 15:01:41 EST 2005


Florent Guillaume wrote:
>> Well, Zope 3 doesn't care that Apache has authenticated your user. It
>> doesn't see that. If you want the Zope 3 security system to interact
>> with Apache's, here's a suggestion (not sure if it'll actually work):
>>
>> - Have Apache forward the REMOTE_USER CGI env variable, e.g. by using
>> the "E" flag at the end of the rewrite rule:
>>
>>   [P,L,E=REMOTE_USER:%{REMOTE_USER}]
> 
> 
> Will that really work? env variables are only useful in CGI mode, but
> proxying doesn't involve CGI. Rather I'd advise using additional
> parameters to the URL, like we do here for Zope 2 for instance:
> 
> http://svn.nuxeo.org/trac/pub/file/CMFNtlmSso/trunk/doc/vhost_sso.conf

Ah, yes. I thought of this initially but found the env way to be
cleaner, simply assuming that mod_rewrite would pass the current env
along on the proxy request. It seems it doesn't.

Good example config, by the way.

>> - Have a custom ICredentialsPlugin that simply looks at this env
>> variable in the request for the log-in credentials. To challenge the
>> user for authentication, it would simply use the same authentication
>> realm as set in the apache.conf, so that it gets picked up by Apache
>> when the user provides the credentials.
> 
> 
> And this plugin would have to get the credentials from the URL instead
> of the env variable. I wish apache had a proper way to add request
> headers during proxying...

Yup and yup.

Philipp
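
Added example (not part of the original message, and not Zope or Nuxeo code): a sketch of the credential extraction discussed above, reading the Apache-authenticated user from a URL parameter and accepting it only when the request comes from the proxy. The parameter name, the proxy address, the FakeRequest stand-in and the returned dict layout are assumptions of this example.

```python
import ipaddress
from urllib.parse import parse_qs

# Assumptions of this example, not values from the thread.
TRUSTED_PROXIES = (ipaddress.ip_network("127.0.0.1/32"),)  # where Apache runs
USER_PARAM = "apache_remote_user"  # hypothetical parameter added by the rewrite rule


class FakeRequest:
    """Constructed stand-in for a publisher request; only carries the environ."""

    def __init__(self, remote_addr, query_string):
        self.environment = {"REMOTE_ADDR": remote_addr,
                            "QUERY_STRING": query_string}


class ProxyUserCredentialsPlugin:
    """Plugin-shaped class: extractCredentials(request) returns a dict or None."""

    def extractCredentials(self, request):
        env = request.environment
        # The URL parameter is only an identity assertion if Apache wrote it,
        # so ignore it unless the TCP peer is the front-end proxy.
        try:
            peer = ipaddress.ip_address(env.get("REMOTE_ADDR", ""))
        except ValueError:
            return None
        if not any(peer in net for net in TRUSTED_PROXIES):
            return None
        # Exactly one value: a repeated parameter means something besides the
        # rewrite rule also supplied it.
        values = parse_qs(env.get("QUERY_STRING", "")).get(USER_PARAM, [])
        if len(values) != 1:
            return None
        user = values[0].strip()
        if not user or any(ord(c) < 0x20 for c in user):
            return None
        # NTLM user names usually arrive as DOMAIN\user.
        domain, _, name = user.rpartition("\\")
        if not name:
            return None
        return {"login": name, "domain": domain or None}
```

The backend port should also be bound or firewalled so that only the proxy can reach it; the address check in the plugin is a second line of defence.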

