[Zope3-Users] Re: NTLM credential plugin

Philipp von Weitershausen philipp at weitershausen.de
Wed Sep 13 09:37:10 EDT 2006

Gary Poster wrote:
> On Sep 13, 2006, at 2:30 AM, Philipp von Weitershausen wrote:
>> Simon Hang wrote:
>>> Hi,
>>>  I'm thinging to write a NTLM credential plugin for zope3. But as I 
>>> know, ntlm use 4-way handshake procedure, that means it needs two 
>>> round-trips between server(zope3) and client(browser).
>>>  When I look in the credential plugins, it has challenge mothed. But 
>>> seems it is only design for 1 round-trip protocol. It can issue one 
>>> challenge, and return to parent script.
>> I don't see how the PAU only allows one "round-trip".
> AIUI (I just looked up NTLM last night out of curiosity: see 
> http://www.innovation.ch/personal/ronald/ntlm.html), the problem is that 
> the 4 way handshake has to happen *within a single connection*.

Ack. Ok, I didn't know that. Frankly, I personally don't care much about 
NTLM anyways...

> Apparently MS abuses HTTP to perform this.  Implementing it in pluggable 
> auth made me scratch my head a bit, so I didn't reply.  You would need 
> to slurp the request, then push back to the response, then slurp the 
> same request again, then push back to the response, then slurp one more 
> time, and finally reply with the real request.  Describing the problem 
> to Benji, he mentioned WSGI--that does seem like the only way I can 
> imagine this working, and that would be tricky enough, especially if you 
> needed to reach into Zope for the managed credentials.  Once the WSGI 
> plugin did its magic, it would need to put something in the WSGI request 
> that a pluggable auth plugin was willing to accept as authentication.
> On the bright side, if you did this with WSGI you might be able to offer 
> this as a generic Python WSGI NTLM tool that required only minimal 
> integration with the back end app server.

Yes, WSGI definitely sounds like a good place to put this then. Perhaps 
the WSGI middleware could "fake" a client that uses a more standard 
authentication system (e.g. Basic Auth) to the WSGI application, that 
way it'd be transparent to the WSGI application. Not sure if that's 
possible with NTLM, though.

More information about the Zope3-users mailing list