[Zope3-Users] Re: NTLM credential plugin
hangzhiyun at gmail.com
Tue Sep 19 08:39:51 EDT 2006
Good news. I believe I found a way to do the NTLM 4-way handshake with zope3
using a PAU plugin. But I need to modify zope3's HTTP server a little bit,
to let zope3 support HTTP/1.1 persistent connections.
Currently I can
1. send NTLM challenge
2. receive NTLM type-1 message
3. send NTLM type-2 message
4. receive NTLM type-3 message.
The only thing to do is decode the type-3 message.
My concern is that I need to modify zope3's HTTP server, although it only adds several
lines. Is there anybody who can validate my modification and implement the change
in the proper zope3 way?
Currently I modified zope.server.http.httptask.HTTPTask, method
prepareResponseHeaders(), to let this function also check
accumulated_headers before it decides to close the connection. Sorry, I left
the modified code on my other PC, so I can't post the details.
Anybody can help?
On 9/15/06, Simon Hang <hangzhiyun at gmail.com> wrote:
> Why can't zope3 maintain active connections? Is this because zope3 is
> using an asynchronous socket (asyncore.py) to serve the request?
> Errr... why is zope3 doing this? Won't this method cause overhead?
> Sorry for lots of questions, but I don't understand.
> On 9/13/06, Gary Poster <gary at zope.com> wrote:
> > On Sep 13, 2006, at 2:30 AM, Philipp von Weitershausen wrote:
> > > Simon Hang wrote:
> > >> Hi,
> > >> I'm thinking of writing an NTLM credential plugin for zope3. But as
> > >> I know, NTLM uses a 4-way handshake procedure, which means it needs
> > >> two round-trips between server (zope3) and client (browser).
> > >> When I look in the credential plugins, it has a challenge method.
> > >> But it seems it is only designed for a 1 round-trip protocol. It can
> > >> issue one challenge, and return to the parent script.
> > >
> > > I don't see how the PAU only allows one "round-trip".
> > AIUI (I just looked up NTLM last night out of curiosity: see
> > http://www.innovation.ch/personal/ronald/ntlm.html ), the problem is that the
> > 4 way handshake has to happen *within a single connection*.
> > Apparently MS abuses HTTP to perform this. Implementing it in
> > pluggable auth made me scratch my head a bit, so I didn't reply. You
> > would need to slurp the request, then push back to the response, then
> > slurp the same request again, then push back to the response, then
> > slurp one more time, and finally reply with the real request.
> > Describing the problem to Benji, he mentioned WSGI--that does seem
> > like the only way I can imagine this working, and that would be
> > tricky enough, especially if you needed to reach into Zope for the
> > managed credentials. Once the WSGI plugin did its magic, it would
> > need to put something in the WSGI request that a pluggable auth
> > plugin was willing to accept as authentication.
> > On the bright side, if you did this with WSGI you might be able to
> > offer this as a generic Python WSGI NTLM tool that required only
> > minimal integration with the back end app server.
> > I'm glad I'm not tasked with this. :-D It sounds interesting,
> > though. Also, maybe I misunderstand: read the link if you want to
> > come up with your own interpretation.
> > Gary
> > _______________________________________________
> > Zope3-users mailing list
> > Zope3-users at zope.org
> > http://mail.zope.org/mailman/listinfo/zope3-users
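The four steps Simon lists above and the single-connection constraint Gary describes, as an added Python example (not code from this thread or from Zope): a per-connection NTLM state machine that answers each request with the right 401/200 and keep-alive header, plus the type-3 decoding that was still to do. Message layouts follow the NTLM write-up linked in the thread; NtlmConnection, parse_type3 and build_type2 are assumed names, the nonce is fixed only for reproducibility, and the password check of the NT response is left to the credential plugin.

```python
import base64, os, struct

NTLMSSP = b"NTLMSSP\x00"
FLAG_UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE: strings are UTF-16-LE, otherwise ASCII

def message_type(blob):
    """Return the NTLM message type (1, 2 or 3) of a base64-decoded Authorization token."""
    if len(blob) < 12 or blob[:8] != NTLMSSP:
        raise ValueError("not an NTLMSSP message")
    return struct.unpack_from("<I", blob, 8)[0]

def _secbuf(blob, off):
    # security buffer descriptor: length(2), max length(2), data offset(4), all little-endian
    length, _maxlen, start = struct.unpack_from("<HHI", blob, off)
    return blob[start:start + length]

def build_type2(nonce, flags=0):
    """Minimal type-2: signature, type, empty target-name buffer at offset 40, flags, 8-byte nonce, 8 zero bytes."""
    return NTLMSSP + struct.pack("<IHHII", 2, 0, 0, 40, flags) + nonce + b"\x00" * 8

def parse_type3(blob):
    """Identity fields of a type-3 message; nt_response is what the plugin must verify against the nonce."""
    if message_type(blob) != 3:
        raise ValueError("not a type-3 message")
    flags = struct.unpack_from("<I", blob, 60)[0] if len(blob) >= 64 else 0
    enc = "utf-16-le" if flags & FLAG_UNICODE else "ascii"
    return {"domain": _secbuf(blob, 28).decode(enc), "user": _secbuf(blob, 36).decode(enc),
            "workstation": _secbuf(blob, 44).decode(enc), "nt_response": _secbuf(blob, 20)}

class NtlmConnection:
    """Handshake state for ONE TCP connection; it is lost if the server closes the socket mid-handshake."""
    def __init__(self, nonce=None):
        self.nonce = nonce or os.urandom(8)  # a fixed nonce is for reproducible demos only
        self.identity = None

    def handle(self, authorization):
        """Return (status, headers) for one request; keep-alive is what lets type-1 and type-3 reach us."""
        if self.identity is not None:  # later requests on this same connection are already authenticated
            return 200, {}
        if not authorization or not authorization.startswith("NTLM "):
            return 401, {"WWW-Authenticate": "NTLM", "Connection": "keep-alive"}
        blob = base64.b64decode(authorization[5:])
        if message_type(blob) == 1:
            token = base64.b64encode(build_type2(self.nonce)).decode("ascii")
            return 401, {"WWW-Authenticate": "NTLM " + token, "Connection": "keep-alive"}
        self.identity = parse_type3(blob)  # checking nt_response with the stored nonce is the plugin's job
        return 200, {}
```

Because the identity lives on the connection object, a server that closes the socket after the first 401 (as Simon found zope3's HTTP server doing) never sees the type-3 message and the handshake cannot complete.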