[Zope3-Users] Re: Remote authentication

David Pratt fairwinds at eastlink.ca
Mon May 14 09:21:50 EDT 2007

Hi Maciej. I'm putting up a project today. If there is anyone else that 
has been following this thread that would like to contribute to a CAS 
solution for z3 please let me know.

Just a side note that the PHP client for CAS uses sessions. I'm going to 
contact Martijn on the ldappas work and see if he has any advice to 
offer on this in the interim. Chris Withers had also put a solution 
together a few years back for z2 under mit license so will also likely 
see if there is some interest in advising or helping considering his 


Maciej Wisniowski wrote:
>> Hi Maciej. Thank you for your reply and outlining the authentication
>> process. This does make things clearer. There are a variety of backends,
>> I read that something as simple as reading fom a file is possible. 
>> ldappas and dl.ldapauth provide some good hints for plugins and user
>> management from infrae's documentlibrary. I became aware of these
>> packages working on documentlibrary recently.
> I don't know documentlibrary but with cas you'll get only the user
> name and with this it is necessary to
> get user roles/permissions from specific backend.
>> I want to be clear that https enters into the picture as soon as
>> authentication is required or someone were to click on a login link. I
>> am seeing links such as this in the docs I have been reading:
>> https://secure.its.yale.edu/cas/login?service=http://my/url
>> Reading the plone code, I noticed a replacement for login portlet (to
>> replace it with a link to CAS server) so I am assuming at this point
>> folks would be coming to portal unauthenticated and no https until you
>> were to login or attempt to gain access to an area where you need
>> authorization (then you are redirected - and now https on CAS server)
>> Have I got this right?
> CAS authentication will work with http, but single sing on will not.
> I mean if you have CAS server like:
> https://secure.its.yale.edu/cas
> and applications:
> http://my/url
> http://my/url2
> then you'll have to login while trying to acces http://my/url2
> even thought you already are logged in to http://my/url. With
> https you'll be automatically logged into url2 via SSO.
> There were discussions about turning off https on CAS users
> list but I don't know if it is possible in recent CAS versions.
> Also you may send 'service url' as https one. This way users
> accesses http site but after successfull login at CAS user is
> redirected to https one.
>> I thought sessions should be used but maybe there are some other
>> opinions. I realize there were some issues with sessions some years back
>> with z2. I have not heard anything negative about sessions in z3.
> Hm... I'm not sure about session implementation in zope3 but
> I had some issues with sessions with zope 2 (conflicts).
> I think that accessing session with every request is not too good as
> this causes session buckets to be moved in oobtree because of
> expiration, starts garbage collections etc. But I'm not sure how
> this exactly goes.
>> I was also thinking to some extent about the url redirection etc for
>> this CAS activity and it made me wonder whether some of this should not
>> be occurring as part of a WSGI middleware (but this is just a random
>> thought at the moment).
> I have no experience with that but like to get to know more :)
>> I am interested in setting up a project for this shortly. I'll likely
>> get this going in the next day or so and will be grateful for your help
>> since you have experience with this. I'll provide details for the
>> project as soon as I have them but will likely put it in zif collective
>> on sourceforge in svn.
> OK, but possibly I will have no internet access for few days so I may
> answer with delays.
>> BTW, I recently noticed that the authentication server need not be java
>> so long as it complies with the CAS protocol. In fact I was reading code
>> for rubyCAS server earlier today. It makes me wonder why the
>> authentication server itself could not be written in python and served
>> using zope or twisted. Gives me something to think about for later if
>> things work. Many thanks,
> Would be great to have this server in python :)

More information about the Zope3-users mailing list