R. David Murray wrote:
> On 12 May 2000, Kent Polk wrote:
>> Some browsers *do* only pass authentication info when the server requests it. We discovered this a couple of years ago when experimenting with the newly-developed domain authentication that I asked to be implemented in userfolders with Principia.
> Unless I'm badly mistaken, the standard Zope management interface has a problem with this.
> My perception is that w3m is a browser that only passes auth info when requested. If I'm looking at a management screen, and I click on a link that takes me to 'manage_workspace' for that object, Zope responds as if I am not authenticated. If I explicitly type in the URL with 'manage_main', then I get the management screen. I'm *guessing* that manage_workspace somehow does not require 'view management screens' permission but 'manage_main' does.
> What are other browsers that have this behavior? I'd like to test my theory...
It was a while back and I don't have access to any of the browsers to test with now, but none of them had any trouble with the standard Principia (before Zope) management screens. The problems were encountered if you simply assumed that objects were requiring authentication, such as by passing them through an authentication portal which was only used to establish authentication and never used thereafter, and simply used AUTHENTICATED_USER to determine the status of authentication instead of just the name of the authenticated user. The results were that browsers which didn't automatically send authentication info were disallowed access, and you could reasonably easily bypass the server authentication mechanism if objects themselves didn't authenticate. Sorry that I don't have up-to-date info here, but I haven't had to develop any sites which require authentication since then.

Sounds like you are possibly stating that when Zope was extended, it didn't continue to require that its management objects require authentication and simply relied on the value of AUTHENTICATED_USER to determine authentication. Is this correct?

At the time I simply saw the problem as one of 3rd party software design. I.e. if you didn't build the site so its objects required authentication as appropriate, it wasn't Principia's problem, it was yours (or mine).

I also believe the second issue isn't a problem with browsers which only send auth. info when requested. Relying on access procedures to ensure security is 'security by obscurity' and nothing more.
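The failure mode Kent describes, as an added example that is neither from the thread nor Zope's own code: a constructed Basic-auth object that merely trusts a present user name (the AUTHENTICATED_USER-style check) beside one that itself issues a 401 challenge, both exercised by a simulated browser that, like w3m, sends credentials only when asked. The credential store and all function names are constructed for the example.

```python
import base64

USERS = {"alice": "s3cret"}  # constructed sample credential store


def parse_basic(headers):
    """Return the user name if the Authorization header carries valid Basic credentials, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except Exception:
        return None
    return user if USERS.get(user) == password else None


def object_trusting_portal(headers):
    """Weak: assumes an upstream portal already authenticated the client and
    only looks at whether a user name is present; it never challenges."""
    user = parse_basic(headers)
    return (200, "hello " + user) if user else (403, "forbidden")


def object_that_challenges(headers):
    """Correct: the object itself requires authentication and sends a 401
    challenge, so a browser that withholds credentials gets a second chance."""
    user = parse_basic(headers)
    if user:
        return (200, "hello " + user)
    return (401, 'WWW-Authenticate: Basic realm="Zope"')


def _basic_token(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def lazy_browser(handler, user, password):
    """Browser that only sends credentials after being challenged (w3m-style)."""
    status, body = handler({})
    if status == 401:
        status, body = handler({"Authorization": _basic_token(user, password)})
    return status, body


def eager_browser(handler, user, password):
    """Browser that pre-sends credentials it used earlier in the session; this
    is why the weak object appears to work during testing with such a browser."""
    return handler({"Authorization": _basic_token(user, password)})
```

With valid credentials the lazy browser is wrongly refused by the trusting object but admitted by the challenging one, while the eager browser succeeds against both and so never reveals the defect.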