Re: FW: [Zope-dev] pam authentication support with PyPam
Alexander Staubo wrote:
Have you given any thoughts to my comments?
Yes, sorry for the delay.
There are two aspects of the current security subsystem that bug me.
The first is the fact that only user folders are accumulative only at folder boundaries. You cannot create one UserFolder and one NTUserFolder at the same level and have them co-opt the user authentication responsibility.
I think this is a good idea, I wonder if the Generic User Folder recently prototyped (hey, who did that? I can't find any artifacts to it anywhere) does this.
The second, more serious gripe is with the security permission model. Look at NT 4.0 and the security UI that comes with SP4/SP5's Security Configuration Manager for a good example (installing it will upgrade NT's security dialogs with a new UI).
<snip good stuff> There are really deep and fundamental issues, I can see exactly what you're talking about, but implementation could take a while; last time I looked at the security system I shuddered. Have you looked into implementation? This is sort of a separate issue from the user folder abstraction thing.
-Michel
On Tue, 2 Nov 1999, Michel Pelletier wrote:
The first is the fact that only user folders are accumulative only at folder boundaries. You cannot create one UserFolder and one NTUserFolder at the same level and have them co-opt the user authentication responsibility.
I think this is a good idea, I wonder if the Generic User Folder recently prototyped (hey, who did that? I can't find any artifacts to it anywhere) does this.
It could in its current incarnation... although it's a bit ugly :-) In your GenericUserFolder, create FolderA and FolderB. In FolderA create your UserFolder. In FolderB, create your NTUserFolder. In your GenericUserFolder, change the default DTML methods to simply call the required functions in the two sub user folders and return a combined list. Of course, the correct way to do this would be to move the relevant code from NTUserFolder to external methods and tidy everything up (you would still create a sub acl_users folder in the GenericUserFolder for 'manual' accounts if you need to override them with this interface - at least until I let people add User objects to the GenericUserFolder).
There are really deep and fundamental issues, I can see exactly what you're talking about, but implementation could take a while; last time I looked at the security system I shuddered.
Tell me about it - I'm trying to get GenericUserFolder to do cookies authentication 'securely'. The only way I can display a logon screen is to throw an exception from the validate method. Of course, throwing an exception means that the user folders above myself will never be checked. So this means my validate method, if it can't authenticate locally, has to crawl up the tree seeing if there are any positive validations before throwing the exception :-P
--
Zen (alias Stuart Bishop), Senior Systems Alchemist, Computer Science, RMIT
Work: zen@cs.rmit.edu.au
Play: zen@shangri-la.dropbear.id.au
WWW: http://www.cs.rmit.edu.au/~zen
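The chaining both messages describe (several user folders accumulated at one level, then crawling up the tree and raising only when nobody on the path validates), as an added stand-alone model that is not code from the thread or from Zope; Folder, UserFolder, chained_validate and build_tree are hypothetical stand-ins for Zope's acquisition-based objects, and the accounts are constructed sample data:

```python
import hmac

class Unauthorized(Exception):
    """Raised only when no user folder on the path could authenticate."""

class UserFolder:
    """Hypothetical stand-in for a Zope user folder: name -> password table."""

    def __init__(self, name, users):
        self.name = name
        self.users = dict(users)  # constructed sample accounts, plaintext for brevity

    def validate(self, request):
        """Return the user name on success, None if this folder can't vouch."""
        pw = self.users.get(request.get("user"))
        if pw is None or not hmac.compare_digest(pw, request.get("password", "")):
            return None
        return request["user"]

class Folder:
    """Hypothetical container; unlike stock Zope it may hold several user folders."""

    def __init__(self, name, parent=None, user_folders=()):
        self.name = name
        self.parent = parent
        self.user_folders = list(user_folders)

def chained_validate(folder, request):
    """Accumulate all user folders at this level, then crawl up the parents;
    raise Unauthorized (the 'show the logon screen' signal) only after every
    folder on the path has declined."""
    node = folder
    while node is not None:
        for uf in node.user_folders:
            user = uf.validate(request)
            if user is not None:
                return (uf.name, user)
        node = node.parent
    raise Unauthorized("no user folder on the path authenticated the request")

def build_tree():
    """Constructed sample tree: root holds the 'manual' acl_users accounts,
    the child level has a UserFolder and an NTUserFolder side by side."""
    root = Folder("root", user_folders=[UserFolder("acl_users", {"admin": "root-pass"})])
    child = Folder("child", parent=root, user_folders=[
        UserFolder("UserFolder", {"bob": "bob-pass"}),
        UserFolder("NTUserFolder", {"alice": "nt-pass"}),
    ])
    return child
```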