RE: [Zope-Annce] jcNTUserFolder 0.2.1 released
One way is to not replicate the challenge-response functionality at all. Put Zope behind IIS in two spots: one which is protected and thus elicits a challenge/response, and another that has IIS anonymous access on it. Then get the Zope security machinery to alternate between the two URLs depending on the security required. Then all you need is remote user mode in Zope to work by allowing any remote user secure access, perhaps remembering new REMOTE_USERs so further roles can be associated with them. I've tried doing this in the past, but I think my install of IIS was screwed and I couldn't use either jcNTUserFolder or GUF to allow any REMOTE_USER in, so I gave up. Would my idea work, or is it flawed?
-----Original Message-----
From: Jephte CLAIN [mailto:Jephte.Clain@univ-reunion.fr]
Sent: Tuesday, 4 December 2001 3:40 PM
To: Jay, Dylan
Cc: zope-dev@zope.org
Subject: Re: [Zope-Annce] jcNTUserFolder 0.2.1 released
"Jay, Dylan" wrote:
> Can I ask you a question? Something I've tried to do in the past with jcNTUserFolder (maybe not tried hard enough) is this. I want all my users to be authenticated via a challenge-response mechanism such that no one has to enter a username or password.
> From what I can work out jcNTUserFolder doesn't actually help with this at all, or have I missed something?

I wrote jcNTUserFolder just to do that, you know :-) But, currently, you have to go through IIS. I think there is a howto on http://www.zope.org/Members/jephte

I have tried to look at challenge/response authentication, but it is so hard and so undocumented that I left it. It would require changing Medusa (IIS and IE use a connection that is not closed when in challenge/response mode; it seems it must be so, at least for the challenge/response part of the protocol; I suppose it would take too much time if they had to authenticate on each connection :), changing Zope (you don't have the password, just a hash, which you must ask the PDC to validate for you, unless someone knows how the hash is generated), and having a compatible User Folder.

However, if someone can point me to a good source of documentation about that, and some example code, I may want to give it a try again.

regards, jephte.clain@univ-reunion.fr
"Jay, Dylan" wrote:
> One way is to not replicate the challenge-response functionality at all.

This is the solution I have opted for. It has run now for two years :-) The problem is Zope cannot be in remote user mode and in normal mode at the same time. I think that setting up a ZEO cluster (one Zope instance that is served through IIS and is used to update content, and one which has the normal behavior and serves public content) could enable this, but I haven't tried yet.

> Put Zope behind IIS in two spots. One which is protected and thus elicits a challenge/response and another that has IIS anonymous access on it. Then get the Zope security machinery to alternate between the two URLs depending on the security required.

Please elaborate: you mean that when access to http://iis.host.com/zope_anonymous.pcgi/protected_resource is forbidden, Zope automatically redirects the user to http://iis.host.com/zope_protected.pcgi/protected_resource?

> Then all you need is remote user mode in Zope to work by allowing any remote user secure access. Perhaps remembering new REMOTE_USERs so further roles can be associated with them.

I don't understand :-(

regards, jephte.clain@univ-reunion.fr
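The two-entry-point scheme the thread goes back and forth on (an anonymous IIS entry point, a protected one that runs the challenge/response, and a server that trusts REMOTE_USER only from the latter and remembers new users so roles can be attached to them) is sketched below as an added example. It is not code from the thread, from jcNTUserFolder, or from Zope; it is plain Python working on a CGI/WSGI-style `environ` dictionary. The two `.pcgi` prefixes are the ones quoted in the thread, while `UserRegistry`, `identify`, `authorize` and the "Authenticated" default role are assumptions made for the illustration. The security point it makes is the one a practitioner needs: REMOTE_USER is accepted only on the protected entry point, since on the anonymous one IIS never authenticated anybody and any value there could only have come from a client or a misconfiguration, and a request that reaches the protected entry point without REMOTE_USER is refused rather than redirected, so a broken IIS setup produces a 403 instead of a redirect loop.

```python
"""Sketch of a two-entry-point REMOTE_USER scheme behind IIS (hypothetical names)."""
from urllib.parse import quote

# Entry points as quoted in the thread: IIS anonymous access on the first,
# IIS challenge/response (which sets REMOTE_USER) on the second.
ANON_PREFIX = "/zope_anonymous.pcgi"
PROTECTED_PREFIX = "/zope_protected.pcgi"


class UserRegistry:
    """Remembers every REMOTE_USER seen on the protected entry point, so that
    further roles can be granted to it later (assumed design, not Zope's)."""

    def __init__(self, default_roles=("Authenticated",)):
        self.users = {}                      # name -> set of roles
        self.default_roles = tuple(default_roles)

    def remember(self, name):
        """Create the user with the default roles on first sight; return its roles."""
        return self.users.setdefault(name, set(self.default_roles))

    def grant(self, name, role):
        self.remember(name).add(role)

    def roles_of(self, name):
        return frozenset(self.users.get(name, ()))


def identify(environ):
    """Return the principal IIS authenticated, or None.

    REMOTE_USER is trusted only when the request came in through the
    protected entry point. On the anonymous entry point IIS ran no
    challenge/response, so a REMOTE_USER there is not evidence of anything
    and is deliberately ignored."""
    if environ.get("SCRIPT_NAME") != PROTECTED_PREFIX:
        return None
    return environ.get("REMOTE_USER") or None


def protected_url(environ):
    """Same resource, reached through the protected entry point."""
    url = PROTECTED_PREFIX + quote(environ.get("PATH_INFO", "/"))
    if environ.get("QUERY_STRING"):
        url += "?" + environ["QUERY_STRING"]
    return url


def authorize(environ, registry, required_role):
    """Decide what a request gets.

    Returns one of:
      ("ok", user)          serve the resource
      ("redirect", url)     bounce an unauthenticated request to the
                            protected entry point so IIS can authenticate it
      ("forbidden", user)   refuse (missing role, or no REMOTE_USER even on
                            the protected entry point: never redirect there,
                            that would loop)
    """
    user = identify(environ)
    if required_role is None:                # public resource
        return ("ok", user)
    if user is None:
        if environ.get("SCRIPT_NAME") == PROTECTED_PREFIX:
            return ("forbidden", None)       # IIS misconfigured; do not loop
        return ("redirect", protected_url(environ))
    roles = registry.remember(user)          # first sight gets default roles
    if required_role in roles:
        return ("ok", user)
    return ("forbidden", user)


if __name__ == "__main__":
    # Constructed sample environs, not captured from a real IIS.
    reg = UserRegistry()
    anon = {"SCRIPT_NAME": ANON_PREFIX, "PATH_INFO": "/protected_resource",
            "REMOTE_USER": "DOMAIN\\someone"}      # ignored: wrong entry point
    prot = {"SCRIPT_NAME": PROTECTED_PREFIX, "PATH_INFO": "/protected_resource",
            "REMOTE_USER": "DOMAIN\\alice"}
    print(authorize(anon, reg, "Manager"))        # redirect to protected URL
    print(authorize(prot, reg, "Manager"))        # forbidden: no Manager role yet
    reg.grant("DOMAIN\\alice", "Manager")
    print(authorize(prot, reg, "Manager"))        # ok
```

Note that the anonymous entry point must also be configured so that IIS does not pass a client-supplied value through as REMOTE_USER; the `SCRIPT_NAME` check above is the server-side half of that boundary, not a substitute for it.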
participants (2)
- Jay, Dylan
- Jephte CLAIN