----- Original Message ----- From: "Karl Anderson" <karl@digicool.com>
This doesn't address the original problem - if you allow nonsecure authorization to a page, eventually someone will forget to access it via SSL and will send the password across in the clear. That's a valid point. Personally, I'm paranoid that my browser or proxy will send my credentials without being asked for, which IIRC they are allowed to do; so once I send credentials to my site, I always use SSL for other URLs. This is annoying, but wouldn't client certificates solve this problem?
The idea of client certificates is a nice one, but IIRC client certificates are something that needs to be looked at more in terms of "how will my organisation support client certs and how will we deploy them, what are the consequences, how much administration will this require, etc, etc..."

I am just now starting to look deeper into using SSL with Zope, since we are going to re-implement a lot of things done with Oracle's Web PL/SQL toolkit and our own Apache::OWA perl module, in Zope. We are planning to run Zope behind Apache using it as a proxy. Currently we have the option of configuring Apache to accept SSL-only connections for a given URI (I think this is done in the Alias section) but this is not an option for the things we do, since a large part of our site does not really need to be encrypted; we only want to provide encrypted access after you have logged in, and then we want to ensure that the parts that do require authentication are only accessible through SSL.

In Oracle's Web PL/SQL toolkit there is no simple way of knowing if a request is done with SSL or not, but I can see through which port a request was made. I have a method which gets called for every request, that checks if the request came in through a "valid" port; port 443 is in the list of "valid" ports. This I "know" since, in our setup, we use Apache SSL on port 443. It is also possible to use several ports that are known to use SSL, so it is quite flexible.

I am considering setting up something like this in Zope, that I want to couple with the built-in user management system in conjunction with LoginManager or something similar. Would this be possible? Can I force Zope to call a "verify port" method on every request?

Thanks,

/dario

--------------------------------------------------------------------
Dario Lopez-Kästen                 dario@ita.chalmers.se
Systems Developer                  ICQ will yield no hits
Chalmers Univ. of Technology       IT Systems & Services
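As an added example (not code from the thread or from Zope), here is the "verify port" check Dario describes, written as plain Python over a CGI-style environment dict (SERVER_PORT, REMOTE_ADDR, HTTP_* headers). It also covers the proxied setup he plans: behind Apache, Zope sees the proxy's backend port rather than 443, so the check has to rely on a header the proxy sets, and that header is only trusted when the peer is the proxy itself. The port list, proxy address, cookie name, protected path prefixes and the X-Forwarded-Proto header are assumptions for the example.

```python
SSL_PORTS = {443}                # ports Apache SSL listens on (constructed)
TRUSTED_PROXIES = {"127.0.0.1"}  # address Apache proxies to Zope from (constructed)
SESSION_COOKIE = "__ac"          # assumed name of the login cookie

def request_is_ssl(environ, ssl_ports=SSL_PORTS, proxies=TRUSTED_PROXIES):
    """True if the client's hop to the front door was SSL.

    Proxied case: SERVER_PORT is Apache's backend port, so the only evidence is a
    header Apache is configured to set (assumed: X-Forwarded-Proto).  Any client
    can send that header too, so it counts only when the peer is the proxy.
    Direct case: compare SERVER_PORT with the known SSL ports, as on the Oracle side.
    """
    if environ.get("REMOTE_ADDR") in proxies:
        return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
    try:
        return int(environ.get("SERVER_PORT", "0")) in ssl_ports
    except ValueError:
        return False

def carries_credentials(environ):
    """Browser is offering credentials: a Basic/Digest header or the login cookie."""
    if "HTTP_AUTHORIZATION" in environ:
        return True
    cookies = environ.get("HTTP_COOKIE", "")
    return any(c.strip().startswith(SESSION_COOKIE + "=") for c in cookies.split(";"))

def https_url(environ):
    """Same resource on the SSL front door (port dropped from Host: 443 is implied)."""
    host = environ.get("HTTP_HOST", "localhost").split(":")[0]
    url = "https://%s%s" % (host, environ.get("PATH_INFO", "/"))
    qs = environ.get("QUERY_STRING")
    return url + "?" + qs if qs else url

def verify_port(environ, protected=("/manage", "/members")):
    """Per-request decision: ('allow', None), ('redirect', url) or ('deny', reason).

    Credentials that already arrived in the clear cannot be un-sent, so that case is
    refused outright instead of redirected (a redirect would just re-send them over SSL
    after the damage is done).  Unauthenticated hits on protected paths are bounced to
    the SSL URL before the browser is ever asked for a password.
    """
    if request_is_ssl(environ):
        return ("allow", None)
    if carries_credentials(environ):
        return ("deny", "credentials received over a non-SSL port")
    if environ.get("PATH_INFO", "/").startswith(tuple(protected)):
        return ("redirect", https_url(environ))
    return ("allow", None)
```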