But if you've got Apache ssl as well then it's more secure. The problem I've found is that you can't put this in the httpd.conf unless it is wrapped in a <Directory></Directory> directive

AuthType Basic
AuthName "Members Only"
AuthUserFile /path/to/.htpasswd
require valid-user

And the virtual host doesn't have a directory. If I were to place this in the zope root then I would password protect all the sites. I only want to password protect one etc.

On 2/8/06, Andreas Pakulat <apaku@gmx.de> wrote:
On 07.02.06 23:58:20, michael nt milne wrote:
Also, just to say that I did a test on only letting authenticated and managers view the root page of the site over ssl. If you just cancelled the login box or closed it, the whole front page was displayed without any css but you could still get all the content.
Then you had the proper rights somehow.
I've had this quite a bit before so that's why I'm looking into Apache authentication. I just don't think that Zope authentication is secure.
Authentication via .htpasswd uses the same HTTP method as the basic login into Zope. It's not more or less secure than authenticating directly with Zope.
Andreas
-- There is a 20% chance of tomorrow.
-- Michael
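
Added example, not part of the original thread: a sketch of the HTTP Basic scheme (RFC 7617) that both the .htpasswd setup and the Zope login box rely on, showing that the credentials are only base64-encoded in the request, so confidentiality comes from SSL and not from which server checks the password. The host name, user and password are constructed sample values, and the function names are hypothetical.

```python
import base64
import binascii


def build_basic_header(user, password):
    """Header value a browser sends after the login box is filled in."""
    if ":" in user:
        raise ValueError("user-id must not contain ':' (RFC 7617)")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_header(value):
    """Return (user, password), or None if value is not well-formed Basic."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        text = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Only the first ':' separates user from password; passwords may contain ':'.
    user, sep, password = text.partition(":")
    return (user, password) if sep else None


def credentials_from_request(raw_request):
    """What anything that can read the request sees when there is no SSL."""
    for line in raw_request.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            return parse_basic_header(value)
    return None


# Constructed sample request; the bytes are the same whether Apache
# (.htpasswd) or Zope itself ends up validating the password.
SAMPLE_REQUEST = (
    "GET /members HTTP/1.1\r\n"
    "Host: site.example\r\n"
    "Authorization: " + build_basic_header("member", "pa:ss") + "\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(credentials_from_request(SAMPLE_REQUEST))
```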