Does the 2.7 edition of the zope book that I can find on plope.org cover security as handled by PAS?

C

********************************
Cris Ewing
CME and Telehealth Web Services
Department of Radiology Web Services
University of Washington School of Medicine
Work Phone: (206) 685-9116
Home Phone: (206) 365-3413
E-mail: cewing@u.washington.edu
*******************************

On Thu, 16 Nov 2006, Maciej Wisniowski wrote:
I have been able to log in to my zope instance via localhost:8080/manage, and when I've added the 'access' file with my username, a colon, and a newline, no password is required to log in. So I think the 'RemoteUserAuth' plugin described at the above site is working correctly.

I don't know this kind of SSO. Seems to be complicated. CACSiteRoot and RemoteUserAuth I don't know any of these... Think it will be difficult to help you until there is somebody that used those things, but maybe I'm wrong :)
I don't fully grasp the way that user authentication works in zope. I'm not sure where to begin to look for the problem here, and I'm hoping someone can help.

You may read about Zope Security system on plope.org in Zope Book 2.7 edition.
You may want to take a look at error_log, and maybe remove unauthorized from the list of omitted exceptions there. Additionally you may want to enable VerboseSecurity in zope.conf. AFAIR you need to uncomment:
SecurityPolicyImplementation Python
VerboseSecurity On
Maybe then you'll see more information.
And how to debug zope part of authentication... You may possibly take a look at the sources of RemoteUserAuth. It is possibly something with that. Simplest debugging may be done by adding
print 'hello - im here!'
statements to the RemoteUserAuth code, and then running Zope with ./runzope (or runzope.bat on Windows). It doesn't detach from console and you'll see your printed statements. You may also use pdb - python debugger:
http://plone.org/documentation/how-to/using-pdb
However, when I try to access the ZMI via apache (http://myhost.com/manage which gets rewritten to http://localhost:8080/manage in apache proxy), I am prompted via basic auth for username and password, and anything I enter is rejected.

Typically apache rewrites make use of VirtualHostMonster in Zope but your how-to uses different syntax.
The expected behavior is that mod_fba sets an authorization header with a username from pubcookie and sends it to zope with a page request for the ZMI.

I don't understand why this SSO is about ZMI? ZMI is Zope Management Interface - so it is rather for managers/programmers, not for typical users. Strange.
We've successfully implemented SSO solution with CAS. There are nice plugins for Zope and Plone to deal with this.
-- Maciej Wisniowski