To achieve genuine security, you have to do something about the 'password in the clear' problem.
part 1) With basic auth (the zope default), the user's name and password are sent in the clear with every request.
part 2) With form based login (login manager, zmc), the user's name and password are sent in the clear when the login form is submitted.
Solution: Have to go with form based login that uses ssl to send user's name and password.
Unfortunately, in my experience, ssl support for zope is only third party (no offense to Mr. Siong or Mr. Bickers, thanks for your work so far) and hard to integrate, when this is really a core requirement. I think this is something that DC has to handle.
Bill.
On Mon, 19 Mar 2001, Bernd Worsch wrote:
It's some time ago, the issue of denying roles showed up.
I'd really wish to see this implemented, so has this problem made it into the collector? (The feature index seems broken to me at the moment)
Thanks to John for pointing out what I thought :) Bernd
On Thu, Mar 01, 2001 at 10:00:13AM +0000, Chris Withers wrote:
"John R. Daily" wrote:
That is precisely what is wrong with the model. To achieve manageable and genuine security, I want to acquire _all_ permissions and specifically deny those roles to which the inherited permissions may not be correct.
I'd agree with this, but I don't know how important it is.
I'd suggest chucking it in the collector as a Feature Request.
cheers,
Chris
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
--
-----Bernd Worsch-----------bernd.worsch@frontsite.de--------