Jake Latham wrote at 2003-9-23 09:32 -0600:
... So, we had two ideas: First, is it possible to limit access of certain accounts based on an IP address? We should only ever be logging in as admins from our internal machines, so any external non-us IP would be automatically rejected.
Zope allows you to restrict logins based on IP/domain information. Note, however, that IP information can be forged without too much difficulty (--> masquerading).
Second, we had thought about setting up Zope & Apache to use SSL, but that seemed like a bit of overkill for a relatively simple desire.
Should I just go the SSL route, or is there a more obvious solution we're overlooking to protecting our more privileged accounts?
"https" will slow your site down. If this is not a problem, go this way. I plan to implement a post-authentication-hook for Zope. It will try to acquire an object "post_authentication_hook" and call it, if successful. The object (e.g. a Python Script) can then perform arbitrary checks, e.g. ensure that the current request came via "https" or is not proxied via Apache when the published object requires a "Manager" role. Up to now, it is just a plan; there is no timetable yet... Dieter
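A plain-Python sketch of the checks such a hook could make, added here as an illustration; it is not Dieter's code and not an existing Zope API. It assumes a CGI-style request mapping with HTTPS, REMOTE_ADDR and HTTP_X_FORWARDED_FOR keys, and the internal network ranges are constructed for the example.

```python
# Added example: what a "post_authentication_hook" might check, written as
# plain Python (assumption: the hook gets a CGI-style request mapping and the
# roles the published object requires, and returns accept/reject).
import ipaddress

# Constructed for the example: networks from which admins are expected to log in.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.1.0/24")]

# Roles that trigger the extra checks; everything else is left alone.
PRIVILEGED_ROLES = {"Manager"}


def post_authentication_hook(request, required_roles, internal_nets=INTERNAL_NETS):
    """Return (ok, reason).  Only requests for objects that require a
    privileged role are subjected to the https / proxy / address checks."""
    if not PRIVILEGED_ROLES & set(required_roles):
        return True, "no privileged role required"
    # 1. The request must have arrived over https (CGI convention: HTTPS=on).
    if request.get("HTTPS", "off").lower() != "on":
        return False, "privileged access requires https"
    # 2. Refuse requests that passed through a reverse proxy: REMOTE_ADDR would
    #    then be the proxy, and a forwarded-for header is client-supplied data
    #    that cannot be trusted for an address check.
    if "HTTP_X_FORWARDED_FOR" in request or "HTTP_VIA" in request:
        return False, "privileged access must not be proxied"
    # 3. The client address must lie inside one of the internal networks.
    try:
        addr = ipaddress.ip_address(request["REMOTE_ADDR"])
    except (KeyError, ValueError):
        return False, "no usable REMOTE_ADDR"
    if not any(addr in net for net in internal_nets):
        return False, "address %s is not internal" % addr
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests.
    print(post_authentication_hook({"HTTPS": "on", "REMOTE_ADDR": "10.1.2.3"}, ["Manager"]))
    print(post_authentication_hook({"HTTPS": "on", "REMOTE_ADDR": "203.0.113.5"}, ["Manager"]))
```

As Dieter notes about forged IP information, the address check alone is weak; the https and no-proxy conditions are what keep the address Zope sees meaningful.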