Bill,

There is another answer to part 2: use JavaScript to create an md5 hash of the user, somesecret, password. This can be sent instead of the password and then validated on the server side. Since the username and md5 hash are all that is sent across the wire, it should be a lot more secure than plain text.

I have a library for JavaScript md5 if anyone is interested (which, btw, I 'stole' from the PHPlib ;) ).

Phil
phil.harris@zope.co.uk

----- Original Message -----
From: "Bill Welch" <bill@carbonecho.com>
To: <zope@zope.org>
Sent: Monday, March 19, 2001 5:07 PM
Subject: Re: [Zope] Zope security management
To achieve genuine security, you have to do something about the 'password in the clear' problem.
Part 1) With basic auth (the Zope default), the user's name and password are sent in the clear with every request.
Part 2) With form-based login (login manager, zmc), the user's name and password are sent in the clear when the login form is submitted.
Solution: You have to go with a form-based login that uses SSL to send the user's name and password. Unfortunately, in my experience, SSL support for Zope is only third party (no offense to Mr. Siong or Mr. Bickers, thanks for your work so far) and hard to integrate, when this is really a core requirement.
I think this is something that DC has to handle.
Bill.
On Mon, 19 Mar 2001, Bernd Worsch wrote:
It's been some time since the issue of denying roles showed up.
I'd really wish to see this implemented, so has this problem made it into the collector? (The feature index seems broken to me at the moment.)
Thanks to John for pointing out what I thought :)

Bernd
On Thu, Mar 01, 2001 at 10:00:13AM +0000, Chris Withers wrote:
"John R. Daily" wrote:
That is precisely what is wrong with the model. To achieve manageable and genuine security, I want to acquire _all_ permissions and specifically deny those roles to which the inherited permissions may not be correct.
I'd agree with this, but I don't know how important it is.
I'd suggest chucking it in the collector as a Feature Request.
cheers,
Chris
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
--
-----Bernd Worsch-----------bernd.worsch@frontsite.de--------