I'm hoping to set up a Zope (Plone) site on our corporate intranet. We have an existing system by which we validate users based on a corporate user database. The way things usually work is that the web servers themselves make sure that users are validated before they can access content. In summary, the web servers act as a gatekeeper.

There are two issues here. The first is authentication. I'm not that concerned about the authentication at the moment. I'm going to assume, for the moment, that Zope will operate behind one of these web servers. The other issue is handling the users once they are authenticated. I'd like to know if something like the following scenario is possible:

1) The web server gets a request for something on my site.
2) The web server first requests authentication (the Zope site hasn't even been accessed at this point).
3) Authentication is successful and the request is passed on to my Zope site (e.g. as a CGI request).

At this point, Zope can find out who the user is (i.e. their identification/username) since it is encoded in a cookie (I guess). Is it possible to set up a user policy as follows:

Anyone who has successfully passed the authentication stage is treated as an anonymous user

...unless...

Their username (as conveyed by the web server authentication process) matches a valid user on the Zope system, in which case Zope treats them as that user.

The key elements to making this seamless are:

1) Once authenticated, the user is not prompted (by the Zope site) for their username or password.
2) If a user wants to "join" the Zope site, they shouldn't have to supply a password for authentication. It should be sufficient that they have already been authenticated. Just asking to join should make them a Zope user.

Now, I'm wondering what are the essential elements of implementing such a scheme?

I'm relatively new to Zope so please speak slowly and feel free to include pedantic details. :-)

Thanks.

--
Mike
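
The user policy described in the message above, as an added example that is not part of the original message and is not Zope or Plone code. It assumes the front-end server hands over the authenticated name in the CGI variables AUTH_TYPE and REMOTE_USER; the class, method and constant names are hypothetical.

```python
ANONYMOUS = "Anonymous User"  # label for the unmapped case (constructed name)


class SiteUsers:
    """Hypothetical local member list; it stores no passwords."""

    def __init__(self, members=()):
        self._members = set(members)

    @staticmethod
    def authenticated_name(environ):
        """Username vouched for by the front-end server, or None.

        Assumption: the server exposes it as the CGI variables AUTH_TYPE and
        REMOTE_USER. HTTP_* variables are copies of client-sent headers, so
        they are never consulted.
        """
        if not environ.get("AUTH_TYPE"):
            return None
        name = environ.get("REMOTE_USER", "").strip()
        return name or None

    def resolve(self, environ):
        """Member name if the authenticated user is a member, else anonymous."""
        name = self.authenticated_name(environ)
        return name if name in self._members else ANONYMOUS

    def join(self, environ):
        """Enrol the already-authenticated caller without asking for a password."""
        name = self.authenticated_name(environ)
        if name is None:
            raise PermissionError("no identity from the front-end server")
        self._members.add(name)
        return name


if __name__ == "__main__":
    # Constructed CGI environments, not captured from a real server.
    site = SiteUsers(members={"mike"})
    visitor = {"AUTH_TYPE": "Basic", "REMOTE_USER": "pat"}
    print(site.resolve({"AUTH_TYPE": "Basic", "REMOTE_USER": "mike"}))  # member
    print(site.resolve(visitor))   # authenticated, but not a member yet
    site.join(visitor)
    print(site.resolve(visitor))   # now mapped to the local user
```

The scheme holds only while the application is reachable solely through the authenticating server, since the username is accepted without any further proof.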