On Mon, 2003-12-01 at 21:25, Joshua Newman wrote:
I've installed SSLAbsoluteURL but it seems to demand that I use links of a certain format: can't use: (end brackets removed for html email readers) A HREF="/Services/Support/Zope">Zope Support</A
but rather must use:
A HREF="<dtml-var "Services.Support.Zope" url>">Zope Support</A A HREF="<dtml-var "Zope" url>">Zope Support</A or this: A HREF="&dtml.url-Zope;">Zope Support</A
I haven't used that package... but at some level, you're just returning a string with https:// in it. The client neither knows nor cares how it was generated. There are plenty of ways you could wrap your hrefs in something that checked which protocol the link should be served under. Say, for example, you had an object called http_mode that you put at the root of any hierarchy that needed a particular http/https value set. Then you could pass link hrefs to something like: --- split_url = my_url.split(':') split_url[0] = context.http_mode() return ':'.join(split_url) ---
3. If I remove the 's' from 'https' after following one of my encrypted links I can still get the page unencrypted (i.e.http://...). Is there any way to stop this? It seems to defeat the purpose of encryption.
This is something that Apache's much better at, honestly. But if you want a pure ZServer solution and had already set up those http_mode objects used above, you could easily insert a check that will break non-conforming requests, eg: ---- if context.REQUEST.URL.split(':')[0] != context.http_mode(): raise RuntimeError, 'This resource may only be viewed with https' ---- HTH, Dylan