since you already use apache a set of clever rewrite rules in your apache configuration would be able to pick up on and redirect accesses to the retsricted areas to ensure they go over https. jens On Thursday, June 20, 2002, at 04:33 , Paul Horbal wrote:
Hi everyone,
I'm wondering what experiences people have had trying to implement digest authentication or SSL on their Zope sites.
Here's my situation:
I have ZServer proxied by Apache. Areas of our site are password-protected and require a valid user. Unfortunately, this authentication is Basic and cleartext usernames/passwords are sent. Obviously less than ideal. At present, acceptable, since our website user database is independent from our actual user accounts for the lab in which we work. Some day, I would like to get Zope to use LDAP for user authentication - but there is no way that could happen unless authentication for the website was seriously secure. There is some third-party IP in our lab and NDAs aside, they generally don't like to find gaping security holes in our system.
I understand Digest has some definite shortcomings and to my knowledge, isn't even implemented in Zope. But with HTTPS, I have another problem. Specifically, not all of the site is password-protected. I don't want every visitor using HTTPS to browse the site. I only want secure authentication for password-protected areas of the site. So when a user goes to www.mysite.com/private, he will be authenticated securely.
Any suggestions or pointers would be much appreciated...
thanks Paul.
-- horbal@atips.ca
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )