From: zope-bounces@zope.org [mailto:zope-bounces@zope.org] On
Those can be spoofed as well. There's no increased security there.
Yes, but... In this case the customer wants (or thinks it is wanted) this kind of capability, and the security does not have to be the very highest. Many web servers let you set this kind of restriction. Of course, having authenticated users be members of groups with the restricted role is more secure, but it does require that each person join and be manually assigned to the select group. The scenario here is that anyone coming in from, say, noaa.gov, would be allowed to access a form that is not supposed to be open to the general public. Most of these people would not be members of the site. If a few determined people hacked up their packets with forged addresses and thereby got to the form, no harm would be done. The only reason for the restriction is that the client does not want to have to sort through spurious submissions from people who are not involved with the process.
Cheers,
Tom P
On Jun 14, 2004, at 10:57 AM, Passin, Tom wrote:
I asked for suggestions on restricting access to otherwise anonymously-accessible pages and methods. It has been pointed out to me off line that restriction by domain *name* can have security problems. But my terminology was misleading, because that is not quite what I had in mind.
I am asking about restriction by specific IP number ranges, like 140.90.*.*, not by domain *name*.
Cheers,
Tom P
For a Zope 2.7/Plone 2 site, I would like to restrict (otherwise) anonymous access to certain specific pages or methods to people making the request from specific domains. I know that I can specify a domain for a particular user, but I want this to apply to anyone, without any special per-user configuration, and without requiring a login.
Also I want to do this without putting Zope behind Apache or any other proxy, if this is possible.
I don't recall seeing this discussed. Does anyone have suggestions as to how to accomplish this?
_______________________________________________
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
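The restriction by IP number range discussed in the thread (for example 140.90.*.*), sketched as an added example that is not code from any poster or from Zope. It assumes modern Python 3 and a CGI-style request environment dict carrying `REMOTE_ADDR`; the function names are hypothetical.

```python
import ipaddress


def wildcard_to_network(pattern):
    """Convert a dotted wildcard such as '140.90.*.*' to an IPv4 network.

    Only trailing wildcards are accepted, so the result is always one
    contiguous CIDR block. An all-wildcard pattern is rejected so that a
    typo cannot silently open the form to everyone.
    """
    parts = pattern.split(".")
    if len(parts) != 4:
        raise ValueError("expected four dotted fields: %r" % pattern)
    fixed = []
    for part in parts:
        if part == "*":
            break
        fixed.append(part)
    if not fixed or any(p != "*" for p in parts[len(fixed):]):
        raise ValueError("need fixed leading octets, trailing wildcards: %r" % pattern)
    octets = fixed + ["0"] * (4 - len(fixed))
    # ip_network() raises ValueError on non-numeric or out-of-range octets.
    return ipaddress.ip_network("%s/%d" % (".".join(octets), 8 * len(fixed)))


def is_allowed(environ, networks):
    """Return True if the connection's peer address is inside a listed network.

    Only REMOTE_ADDR (the TCP peer) is consulted. Client-supplied headers
    such as X-Forwarded-For are ignored: the setup in the thread has no
    proxy in front, so any such header is whatever the sender typed.
    """
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False  # missing or malformed address: fail closed
    return any(peer in net for net in networks)


if __name__ == "__main__":
    # Constructed sample requests, using the range quoted in the thread.
    nets = [wildcard_to_network("140.90.*.*")]
    for addr in ("140.90.12.7", "140.91.0.1", "not-an-address"):
        print(addr, is_allowed({"REMOTE_ADDR": addr}, nets))
```

As the thread itself notes, this filters casual submissions rather than authenticating anyone.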