Ronan BARZIC wrote:

> Hello,
>
> I have a problem with Zope 1.0.9 (source distribution) with authentication. I'm using Apache 1.2.6 from a RedHat 5.1 distribution with the standard configuration files plus the rewrite rule in httpd.conf:
>
>     RewriteEngine on
>     RewriteLog /etc/httpd/logs/rewrite.log
>     RewriteLogLevel 9
>     RewriteCond %{HTTP:Authorization} ^(.*)
>     RewriteRule ^/Zope/(.*) /home/httpd/cgi-bin/Zope.cgi/$1 [e=HTTP_CGI_AUTHORIZATION:%1,t=application/x-httpd-cgi,l]
>
> For testing, I've installed Zope under /home/httpd/Zope-1.9.0-src and a link with /home/hhtpd/Zope.lnk. Zope.cgi is in the cgi-bin directory.
>
> The URL //mymachine/cgi-bin/Zope.cgi gives the welcome page. The URL //mymachine/cgi-bin/Zope.cgi/manage asks for the superuser name and the password, but it fails.
>
> The URL //mymachine/Zope/manage asks for the superuser name and the password, but it fails. The log for the rewrite rule seems to be correct (and it works...)
You ran into the same problem I did. A standard build of Apache won't cut it. Apache normally doesn't provide the HTTP_AUTHORIZATION environment variable to CGIs because it can potentially be exploited by malicious CGIs (on your server). From src/main/util_script.c:

    /*
     * You really don't want to disable this check, since it leaves you
     * wide open to CGIs stealing passwords and people viewing them
     * in the environment with "ps -e".  But, if you must...
     */

In our case, in order for Zope to do authentication, it NEEDS the HTTP_AUTHORIZATION environment variable to check the password against its own authentication "database". So if you trust the CGIs that are running on your server (you should if this is any kind of "production" server), and you don't have users you don't trust on the machine (you shouldn't) typing 'ps -e' (so they can see the environment of the CGI process), this isn't a problem.

I presume that if you are using the python/bobo/apache plugin, this mightn't be a problem, but I don't know for sure. If you are using ZopeHTTPServer, I presume there shouldn't be any problem there either.

There is probably a FAQ entry on this somewhere, but what you do is get the Apache source code and configure it. Then edit src/main/Makefile and add -DSECURITY_HOLE_PASS_AUTHORIZATION to CFLAGS and build, and it should work. Alternatively, since you are using Linux, you could just get the binaries.

Cheers,
Drew

P.S. Didn't mean to scare anybody. :)

--
Drew Csillag
Python and Linux Weenie
Senior Engineer
StarMedia Network
(212)-548-9693

"Walking on water and developing software (on time)
 from a specification is easy...
 If both are frozen"
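The two mechanisms discussed in this thread leave the credential in one of two CGI variables: HTTP_AUTHORIZATION when Apache is rebuilt with -DSECURITY_HOLE_PASS_AUTHORIZATION, or HTTP_CGI_AUTHORIZATION when the RewriteRule's e= flag re-exports it. The following is an added example (not Zope's or Apache's code, and not from either poster) of how a Python CGI would read the header from whichever variable is present and decode a Basic credential, treating a missing, non-Basic or malformed header as "no credentials" rather than an error; all names and the sample values are constructed for illustration.

```python
import base64
import binascii
import os

# Apache normally strips HTTP_AUTHORIZATION from the CGI environment. The
# rewrite rule from the thread re-exports the header as HTTP_CGI_AUTHORIZATION,
# and an Apache built with -DSECURITY_HOLE_PASS_AUTHORIZATION passes the
# original name through, so a CGI doing its own auth must accept either.
AUTH_VARS = ("HTTP_AUTHORIZATION", "HTTP_CGI_AUTHORIZATION")


def find_authorization(environ):
    """Return the raw Authorization header from a CGI environment, or None."""
    for name in AUTH_VARS:
        value = environ.get(name)
        if value:
            return value.strip()
    return None


def parse_basic(header):
    """Decode 'Basic <base64(user:password)>' into (user, password).

    Returns None for a missing, non-Basic or malformed header so the caller
    falls back to the normal 401 challenge instead of echoing the raw header
    into an error page or log.
    """
    if not header:
        return None
    scheme, _, encoded = header.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id may not contain ':'; the password may.
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def credentials_from_cgi(environ=None):
    """Credentials from the live CGI environment (or a supplied dict for tests).

    Note: deleting the variable from os.environ after reading it does not hide
    it from 'ps -e' or /proc/<pid>/environ, which show the process's original
    environment block; the exposure the Apache comment warns about stays.
    """
    env = os.environ if environ is None else environ
    return parse_basic(find_authorization(env))
```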