RE: [Zope] Access Permission by Domain and without Login?
I asked for suggestions on restricting access to otherwise anonymously-accessible pages and methods. It has been pointed out to me offline that restriction by domain *name* can have security problems. But my terminology was misleading, because that is not quite what I had in mind.

I am asking about restriction by specific IP number ranges, like 140.90.*.*, not by domain *name*.

Cheers,
Tom P
For a Zope 2.7/Plone 2 site, I would like to restrict (otherwise) anonymous access to certain specific pages or methods to people making the request from specific domains. I know that I can specify a domain for a particular user, but I want this to apply to anyone, without any special per-user configuration, and without requiring a login.
Also I want to do this without putting Zope behind Apache or any other proxy, if this is possible.
I don't recall seeing this discussed. Does anyone have suggestions as to how to accomplish this?
Those can be spoofed as well. There's no increased security there.

jens

On Jun 14, 2004, at 10:57 AM, Passin, Tom wrote:
_______________________________________________ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Jens Vagelpohl wrote:
Those can be spoofed as well. There's no increased security there.
Hello Jens,

Is the domain filtering in Zope going by the client IP in the HTTP header? I assume you mean the client IP value in the HTTP header can be set to any value without affecting the actual IP it originated from? If that's the case, then domain filtering in Zope is not useful in my opinion. Please point out fallacies in my reasoning, if any :)

ty
sathya
sathya wrote at 2004-6-14 10:35 -0500:
Is the domain filtering in Zope going by the client IP in the HTTP header?
I assume you mean the client IP value in the HTTP header can be set to any value without affecting the actual IP it originated from?
If that's the case, then domain filtering in Zope is not useful in my opinion. Please point out fallacies in my reasoning, if any :)
I expect (though did not check) that the HTTP header "REMOTE_ADDR" is set by the Web server to the IP of the incoming socket connection -- independent of any "REMOTE_ADDR" that might be present in the request. Nevertheless, this IP might quite easily have been forged.

-- Dieter
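The distinction Dieter draws above (the server-recorded REMOTE_ADDR versus anything the client puts in its own headers) is the whole basis for the IP-range restriction Tom is after. The following is an added example, not code from the thread or from Zope itself. It uses a plain dict as a stand-in for the CGI/WSGI-style environ that Zope's REQUEST exposes, where the server writes REMOTE_ADDR from the accepted socket and client-sent headers appear only under HTTP_* keys. The allowed range 140.90.*.* comes from Tom's message; the other addresses, the `guard` wrapper and the wildcard parser are constructed for this example.

```python
import ipaddress

# Headers a client can freely set. In a CGI/WSGI environ they are exposed as HTTP_*
# keys, so a client header literally named "REMOTE_ADDR" lands in HTTP_REMOTE_ADDR
# and never overwrites the server-set REMOTE_ADDR. (Constructed list for the example.)
CLIENT_CONTROLLED_HINTS = ("HTTP_X_FORWARDED_FOR", "HTTP_CLIENT_IP", "HTTP_REMOTE_ADDR")


def wildcard_to_network(pattern):
    """Convert a dotted wildcard such as '140.90.*.*' into an ip_network.

    Only trailing wildcards are accepted; '140.*.90.*' is rejected because it
    cannot be expressed as a single CIDR prefix.
    """
    octets = pattern.split(".")
    if len(octets) != 4:
        raise ValueError("expected four dotted octets: %r" % pattern)
    fixed = []
    for octet in octets:
        if octet == "*":
            break
        fixed.append(int(octet))
    if any(octet != "*" for octet in octets[len(fixed):]):
        raise ValueError("wildcards must be trailing: %r" % pattern)
    prefix_len = 8 * len(fixed)
    fixed += [0] * (4 - len(fixed))
    return ipaddress.ip_network("%d.%d.%d.%d/%d" % tuple(fixed + [prefix_len]))


# Allow-list taken from the thread: 140.90.*.* is 140.90.0.0/16.
ALLOWED_NETWORKS = [wildcard_to_network("140.90.*.*")]


def peer_address(environ):
    """Return the socket peer address as recorded by the server.

    Deliberately reads only REMOTE_ADDR. The HTTP_* hints are ignored because,
    without a proxy you control in front of Zope, they are attacker-controlled.
    """
    return ipaddress.ip_address(environ["REMOTE_ADDR"])


def is_allowed(environ, networks=ALLOWED_NETWORKS):
    """True when the server-observed peer address falls inside an allowed range."""
    addr = peer_address(environ)
    return any(addr in net for net in networks)


def guard(environ, protected_view):
    """Hypothetical wrapper: run the view only for allowed peers, else 403."""
    if not is_allowed(environ):
        return 403, "Forbidden"
    return 200, protected_view()


if __name__ == "__main__":
    # Constructed sample environs. 203.0.113.0/24 is documentation address space.
    samples = [
        {"REMOTE_ADDR": "140.90.12.34"},                                       # inside range
        {"REMOTE_ADDR": "203.0.113.5", "HTTP_X_FORWARDED_FOR": "140.90.12.34"},  # forged hint
        {"REMOTE_ADDR": "203.0.113.5", "HTTP_REMOTE_ADDR": "140.90.12.34"},     # forged "REMOTE_ADDR"
    ]
    for env in samples:
        status, body = guard(env, lambda: "protected page")
        print(env["REMOTE_ADDR"], "->", status, body)
```

What this check verifies is only the source address of the TCP connection as the server saw it. It says nothing about who sits behind that address (NAT, shared proxies or a compromised host inside the allowed range), which is the residual risk Dieter's last sentence points at. If Zope is later placed behind a proxy you operate, the proxy becomes the peer for every request and the check would have to be moved to the proxy or taught to read the forwarding header only from that proxy's address.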
participants (4)
- Dieter Maurer
- Jens Vagelpohl
- Passin, Tom
- sathya