Just a quick question:

When you log on as a user in a Zope, is it possible to authenticate users via a secure connection easily? (via SSL, aka. https).

I find it a bit discomforting when people can monitor the network and sniff the passwords used to access the folders of my users. (I know the superuser password is relatively safe because of the IP-check, but ideally this should also be SSL encrypted.)

Thanks in advance,
Alexander Limi
mp3.no
You need to use Apache as a secure webserver, serving Zope through FastCGI and PCGI. Zope in itself doesn't support SSL. If anyone wants to try to change that, they can have a look at http://sites.inka.de/ms/python/pyca/.

Regards,
Johan Carlsson
> Just a quick question:
> When you log on as a user in a Zope, is it possible to authenticate users via a secure connection easily? (via SSL, aka. https).
> I find it a bit discomforting when people can monitor the network and sniff the passwords used to access the folders of my users. (I know the superuser password is relatively safe because of the IP-check, but ideally this should also be SSL encrypted.)
> Thanks in advance,
> Alexander Limi mp3.no
Alexander Limi wrote:

> Just a quick question:

Yes of course. :-)

> When you log on as a user in a Zope, is it possible to authenticate users via a secure connection easily? (via SSL, aka. https).

Of course, you can run Zope behind Apache-SSL, Netscape, etc. We have several customers doing this. Then you might just write a small rule that prohibits: .*/manage for non-secure connections.

> I find it a bit discomforting when people can monitor the network and sniff the passwords used to access the folders of my users. (I know the superuser password is relatively safe because of the IP-check, but ideally this should also be SSL encrypted.)

Alas, the world is still *very* antiquated for identification and authorization on the web. We can't even get uniform digest auth :/ The only real advantage would be to go to Client Certs, and we could talk some about this.

Chris
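
The rule described in the reply above (refuse `.*/manage` on non-secure connections), sketched as an added example that is not part of the original thread or of Zope itself. It assumes the application is reachable through a WSGI interface; `require_tls_for_manage`, `is_secure`, `probe` and the sample paths are hypothetical names constructed for illustration.

```python
import re

# Pattern quoted in the thread: any path that reaches a /manage screen.
MANAGE_RULE = re.compile(r".*/manage")

def is_secure(environ, trust_forwarded_proto=False):
    """True when the request reached us over TLS."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    # Assumption: only honour this header when a TLS-terminating front end
    # sets it and strips any copy supplied by the client.
    if trust_forwarded_proto:
        return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
    return False

def require_tls_for_manage(app, trust_forwarded_proto=False):
    """WSGI middleware: refuse .*/manage requests on non-secure connections."""
    def middleware(environ, start_response):
        path = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")
        if MANAGE_RULE.match(path) and not is_secure(environ, trust_forwarded_proto):
            body = b"Management screens require HTTPS.\n"
            start_response("403 Forbidden", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return app(environ, start_response)
    return middleware

def probe(path, scheme, headers=None, trust_forwarded_proto=False):
    """Run one constructed request through the guard and return the status."""
    def backend(environ, start_response):  # stand-in for the real application
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok\n"]
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "wsgi.url_scheme": scheme}
    environ.update(headers or {})
    seen = []
    guarded = require_tls_for_manage(backend, trust_forwarded_proto)
    guarded(environ, lambda status, hdrs: seen.append(status))
    return seen[0]

if __name__ == "__main__":
    # Constructed sample requests.
    for path, scheme in [("/users/alex/manage", "http"), ("/users/alex/manage_main", "http"),
                         ("/users/alex/manage", "https"), ("/users/alex/index_html", "http")]:
        print(scheme, path, "->", probe(path, scheme))
```

Because the refusal is returned before the wrapped application runs, the application never issues its authentication challenge for these paths on the plain-HTTP side.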
participants (3): Alexander Limi, Christopher Petrilli, Johan Carlsson