Major problems placing authentication on an extranet site - security flaw?
Hi, I have major problems here trying to set up authentication over a whole Plone site using Zope. Using my superuser account I've navigated to the site root page in the ZMI, where it lists all the site pages and objects etc. I've then gone into Security, scrolled down to the bottom and for the 'View' option I have tried all combinations of 'Manager', 'Authenticated' and 'Acquire'. It simply won't work. I get a pop-up box but the superuser manager pass doesn't work. Then, even with 'Authenticated' checked and using a different browser to the one I'm using for the management screen, clicking return on the login box over and over again eventually produces the front page sans CSS. It shouldn't do this, and when the extranet is live, if the public were able to view it this would be a serious risk. I've set View to Authenticated only but it still lets me in. I find the Zope security and permissions set-up hideously complex and unusable, to be honest, and it doesn't even seem to work. Very frustrated. -- Michael
On 8 Feb 2006, at 16:48, michael nt milne wrote:
I get a pop-up box but the superuser manager pass doesn't work.
If the superuser password is indeed set up correctly then this is a fault of the user folder. There are some bad implementations out there that do not respect the superuser/emergency user.
Then, even with 'authenticated' checked and using a different browser to the one I'm using for the management screen, clicking return on the login box over and over again eventually produces the front page sans CSS. It shouldn't do this and when the extranet is live, if the public were to be able to view it this would be a serious risk. I've set view to authenticated only but it still lets me in.
I find the Zope security, permissions set-up hideously complex and unusable to be honest and it doesn't even seem to work.
I'll be more explicit this time: You don't know enough to make blanket statements like this. From your emails it is obvious that you don't know much at all about the way Zope security works. You need to get a clue about what you're doing first. From the lack of similar complaints from the many Zope and Plone users out there and the lack of interest (meaning lack of responses to your emails) the only logical conclusion is that the fault is on your end. Since this is a Plone site I would suggest you move this discussion to a Plone-related mailing list. jens
On 08.02.06 16:48:08, michael nt milne wrote:
I have major problems here trying to set-up authentication over a whole Plone site using Zope.
Start simple: start up a plain Zope, create a ZPT or DTML and change its View right. See what happens.
I find the Zope security, permissions set-up hideously complex and unusable to be honest and it doesn't even seem to work.
Have you read the Zope documentation on how security works? Have you checked what happens when you access the Plone URL "behind the scenes"? Andreas -- You seek to shield those you love and you like the role of the provider.
michael nt milne wrote at 2006-2-8 16:48 +0000:
I have major problems here trying to set up authentication over a whole Plone site using Zope. Using my superuser account I've navigated to the site root page in the ZMI, where it lists all the site pages and objects etc. I've then gone into Security, scrolled down to the bottom and for the 'View' option I have tried all combinations of 'Manager', 'Authenticated' and 'Acquire'. It simply won't work.
You can use "VerboseSecurity" to analyse difficult authorization problems. "VerboseSecurity" is an integral part of Zope from 2.8 on. Previously, it has been a separate product. -- Dieter
Thanks for the advice. I'll have another look at the security settings but this is undoubtedly an issue. The superuser password not working is the main one etc. But ultimately my comments on usability should be taken on board because Zope security is overly complex. On 2/8/06, Dieter Maurer <dieter@handshake.de> wrote:
-- Michael
I've just tried this on a completely different server. I also made sure that 'access contents information' was set to 'manager' and 'authenticated'. The same thing happens. The main password doesn't work and also you still get the main page contents if you keep cancelling or pressing return on the login box. Complete nightmare. This was the reason I wanted to go with Apache security as it's more robust.
Michael
On 2/8/06, michael nt milne <michael.milne@gmail.com> wrote:
-- Michael
On 08.02.06 21:25:33, michael nt milne wrote:
I've just tried this on a completely different server. I also made sure that 'access contents information' was set to 'manager' and 'authenticated'.
Wow, you read the zope-book on security, setup a new zope on a server and checked this in just 10 minutes? Forgive me if I don't believe this.
The same thing happens. The main password doesn't work and also you still get the main page contents if you keep cancelling or pressing return on the login box.
So no Plone this time? What does VerboseSecurity tell you? Do you have to login to get access to the ZMI? Have you tried to allow non-authenticated access to the ZMI?
Complete nightmare. This was the reason I wanted to go with Apache security as it's more robust.
No it's not, it's not less robust either, at least that's what I experienced until now. Andreas -- You can rent this space for only $5 a week.
I printed out the section on Zope security quite a while ago and read it. So it's not just in the last ten minutes. I haven't tried VerboseSecurity just yet as I haven't had the time. Basically, the security should work without that. On 2/8/06, Andreas Pakulat <apaku@gmx.de> wrote:
_______________________________________________ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
-- Michael
michael nt milne schrieb:
Thanks for the advice. I'll have another look at the security settings but this is undoubtedly an issue. The superuser password not working is the main one etc. But ultimately my comments on usabiltity should be taken on board because Zope security is overly complex.
Actually it's not that hard, and it's just fine-grained, a real strength of Zope. You can use VerboseSecurity to debug your security issues. Did you read the chapter about users and security in the Zope book? Regards Tino
Of course I did. Why on earth would you be able to view the front page of a site when it is labelled as 'authenticated' and also as 'manager', just by pressing cancel or return a few times? Big security flaw, I'm sorry. Also superuser passwords don't work when security is set up, and I've tried this on a couple of set-ups. And this is apart from the usability. On 2/8/06, Tino Wildenhain <tino@wildenhain.de> wrote:
-- Michael
michael nt milne schrieb:
Of course I did. Why on earth would you be able to view a front page of a site when it is labelled as 'authenticated' and also as 'manager' ? just by pressing cancel or return a few times. Big security flaw I'm sorry. Also superuser passwords don't work when security is set up and I've tried this on a couple of set-ups. And this is apart from the usability.
I don't get what you tried... many of us are doing it and it just works. Much easier than with Apache, I say. Apropos getting and trying... could you try to set your mail client to text only and quote like all others do? This would make it easier to read what you type :-) You only remove [ ] Acquire for View and assign it to Authenticated, or better to whatever role your users should belong to. Cancelling the authentication requester will not show you contents but the standard_error_page - unless you have a broken user agent (e.g. Internet Explorer) with horrible cache settings and did view the authenticated page before. Regards Tino Wildenhain
Sorry, but this is not my experience and I have experimented. I'm using the Gmail basic setting, which I like. On 2/8/06, Tino Wildenhain <tino@wildenhain.de> wrote:
-- Michael
michael nt milne schrieb:
Sorry but this is not my experience and I have experimented. Am using gmail basic setting which I like.
Be sure mailing list people don't like it :-) Actually it should not be too hard to
1) create a role, let's call it "Guests" (in / )
2) create a user: guest (in /acl_folder) with role "Guests"
3) remove [ ] acquire for "View" and, if you want, "Access Contents Information", and make a [x] for Manager and [x] Guests
That's it. Go with a new browser (closed and reopened if you want) to / of your site and you will get the standard_error_page with "Unauthorized" if you "cancel" the login box. You can customize standard_error_page if you want. How can this be easier with Apache? I'd like to see :-) (Yes, I know Apache quite well.) Regards Tino
On 08.02.06 21:38:26, michael nt milne wrote:
Of course I did. Why on earth would you be able to view a front page of a site when it is labelled as 'authenticated' and also as 'manager' ? just by pressing cancel or return a few times.
I just checked that with a plain Zope's index_html. I cannot view localhost:8080/ when I change the security setting of index_html to allow View only for authenticated. However I can view it when I authenticate with the initial user information. Now the same thing with a plone site, removed the view-right from front_page I get a screen telling me to authenticate. Not the "box" because Plone normally uses cookie-auth, you should be able to change that in the UserFolder. If I use the initial-user with the cookie-based-form I can see the plone site. Then I removed the View right from the plone-site-object for anonymous and when I access localhost:8080/p1 I get the Basic-HTTP-Login Box, giving it the initial-user-info it lets me view the front_page.
Big security flaw I'm sorry.
I wonder why you are the only one experiencing this... Maybe because the error is on your side (or sits in front of your monitor)? And not Zope.
Also superuser passwords don't work when security is set up and I've tried this on a couple of set-ups. And this is apart from the usability.
What do you mean by superuser? There is no superuser; you have an initial user, but that's not a user you'd normally use to log in. You add new users in the user folder. And what usability problem are you now talking about? Andreas -- Reply hazy, ask again later.
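The lock-down Tino lays out above (untick Acquire on View, tick Manager and a Guests role) and the check Andreas ran, as an added Python model of how a permission's roles are resolved through acquisition. This is not Zope's own code; the site layout, the Guests role and the user names are constructed for the example.

```python
"""Simplified model of Zope 2 permission resolution through acquisition.

Added example, not code from the Zope project. Every object stores, per
permission, the roles granted locally plus an "acquire" flag (the ZMI
security tab's Acquire checkbox). While the flag is set, the roles granted
on the containers above are added to the local ones, so a page whose View
permission still acquires from a root that grants View to Anonymous stays
publicly readable whatever roles are ticked on the page itself.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class User:
    name: str
    roles: Set[str]  # unauthenticated visitors carry only "Anonymous"


@dataclass
class Node:
    """One object in the containment hierarchy (site root, folder, page)."""
    name: str
    parent: Optional["Node"] = None
    # permission -> (roles granted here, acquire from parent?)
    permissions: Dict[str, Tuple[Set[str], bool]] = field(default_factory=dict)

    def manage_permission(self, permission: str, roles, acquire: bool) -> None:
        """Mirror of the ZMI security tab: tick roles and the Acquire box."""
        self.permissions[permission] = (set(roles), acquire)

    def roles_for_permission(self, permission: str) -> Set[str]:
        """Walk up the hierarchy while each level still acquires; union the roles."""
        granted: Set[str] = set()
        node: Optional[Node] = self
        while node is not None:
            # An object with no local setting acquires everything from its parent.
            roles, acquire = node.permissions.get(permission, (set(), True))
            granted |= roles
            if not acquire:
                break
            node = node.parent
        return granted


class Unauthorized(Exception):
    """Raised where Zope would render standard_error_page with Unauthorized."""


def check_permission(user: User, node: Node, permission: str) -> bool:
    """True if any of the user's roles is granted the permission on node."""
    return bool(user.roles & node.roles_for_permission(permission))


def view(user: User, node: Node) -> str:
    """Page body when allowed; Unauthorized otherwise."""
    if not check_permission(user, node, "View"):
        raise Unauthorized(f"{user.name} may not View {node.name}")
    return f"<html>{node.name}</html>"


def build_site() -> Dict[str, Node]:
    """Constructed hierarchy: / grants View to the public, as a stock root does."""
    root = Node("/")
    for perm in ("View", "Access contents information"):
        root.manage_permission(perm, ["Anonymous", "Manager"], acquire=False)
    site = Node("/plone", parent=root)
    front = Node("/plone/front-page", parent=site)
    return {"root": root, "site": site, "front": front}


# Constructed users: the Guests role is the one Tino's recipe creates.
ANON = User("anonymous", {"Anonymous"})
GUEST = User("guest", {"Authenticated", "Guests"})
ADMIN = User("admin", {"Authenticated", "Manager"})


def acquire_left_on() -> bool:
    """Roles ticked on the site but Acquire still checked: can anonymous view?"""
    s = build_site()
    s["site"].manage_permission("View", ["Manager", "Authenticated"], acquire=True)
    return check_permission(ANON, s["front"], "View")


def acquire_removed() -> Dict[str, str]:
    """Acquire unticked on the site, Manager and Guests ticked: outcome per user."""
    s = build_site()
    for perm in ("View", "Access contents information"):
        s["site"].manage_permission(perm, ["Manager", "Guests"], acquire=False)
    outcome = {}
    for user in (ANON, GUEST, ADMIN):
        try:
            view(user, s["front"])
            outcome[user.name] = "ok"
        except Unauthorized:
            outcome[user.name] = "Unauthorized"
    return outcome


if __name__ == "__main__":
    print("Acquire left on, anonymous can view:", acquire_left_on())
    print("Acquire removed:", acquire_removed())
```

With Acquire still ticked the front page keeps inheriting the root's public View grant, which matches the symptom described in the thread; once it is unticked only Manager and Guests get through.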
michael nt milne wrote:
I find the Zope security, permissions set-up hideously complex and unusable to be honest and it doesn't even seem to work.
Yes. But security is hard on any capable system, with users, groups, objects and applications all having security attributes and all those things inheriting and interacting in unexpected ways. NetWare and Windows are the same.

As for 'doesn't even seem to work', that may be true (welcome to Open Source!), but you may 'just' be experiencing interactions between Zope security (hideously complex, etc.) and Plone security (also complex). The interactions between these systems are basically beyond ordinary humans - or, possibly, just don't work.

It may be most sensible to try to hand off security to another system entirely and let Zope/Plone share/inherit it, as was your original intention. If it's an extranet, can you use the surrounding network's system? Pluggable authentication can use Windows or LDAP (or, perhaps, other) authentication to provide access to a Zope/Plone, so visitors log in to your network rather than to the Zope site, and the Zope/Plone can inherit whatever the domain authentication system knows about them.

My other advice is to try not to touch ZMI security screens: if you're using Plone you should try to set up the security you need in Plone as far as possible. You really don't need Plone and Zope trying to do different things at the same time: it's a fragile and complex marriage and the partners all too easily end up stalking out of the room. (This also suggests you might have better luck on the Plone discussion lists, e.g. nntp://gmane.comp.web.zope.plone.user.)

best Mark Barratt
Mark Barratt schrieb:
michael nt milne wrote:
...
My other advice is to try not to touch ZMI security screens: if you're using Plone you should try to set up the security you need in Plone as
Ah yes, things are a bit different when plone comes in. Then Plone documentation should be consulted, of course. Regards Tino
michael nt milne wrote:
I have major problems here trying to set up authentication over a whole Plone site using Zope. Using my superuser account I've navigated to the site root page in the ZMI, where it lists all the site pages and objects etc. I've then gone into Security, scrolled down to the bottom and for the 'View' option I have tried all combinations of 'Manager', 'Authenticated' and 'Acquire'. It simply won't work.
You're simply doing it wrong then ;-)
I get a pop-up box but the superuser manager pass doesn't work.
What does it say when you hit cancel? Have you tried enabling verbose security in zope.conf?
I find the Zope security, permissions set-up hideously complex and unusable to be honest and it doesn't even seem to work.
Then for God's sake stop trying to use Zope and go find some toy system you do understand!
Very frustrated.
So are we, quit bugging us until you've learned a bit more about how things work, started with something simple, or just plain raised your IQ a little ;-) Chris -- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
Look, I'm having genuine issues here and to be honest there's no need to become personally insulting. I've just set up Plone on a Windows server with SSL Apache and multiple virtual hosts, so I don't take kindly to a few of these remarks. The last piece of my jigsaw is authentication, which is becoming an issue. On 2/8/06, Chris Withers <chris@simplistix.co.uk> wrote:
-- Michael
michael nt milne wrote:
Look I'm having genuine issues here and to be honest there's no need to become personally insulting.
And what do you think you're doing by continuously coming back with phantom problems that no-one else experiences because they don't exist? And how about your insistence on having your mail setting the way _you_ like it rather than how the rest of the group, who you expect to help you for free, might appreciate them?
I've just set-up Plone on an Windows server with SSL Apache and multiple virtual hosts so don't take kindly to a few of these remarks.
Well, you obviously _haven't_ set these up correctly or you wouldn't be having these problems. I've set up many instances of Zope on Windows over the years, many of them behind Apache, many of them CMF based and some even Plohn, and I've never had the problems you're whining about. I _know_ I'm not in the minority here. My suggestion would be to go to a Plohn list that might be more forgiving in putting up with lazy incompetent people who just don't seem to get it. Either that or just give up on Zope/Plohn entirely and go somewhere else... Failing that, you could always pay someone competent to configure your system for you *grinz* Chris -- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
Sorry but the SSL and virtual hosting through Apache is all working fine. It's only the authentication bit that I'm having an issue with. Should be easy compared to what I've configured previously. And isn't it Plone? :-) On 2/9/06, Chris Withers <chris@simplistix.co.uk> wrote:
-- Michael
michael nt milne wrote:
Sorry but the SSL and virtual hosting through Apache is all working fine. It's only the authentication bit that I'm having an issue with. Should be easy compared to what I've configured previously.
Yeah right, that gives some idea of the lack of understanding you have...
And isn't it Plone? :-)
No, it's Plohn, as in "Oh my god, I can't believe how much this is hurting" :-P Chris -- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
Over and out on this one from me, and thanks for all your help.... Sorry, but SSL over virtual hosts *is* more involved than setting up a basic password protect. On 2/9/06, Chris Withers <chris@simplistix.co.uk> wrote:
-- Michael
michael nt milne wrote:
Over and out on this one from me
You promise? ;-) Chris -- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
Chris Withers wrote:
michael nt milne wrote:
Over and out on this one from me
You promise? ;-)
Chris
I think Tino made the key suggestion earlier on: log out of the ZMI, close your browser, restart it, clear the cache, clear any saved passwords, try to view the page in question and - if your settings are correct - get prompted to log in by whichever authentication mechanism you chose to implement. If you cancel out and are able to view the page, you made a configuration mistake somewhere. Find it, fix it - and try again. This has become one of the more hilarious threads I've read in a long time. I suggest submitting Michael's name to alt.usenet.kooks for consideration as KotM. Norbert
Well, I said it was over and out but I have to respond to this latest post. I appreciate the help here and will be trying out some of the suggestions. Basically though, Zope permissions and security could be made a lot more usable. It's far too technically focused and this is the opinion of a few others as well. The whole ZMI interface could be put through a usability re-design to be honest, and that's not even to contemplate the security areas. I have a few clients, who I have built sites for using Plone, and on showing them the ZMI they have recoiled in absolute horror. Now obviously Plone is trying to bring more and more features within its own interface, which is good as it's more usable. However many things still remain. Most of my clients are able to use the Plone editing tools and interfaces but can't at all get their heads round the ZMI. I would guess that changing interfaces doesn't help but there you go. Glad you feel entertained Norbert. I have been as well and at the same time have made quite a bit of progress. Cheers. On 2/9/06, Norbert Marrale <norbert@vsmpro.com> wrote:
-- Michael
michael nt milne wrote:
Well I said it was over and out but I have to respond to this latest post.
You liar!
Basically though, Zope permissions and security could be made a lot more usable.
Cool, we look forward to your documented proposal to dev.zope.org including implemented code on a branch with unit tests that satisfies all of Zope's potential users while maintaining complete security in all scenarios and providing a ui so perfect that even muppets could use it and not shoot themselves in the foot.
It's far too technically focused and this is the opinion of a few others as well.
A few other halfwits maybe...
The whole ZMI interface could be put through a usability re-design to be honest
Ah great, does that mean you're offering to finance this?
and that's not even to comtemplate the security areas.
I'm not sure you're qualified or capable of contemplating such areas ;-)
I have a few clients,
I pity them, I really do...
who I have built sites for using Plone and on showing them the ZMI they have re-coiled in absolute horror.
Sure it wasn't just your cack-handed coding? ;-)
Now obviously Plone is trying to bring more and more features within its own interface, which is good as it's more usable.
Obviously, it's why we all _love_ Plohn so _damn_ much *grinz*
However many things still remain.
Sadly, including you...
Most of my clients are able to use the Plone editing tools and interfaces but can't at all get their heads round the ZMI.
They shouldn't be going to the ZMI if you've done your job properly with the Plohn interface...
I would guess that changing interfaces doesn't help but there you go.
Guessing? Yay, just what you need from someone you're paying to develop something...
Glad you feel entertained Norbert. I have been as well and at the same time have made quite a bit of progress. Cheers.
Please god, leave us alone... Chris -- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
You liar!
I couldn't resist :-) You seem so entertained. Bit of sport and all that. I've spoken to many people on various lists and can confirm the feeling about usability on the ZMI etc. You call them 'halfwits'. That puts you on rather high ground and this attitude is obviously part of the problem. How come Plone's interface is so usable and a delight to work with? How was that financed?
who I have built sites for using Plone and on showing them the ZMI they have re-coiled in absolute horror.
Sure it wasn't just your cack-handed coding? ;-)
I haven't coded anything in the ZMI!
They shouldn't be going to the ZMI if you've done your job properly with the Plohn interface..
Wrong. There are many things you still have to do through the ZMI. Like changing the banner graphic on the site if you want to. Basic things like that.
Guessing? Yay, just what you need from someone you're paying to develop something...
Just a figure of speech in trying to be diplomatic. I shouldn't have bothered to be honest.
And as for the clients comment I'm not even going to go there. I have many highly satisfied clients. I hope you do as well, but I doubt it with such an unprofessional manner. Please don't post again or I will have to reply :-) ha On 2/10/06, Chris Withers <chris@simplistix.co.uk> wrote:
-- Michael
On 2/10/06, michael nt milne <michael.milne@gmail.com> wrote:
I've spoken to many people on various lists and can confirm the feeling about usability on the ZMI etc. You call them 'halfwits'. That puts you on rather high ground and this attitude is obviously part of the problem.
1. By complaining about something that a lot of people do not find any problem with, YOU put yourself on rather high ground compared to the people here who both created and use it. Suggestion: Don't complain about the software that you want help with, because it makes the people who wrote it pissed off. Quite simple, really.

2. I have myself held courses in how to use a CMS (EasyPublisher) where you did most everything through the ZMI, for people with both very little computer experience and a lot, and it was never a big usability problem. That the ZMI has big usability problems is simply not true. You also claim that there are a lot of people complaining that the ZMI has usability problems. Well, we are on all those mailing lists, unless you have found some secret mailing lists for people who don't like Zope, so we know that there are in fact NOT a lot of complaints about this. When you claim that there are loads of people who say so, when there obviously aren't, it undermines your credibility and inclines people not to take you seriously. Suggestion: Don't make up facts and statements that are not true, don't invent people who don't exist. Don't say that X is generally accepted as a fact when it isn't. If you do that, people will call you a liar, and you don't want that.

(Oh, and if you want an explanation about why a few people don't find the ZMI usable, it's because it's not "pretty", doesn't have flash graphics and such. People often confuse "prettiness" with "usability". ZMI is basic and, well, ugly. It is however quite consistent and usable.)

And the same goes for Zope's access control. It is in no way complicated or hard to understand. By starting early in the discussion with complaining about it, you just make people pissed off and get the discussion running away in the wrong direction. Don't do that.
How come Plone's interface is so useable and a delight to work with? How was that financed?
Because it's pretty? :-) -- Lennart Regebro, Nuxeo http://www.nuxeo.com/ CPS Content Management http://www.cps-project.org/
I take the point that I approached this issue from the wrong standpoint and apologise for that. This was perhaps born out of a little frustration. I was never rude though. Also I feel that Plone has usability which sits above its prettiness. It is a well designed interface graphically but also has very strong non-graphical usability elements.
-- Michael
Hi Michael, michael nt milne wrote:
Also I feel that Plone has usability which sits above its prettiness. It is a well designed interface graphically but also has very strong non-graphical usability elements.
You are correct - but you are not comparing like with like, as Plone is an /application/ and Zope is an /application server/. An analogous comparison might be between a car's dashboard and its engine compartment - you would expect the dashboard to be designed for a human user above all, but the engine compartment - however logically laid out - is primarily functional and is always going to appear alien to the person who is more comfortable driving than using a spanner. Ultimately, Zope's ZMI user interface is designed for techies who want a minimal user interface which allows them to see the moving parts, not the kind of end-user oriented GUI that Plone sports.

You've been given a bit of a hard time in this thread, and I think that some good points have been made, but I've seen your energetic but somewhat misdirected posting as more a symptom of youth and over-confidence than any great sin - you seem to be coping with the feedback, so you'll learn. However, I'd like to make the point that the counter-productive and gratuitous insults for which Chris is rightly famous are another thing entirely. He's a clever bloke and helpful, but he seems to enjoy being rude - which is a shame.

FWIW, I think the best advice you've been given, albeit in the midst of quite a strong mail, was Floyd's - "the security framework in Zope and Plone was built in the way that it is FOR A REASON" - both in terms of etiquette and in terms of what should be reasonable to assume, it is usually best to assume that the core of Zope and Plone /work/, and that if some part of them appears not to then it is more likely the nut behind the steering wheel that is responsible, as it were. ;-)

Have a good weekend... -- Regards, PhilK Email: phil@xfr.co.uk PGP Public key: http://www.xfr.co.uk Voicemail & Facsimile: 07092 070518 "You'll find that one part's sweet and one part's tart: say where the sweetness and the sourness start." - Tony Harrison
Can we all stop with the public name-calling and personal insults? It's embarrassing. -- Paul Winkler http://www.slinkp.com
I agree. I didn't start it and I find it unprofessional. I came here with a genuine issue, have received some help which I thank people for and have made some legitimate points. I find the Zope and Plone lists are generally very good and am not interested in slanging matches. Thanks Michael On 2/10/06, Paul Winkler < pw_lists@slinkp.com> wrote:
Can we all stop with the public name-calling and personal insults? It's embarrassing.
--
Paul Winkler http://www.slinkp.com _______________________________________________ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
-- Michael
I've resisted the urge to weigh in on this conversation for far too long.

Mr. Milne, Your original email to this list was presented in such a way that you guaranteed yourself a difficult time acquiring assistance for the following reasons:

1. It contained a tone indicating something along the lines of "this is broken and you need to fix it because I'm complaining".

2. You made no indication that you had attempted to understand the existing framework. Most people cite or quote existing documentation, e.g. "The zope book says X, but I am experiencing Y" when attempting to sort out a problem.

3. You assume that because you are technically-capable in other realms, your experience with Zope and Plone must be the fault of Zope and Plone, and not the fault of your inexperience with the paradigm differences between the common Apache+RDBMS architectures and the object-oriented Zope/Plone architecture.

Zope and Plone are both built by volunteers. Thousands of people worldwide pour their free-time efforts into making these products the best that they can be. Regardless of what you may think, the security framework in Zope and Plone was built in the way that it is FOR A REASON, and that reason is to make the Zope Application Server as powerful as possible in terms of security. If you had read the Zope book, the Definitive Guide to Plone, or the Zope Developer's Guide, you would have found the following phrase: "Security is hard."

Despite the fact that your original email that started this confounded thread was an ignorant insult to the years of time and effort spent making Zope and Plone what they are, faithful patrons of the Zope mailing list attempted to help you. In response, you continued to insult Zope with cretinous comments like:
I find the Zope security, permissions set-up hideously complex and unusable to be honest and it doesn't even seem to work.
...and...
But ultimately my comments on usability should be taken on board because Zope security is overly complex.
...and indicating your complete unwillingness to conform to simple requests from the people who are attempting to help you for free, in spite of your near-intolerable insults interspersed with vague information detailing what everyone has told you is what Zope *should* do with comments like the following:
Sorry but this is not my experience and I have experimented. Am using gmail basic setting which I like.
It is obvious to the people who have taken the time to understand how Zope's security works that the trouble you are experiencing has one source and one source alone - you don't know what you're doing. Read the documentation, go through the tutorials, and prove that you are able to understand what's happening, then attempt again to set up the security model that you are attempting. Furthermore (and I want you to read this carefully), you would do well to understand that Zope is built by volunteers. Insulting the work of such volunteers, and failing to respect the expertise of those people who caused Zope to be what it is by considering unexpected behaviors bugs that should be fixed just because you say so is a certain way to get hostile reactions.

You are a dinner guest in the world of Zope, and you have come into our living room and told us that we should repaint the walls and remodel our kitchen because "it doesn't work for you." The Zope community has made a robust product (regardless of your opinions to the contrary), and your behavior would have been much better-received if you would have kept your opinions about Zope's security (opinions founded in inexperience, I might add) to yourself and considered your own capability for making mistakes before pointing fingers at a worldwide community of software developers. The trouble that you are having with Zope's security is YOUR fault. The complexity of Zope's security features is INTENTIONAL, and will not change, especially not to suit the needs of a disrespectful leech like yourself (and I use the word 'leech' to indicate that you expect it is perfectly fine to take from the Zope community without giving back).

Consider these words long and hard before posting again.

-- Floyd May Senior Systems Analyst CTLN - CareerTech Learning Network fmay@okcareertech.org
Yes I've apologised for the initial tone which was the wrong way to begin and yes I agree I should have rooted out more documentation. I've read Andy Mackay, Plone Live, printed out screeds of how-tos, chapters of the Zope book, installed Zope on my Unix server etc so I do have a reasonable, if still not mature, take on the environment. I feel that 'leech' and 'cretinous' are perhaps slightly over the top to be honest though :-) Anyway, yes I feel we should be over and out on this thread as it's not too entertaining now, even if it was before :-) Apologies to Zope if he's been offended.
-- Michael
michael nt milne wrote:
Well I said it was over and out but I have to respond to this latest post. I appreciate the help here and will be trying out some of the suggestions. Basically though, Zope permissions and security could be made a lot more usable. It's far too technically focused and this is the opinion of a few others as well. The whole ZMI interface could be put through a usability re-design to be honest and that's not even to contemplate the security areas.
The ZMI is well known to be geeky. "For developers, by developers" might be its motto. If you have some concrete suggestions, by all means put them forth. Patches are even better.

Anyway, ACLs are ACLs. And if you don't know what you're doing, you can get into trouble real fast. Ever tried managing file security on a Windows machine with ACLs?

CMF (this includes Plone) provides a way to manage this complexity: workflow states. Each workflow has a set of permissions it manages, and a setting of these for each state. This is much more easily comprehended than infinite fiddling with the ZMI Security tab.

Also, as I recall, there was a "private plone site" howto on plone.org; dunno what happened to it.

--jcc -- "Building Websites with Plone" http://plonebook.packtpub.com
In the very beginning of my Zope career, I once "shot myself in the foot" with a very stupid thing... I kept it to myself then but if we are talking about Zope security settings and usability of the ZMI at the same time, perhaps it is an ideal place to raise this issue.

If you use the famous manage_access page with all the checkboxes to set permissions on an object, it then calls manage_changePermissions using the POST method to apply your settings. The result is that http://your_object_url/manage_changePermissions (without any parameters) stays in your browser's visited URL history. Now imagine what happens if you click this URL by mistake while logged in as someone with the "Change permissions" permission.

I guess changing the form method to GET is not going to be liked by browsers that put additional restrictions on URL length. So I would propose to introduce a basic request sanity check in manage_changePermissions itself. I cannot think of any use for resetting all permissions and acquisition for everyone, so the easiest way to do that is to simply check that at least something exists in the form:

    ...
    def manage_changePermissions(self, REQUEST):
        """Change all permissions settings, called by management screen.
        """
        # proposed check: a request with no form fields must not be
        # read as "every box unchecked"
        if len(REQUEST.form) < 2:
            raise ...
        self._isBeingUsedAsAMethod(REQUEST, 0)
        valid_roles = self.valid_roles()
        indexes = range(len(valid_roles))
        have = REQUEST.has_key
        permissions = self.ac_inherited_permissions(1)
        fails = []
        ...

or something like that.
Actually the proper way to do it, and for exactly the reasons you outlined above, is to always do a redirect to a "result page" url after a POST that has side effects. It's even mandated by the HTTP/HTML specs. Florent -- Florent Guillaume, Nuxeo (Paris, France) Director of R&D +33 1 40 33 71 59 http://nuxeo.com fg@nuxeo.com
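The two fixes raised above, Michael Vartanyan's sanity check and Florent's POST/redirect/GET, in one runnable model. This is an added example and not code from Zope or from anyone in this thread: a small WSGI handler standing in for manage_changePermissions. The checkbox field names (p<i>r<j> for permission i / role j, a<i> for acquire), the role and permission lists, the /folder URLs and the WSGI plumbing are assumptions made for the demo; the hazard it reproduces is the one described in the post: a request carrying no form fields is read as "every box unchecked", which revokes every role and switches acquisition off.

```python
"""Model of manage_changePermissions with the thread's two safeguards.

Added example, not Zope code. Field names, role/permission lists and the
URLs are assumptions for the demo.
"""
import io
from urllib.parse import parse_qs

ROLES = ("Manager", "Authenticated", "Anonymous")   # assumed role order
PERMS = ("View", "Change permissions")               # assumed permission order


class Folder:
    """One object's ACL: permission -> (set of roles, acquire flag)."""

    def __init__(self):
        self.acl = {
            "View": ({"Manager", "Authenticated"}, True),
            "Change permissions": ({"Manager"}, True),
        }

    def change_permissions(self, form):
        """Checkbox semantics: a box absent from the form is unchecked,
        so an empty form revokes every role and disables acquisition."""
        for ip, perm in enumerate(PERMS):
            roles = {r for ir, r in enumerate(ROLES) if f"p{ip}r{ir}" in form}
            acquire = f"a{ip}" in form
            self.acl[perm] = (roles, acquire)


def manage_change_permissions(folder, environ, start_response):
    """WSGI handler for /folder/manage_changePermissions."""
    if environ["REQUEST_METHOD"] != "POST":
        # A GET replayed from the URL history (or embedded in any page the
        # Manager loads) must never change state.
        start_response("405 Method Not Allowed",
                       [("Allow", "POST"), ("Content-Type", "text/plain")])
        return [b"manage_changePermissions requires POST\n"]

    length = int(environ.get("CONTENT_LENGTH") or 0)
    form = parse_qs(environ["wsgi.input"].read(length).decode(),
                    keep_blank_values=True)
    if not form:
        # Vartanyan's sanity check: no fields means the request did not
        # come from the permission form, so do not treat it as "clear all".
        start_response("400 Bad Request", [("Content-Type", "text/plain")])
        return [b"permission form is empty\n"]

    folder.change_permissions(form)
    # POST/redirect/GET: the browser lands on a side-effect-free page, so
    # reload, back and history replay that URL instead of the POST.
    start_response("303 See Other",
                   [("Location", "/folder/manage_access?saved=1")])
    return [b""]


def call(folder, method, body=""):
    """Drive the handler with a constructed WSGI environ; returns (status, headers)."""
    raw = body.encode()
    environ = {
        "REQUEST_METHOD": method,
        "CONTENT_LENGTH": str(len(raw)),
        "wsgi.input": io.BytesIO(raw),
    }
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    b"".join(manage_change_permissions(folder, environ, start_response))
    return captured["status"], captured["headers"]


if __name__ == "__main__":
    f = Folder()
    print(call(f, "GET"))                                    # 405, ACL untouched
    print(call(f, "POST", ""))                               # 400, ACL untouched
    print(call(f, "POST", "p0r0=on&p0r1=on&a0=on&p1r0=on"))  # 303 to result page
    print(f.acl)
```

Requiring POST is worth more than counting fields: a state change that can be triggered by a GET fires from any page that embeds the URL, not only from a slip in the history list. The redirect then keeps the POST URL out of the history in the first place, which is what the reply above recommends.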
I agree. A little bit of a problem is that both the Zope 2 Book and the ZMI do not seem to agree. I guess it was/is not the practice that Zope 2 developers endorsed/followed. But "Zope2 is beyond help" (C) Chris M., (taken out of context by me :-))
Hi, J Cameron Cooper wrote:
Also, as I recall, there was a "private plone site" howto on plone.org; dunno what happened to it.
It's still there, still works - and is very likely what Michael wants. -- Regards, PhilK
Hi Again, Re. "Private Plone Site" Howto Philip Kilner wrote:
It's still there, still works - and is very likely what Michael wants.
I'm an idiot - should have checked, knowing that there was a documentation sprint last weekend. It was at: - http://plone.org/documentation/how-to/creating-private-plone-site/howto_view ...but I get a login prompt at that URL now. Has this how-to been pulled because flawed, or is it just missing? I've used it in numerous places, so I'd be interested to know either way! -- Regards, PhilK
Yes I found that as well but picked it up from the Google cache. Strange that it is available there as it's password protected. Possibly it was public before?
-- Michael
Hi Michael, michael nt milne wrote:
Yes I found that as well but picked it up from the Google cache. Strange that it is available there as it's password protected. Possibly it was public before?
Yes, it was public before.

Have you tried this, and does it solve your problems?

JCC is spot on when he points to workflow as being the basis of security in Plone - it's also worth saying that the Zope system and the Plone system are pretty much at odds with one another. You are more likely to make mistakes at the Zope level than to do what you intend.

(If you try the "howto", don't overlook that last step - hitting the "update security settings" button. Managed to overlook this myself recently (despite it being the umpteenth time I've followed this howto), and spent hours thinking that something more exotic was going on!)

Let us know how you get on... -- Regards, PhilK
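A runnable model of the mechanism JCC and PhilK describe: a workflow owns a set of permissions and, for every state, says which roles hold them; moving an object to a state, or pressing "update security settings" over the site, writes that mapping onto the object and replaces whatever was set by hand in the ZMI Security tab. This is an added example, not code from CMF, Plone or anyone in this thread. The state names, the role/permission tables, the acquisition rule and the content objects are assumptions for the demo, chosen to resemble a private site where only logged-in members see published content.

```python
"""Workflow-driven permissions overriding hand-set ZMI permissions.

Added example, not CMF/Plone code. States, roles, permissions and the
acquisition rule are assumptions for the demo.
"""

# Permissions this (assumed) workflow manages; anything else is left alone.
MANAGED = ("View", "Modify portal content")

# state -> {permission: (roles holding it, acquire from parent?)}
PRIVATE_SITE_WORKFLOW = {
    "private": {
        "View": (("Manager", "Owner"), False),
        "Modify portal content": (("Manager", "Owner"), False),
    },
    "published": {
        "View": (("Manager", "Member", "Owner"), False),
        "Modify portal content": (("Manager",), False),
    },
}


class Content:
    """A content object with Zope-style per-object permission settings."""

    def __init__(self, id, state="private", parent=None):
        self.id = id
        self.state = state
        self.parent = parent
        # permission -> (roles, acquire). No entry = acquire from parent.
        self.permissions = {}

    def roles_for(self, perm):
        """Roles holding `perm` here, following acquisition up the tree."""
        entry = self.permissions.get(perm)
        own = set(entry[0]) if entry else set()
        acquire = entry is None or entry[1]
        if acquire and self.parent is not None:
            own |= set(self.parent.roles_for(perm))
        return frozenset(own)


def can_view(obj, user_roles):
    """True if any of the user's roles holds View on obj."""
    return bool(set(user_roles) & obj.roles_for("View"))


class Workflow:
    def __init__(self, managed, states):
        self.managed = managed
        self.states = states

    def update_role_mappings(self, obj):
        """Stamp the current state's mapping onto obj, overriding hand edits."""
        for perm in self.managed:
            obj.permissions[perm] = self.states[obj.state][perm]

    def do_transition(self, obj, new_state):
        obj.state = new_state
        self.update_role_mappings(obj)

    def update_security_settings(self, objects):
        """The 'update security settings' button: re-stamp every object."""
        for obj in objects:
            self.update_role_mappings(obj)
        return len(objects)


def demo():
    """Site root left open to Anonymous at the Zope level, as a fresh site is."""
    root = Content("plone")
    root.permissions["View"] = (("Anonymous", "Manager"), False)
    page = Content("news", "published", parent=root)
    wf = Workflow(MANAGED, PRIVATE_SITE_WORKFLOW)
    before = can_view(page, ["Anonymous"])   # nothing stamped yet: acquires root's View
    wf.update_security_settings([page])
    after = can_view(page, ["Anonymous"])    # workflow mapping wins
    return before, after


if __name__ == "__main__":
    print(demo())   # (True, False)
```

Until the button is pressed, the page still acquires the root's View setting, which is the "it still lets me in" symptom; afterwards the per-state mapping is on the object and a later hand edit in the Security tab lasts only until the next transition or update.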
Hi Phil

I've implemented what's outlined in the make private site documentation and it works fine on Plone 2.1.1. No content is available apart from the site-map page (doesn't list content) and the contact form but I can figure that out separately.

Yes I think I like the HTML login page way to authenticate. It feels more usable. And I don't think I'll use an Apache login box at all. Most users will find it hard remembering one password and with cookie authentication over SSL you can go straight into the site. Brilliant.

I'm revisiting some of the points made in this thread though about security. It does seem that Zope and Plone as you say, are at odds on this. Thanks a lot for your help and words of advice.

I still seem to have an issue where editing a page in IE over SSL produces a 'can't find server' but it's a browser issue as this works fine on the latest Firefox.

Michael
-- Michael
Hi Michael, michael nt milne wrote:
I've implemented what's outlined in the make private site documentation and it works fine on Plone 2.1.1. No content is available apart from the site-map page (doesn't list content) and the contact form but I can figure that out separately.
Since neither of those counts as "content" as such, I think that that is legitimate and as you say, you can work around those if it matters to you. (In cases where I've wanted to work around such things, I've simply called a script that redirects with an error message if the appropriate conditions aren't met.)
Yes I think I like the HTML login page way to authenticate. It feels more usable. And I don't think I'll use an Apache login box at all. Most users will find it hard remembering one password and with cookie authentication over SSL you can go straight into the site. Brilliant.
Agreed. Apache does a great job of managing the SSL, securing the data over public wires, but that's a 100% generic task whereas the authentication is tightly bound to your application. It's worth bearing in mind that those credentials are passed over the wire with every page, so you need your sessions to /stay/ in SSL mode once authenticated.
I'm revisting some of the points made in this thread though about security. It does seem that Zope and Plone as you say, are at odds on this.
Because Zope is an application server, it has to expose its mechanism - Plone has an easier job because it has a specific task to do (e.g. manage content), and so can take an approach which is much simpler to fly. In Plone, always do things the Plone way - working at the Zope level may potentially subvert Plone's mechanisms for achieving things. -- Regards, PhilK
Thanks "It's worth bearing in mind that those credentials are passed over the wire with every page, so you need your sessions to /stay/ in SSL mode once authenticated." Yes, I've got the whole site going over SSL and the :8080 port re-directing to SSL. However on my main server where I have other sites I was thinking about implementing SSL for the login areas to make them fully secure. From what you are saying though you'd basically need to make a whole site go over SSL and just implementing that on the login areas isn't worth it? I still have an issue with IE6 over SSL where trying to create new pages or edit content, produces a server not found and the padlock dissapears. I have TLS 1.0 and SSL 2.3, 3.0 selected in advanced. IE 6.02. Firefox 1.5(predictably..) works fine but I don't want to have to get all my users to install it even though I'd like to :-) On 2/11/06, Philip Kilner <phil@xfr.co.uk> wrote:
Hi Michael,
michael nt milne wrote:
I've implemented what's outlined in the make private site documentation and it works fine on Plone 2.1.1. No content is available apart from the site-map page (doesn't list content) and the contact form but I can figure that out separately.
Since neither of those counts as "content" as such, I think that that is legitimate and as you say, you can work around those if it matters to you. (In cases where I've wanted to work around such things, I've simply called a script that redirects with an error message if the appropriate conditions aren't met.)
-- Michael
michael nt milne wrote:
Yes, I've got the whole site going over SSL and the :8080 port re-directing to SSL.
Anything not over SSL should be blocked, not redirected, given your earlier paranoia...
However on my main server where I have other sites I was thinking about implementing SSL for the login areas to make them fully secure. From what you are saying though you'd basically need to make a whole site go over SSL and just implementing that on the login areas isn't worth it?
Correct. Also, don't turn SSL into a panacea. Security is hard. Very hard. I'm not sure you understand that yet...
I still have an issue with IE6 over SSL where trying to create new pages or edit content, produces a server not found and the padlock dissapears.
Look at where the form action points to, I suspect you haven't correctly configured your virtual hosting stuff in Apache and/or Zope. cheers, Chris -- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
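An added example (not part of the thread, and not Chris's or Plone's code) that automates the "look at where the form action points to" check. A page served over https whose edit form posts to http://host:8080/... is the signature of a front-end proxy passing the wrong scheme or port through to Zope; the Python below, standard library only, resolves every form action against the page URL and flags any that leaves the page's own origin. The sample page, host name and site id are constructed for the example.

```python
"""Audit the form actions in a page served over HTTPS.

Added example, not part of the original thread.  When Apache proxies
HTTPS traffic to Zope but hands Zope an http:// virtual-host base (or
no virtual hosting at all), Zope builds absolute URLs with the wrong
scheme, host or port, and a browser that enforces the padlock refuses
or cannot reach the POST target.  The HTML below is constructed for
the example; the host name and site id are assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def _default_port(scheme):
    return 443 if scheme == "https" else 80


class _FormActionCollector(HTMLParser):
    """Collect the action attribute of every <form> in the document."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            action = dict(attrs).get("action")
            # A missing or empty action submits back to the page URL itself.
            self.actions.append(action if action else "")


def audit_form_actions(page_url, html):
    """Return a list of (resolved_action, problem) for every form.

    problem is None when the action stays on the page's own origin
    (same scheme, host and port) and a short reason otherwise.
    """
    origin = urlsplit(page_url)
    origin_port = origin.port or _default_port(origin.scheme)
    parser = _FormActionCollector()
    parser.feed(html)
    findings = []
    for raw in parser.actions:
        resolved = urljoin(page_url, raw)          # relative actions are fine
        target = urlsplit(resolved)
        target_port = target.port or _default_port(target.scheme)
        problem = None
        if target.scheme != origin.scheme:
            problem = "scheme changes from %s to %s" % (origin.scheme, target.scheme)
        elif target.hostname != origin.hostname:
            problem = "host changes from %s to %s" % (origin.hostname, target.hostname)
        elif target_port != origin_port:
            problem = "port changes to %s" % target_port
        findings.append((resolved, problem))
    return findings


# Constructed sample: an edit form as Zope renders it when the proxy
# passed "http" and the backend port through instead of "https"/443
# (host name and site id are assumptions).
SAMPLE_PAGE_URL = "https://extranet.example.org/plone/front-page/edit"
SAMPLE_HTML = """
<html><body>
<form action="http://extranet.example.org:8080/plone/front-page/edit" method="post">
  <input type="submit" value="Save">
</form>
<form action="/plone/front-page/edit" method="post"></form>
<form action="https://extranet.example.org/plone/logout" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    for action, problem in audit_form_actions(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("%-62s %s" % (action, problem or "ok"))
```

Run it against the HTML the browser actually received (view source on the edit page over https); the first flagged line in the sample is exactly the "server not found" case, because nothing answers on port 8080 from outside once that port is blocked.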
Yes, I do realise that it's hard. Regarding the cookie comment that was the reason I wanted to use Apache <location> based login. I do realise that leaving a logon cookie is insecure and that comment was perhaps misguided. I started to think about usability etc. I'm going to block 8080 at the router/firewall level as Zope obviously needs to keep serving through 8080 to Apache. As for the issue with IE6 and editing pages over SSL it all works fine in Firefox 1.5, so it's a browser issue which I just can't quite fathom just now. Annoying as all the users are on IE. Unless I use that as an excuse for them all to get a better browser.. Thanks for the comments
-- Michael
michael nt milne wrote:
Yes, I do realise that it's hard. Regarding the cookie comment that was the reason I wanted to use Apache <location> based login.
Huh? I'm sure some people would love to know how those two things relate in your head...
I do realise that leaving a logon cookie is insecure and that comment was perhaps misguided. I started to think about usability etc.
If you're lucky, you might get a system that's both insecure _and_ unusable ;-)
I'm going to block 8080 at the router/firewall level as Zope obviously needs to keep serving through 8080 to Apache.
using iptables in the box is probably a better idea...
As for the issue with IE6 and editing pages over SSL it all works fine in Firefox 1.5, so it's a browser issue which I just can't quite fathom just now.
I doubt it, my guess would still be that you're doing something wrong somewhere... Chris -- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
michael nt milne wrote:
Yes, I do realise that it's hard. Regarding the cookie comment that was the reason I wanted to use Apache <location> based login. I do realise that leaving a logon cookie is insecure and that comment was perhaps misguided. I started to think about usability etc.
I'm going to block 8080 at the router/firewall level as Zope obviously needs to keep serving through 8080 to Apache.
No need to do that, just configure your zope (etc/zope.conf) to listen only on your loopback interface:

    <http-server>
      address 127.0.0.1:8080
    </http-server>

And btw, Zope doesn't *need* to serve on 8080...

HTH, Igor
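As an added example (mine, not from the thread or from Zope itself) of the check behind Igor's suggestion: the script below parses the address directives in the http-server section of a zope.conf (and the sibling webdav-source-server and ftp-server sections Zope 2 accepts) and reports any listener not confined to the loopback interface. A bare port such as "address 8080" is treated as all interfaces, which is what Zope does with it. The two configuration fragments are constructed for the example; no real file is read.

```python
"""Report which zope.conf listeners are reachable from outside the box.

Added example, not part of the original thread.  Binding Zope to
127.0.0.1 makes the :8080 port behind Apache unreachable from the
network without any firewall rule; this checks a zope.conf for
listeners that are not confined that way.  The configurations below
are constructed for the example.
"""
import ipaddress
import re

# Zope 2 server sections that carry an "address" directive.
_SECTION = re.compile(
    r"<(http-server|webdav-source-server|ftp-server)>(.*?)</\1>",
    re.DOTALL | re.IGNORECASE)
_ADDRESS = re.compile(r"^\s*address\s+(\S+)", re.MULTILINE | re.IGNORECASE)


def listeners(zope_conf):
    """Return (section, host, port) for each address directive.

    A bare port such as "address 8080" means every interface, which is
    represented here by an empty host string.
    """
    found = []
    for match in _SECTION.finditer(zope_conf):
        section, body = match.group(1).lower(), match.group(2)
        for addr in _ADDRESS.findall(body):
            host, sep, port = addr.rpartition(":")
            if not sep:                      # port only: all interfaces
                host, port = "", addr
            found.append((section, host, int(port)))
    return found


def is_loopback_only(host):
    """True when a listener on this host is reachable only locally."""
    if host in ("", "0.0.0.0", "::"):
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                       # a host name rather than an IP
        return host.lower() == "localhost"


def exposed_listeners(zope_conf):
    """Return the listeners that are NOT confined to the loopback interface."""
    return [(sec, host, port) for sec, host, port in listeners(zope_conf)
            if not is_loopback_only(host)]


# Constructed samples: an installer-style default, then Igor's suggestion.
DEFAULT_CONF = """
<http-server>
  address 8080
</http-server>
<webdav-source-server>
  address 0.0.0.0:8081
</webdav-source-server>
"""

HARDENED_CONF = """
<http-server>
  # Only Apache on this machine can reach Zope.
  address 127.0.0.1:8080
</http-server>
"""

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        print(name, "exposed listeners:", exposed_listeners(conf))
```

The "address 8080" case is the one that bites: it looks like a harmless port number but binds every interface, so a site that only ever reaches Zope through Apache still has its unauthenticated-to-the-proxy backend answering the world.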
Yes, I do realise that it's hard. Regarding the cookie comment that was the reason I wanted to use Apache <location> based login.
Huh? I'm sure some people would love to know how those two things relate in your head...
I wanted to use an Apache served login box before the Zope/Plone site is served but I've decided against that now as authentication should be closely linked to the application. Also Apache <location> based authentication isn't cookie based. Now going with Zope/Plone auth over SSL alone with cookies set to expire.
I do realise that leaving a logon cookie is insecure and that comment was perhaps misguided. I started to think about usability etc.
If you're lucky, you might get a system that's both insecure _and_ unusable ;-)
My aim is security with a good level of usability and I'll achieve that :-)
I'm going to block 8080 at the router/firewall level as Zope obviously needs to keep serving through 8080 to Apache.
using iptables in the box is probably a better idea...
thanks for the advice but I'll probably go with router level
As for the issue with IE6 and editing pages over SSL it all works fine in Firefox 1.5, so it's a browser issue which I just can't quite fathom just now.
I doubt it, my guess would still be that you're doing something wrong somewhere...
Sorry but I don't agree on this one. I haven't altered any of the Plone 'edit page' functionality. It's out of the box. Works fine without SSL but on SSL trying to edit a page causes 'can't find server'. Firefox though works perfectly viewing and editing so it's a browser issue. I know of other people who have issues with IE and posting images over SSL. Must be something to do with POST security over IE. I'm going to take it up with them but don't expect too much of a response. I'm now about to try with Opera.
-- Michael
_______________________________________________ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
michael nt milne said the following on 2006-02-14 12:30:
As for the issue with IE6 and editing pages over SSL it all works fine in Firefox 1.5, so it's a browser issue which I just can't quite fathom just now.
I doubt it, my guess would still be that you're doing something wrong somewhere...
Sorry but I don't agree on this one. I haven't altered any of the Plone 'edit page' functionality. It's out of the box. Works fine without SSL but on SSL trying to edit a page causes 'can't find server'. Firefox though works perfectly viewing and editing so it's a browser issue. I know of other people who have issues with IE and posting images over SSL. Must be something to do with POST security over IE. I'm going to take it up with them but don't expect too much of a response. I'm now about to try with Opera.
This part is *only* about setting up the servers, apache and zope in this context, properly. There is nothing in Zope that works differently when serving over ssl or not. SSL is just a transport layer, so it does *not* affect zope-capabilities in any way. I am sure you know this, but since we have learned very little (or at least I have - maybe I am not paying attention well enough :-):

*HOWEVER*, IIRC, plone, especially on windows (if installed with the windows installer) uses a trick, which is not documented at all, as far as I know: it uses a Site Access rule. Have you modified that rule to take advantage of the SSL server? Perhaps the SiteAccess rule is triggering and trying to redirect you to an address/port where there is no service listening?

/dario -- -- ------------------------------------------------------------------- Dario Lopez-Kästen, IT Systems & Services Chalmers University of Tech. Lyrics applied to programming & application design: "emancipate yourself from mental slavery" - redemption song, b. marley
On Tue, 14 Feb 2006 04:59:07 -0800, Dario Lopez-Kästen <dario@ita.chalmers.se> wrote:
*HOWEVER*, IIRC, plone, especially on windows (if installed with the windows installer) uses a trick, which is not documented at all, as far as I know, uses a Site Access rule.
http://plone.org/documentation/faq/multiple-sites-installers What part is not documented at all? :) -- _____________________________________________________________________ Alexander Limi · Chief Architect · Plone Solutions · Norway Consulting · Training · Development · http://www.plonesolutions.com _____________________________________________________________________ Plone Co-Founder · http://plone.org · Connecting Content Plone Foundation · http://plone.org/foundation · Protecting Plone
Alexander Limi said the following on 2006-02-14 14:05:
On Tue, 14 Feb 2006 04:59:07 -0800, Dario Lopez-Kästen <dario-tTo+xxYJ+kmv1QaEFLkzfg@public.gmane.org> wrote:
*HOWEVER*, IIRC, plone, especially on windows (if installed with the windows installer) uses a trick, which is not documented at all, as far as I know, uses a Site Access rule.
http://plone.org/documentation/faq/multiple-sites-installers
What part is not documented at all? :)
ähh... woopsy-daisy! my mistake. Sorry! 8^) /dario - crawls back under a rock... ;) -- -- ------------------------------------------------------------------- Dario Lopez-Kästen, IT Systems & Services Chalmers University of Tech. Lyrics applied to programming & application design: "emancipate yourself from mental slavery" - redemption song, b. marley
I am sure you know this, but since we have learned very little (or at least I have - maybe I am not paying attention well enough :-):
Have you modified that rule to take advantage of the SSL -server? Perhaps the SiteAccess rule is triggering adn trying to redirect you to an address/port where there is no service listeing?
No I haven't modified anything apart from upgrading Apache, installing and configuring SSL, doing VirtualHost rules and then locking down Plone using the 'private site' documentation. Why would Firefox 1.5.1 work perfectly and be able to edit pages and upload images? As I've said I know of more issues with IE and posting attachments through a private contact on this list. Doesn't seem like a coincidence to me. At least you've learned that :-)
-- Michael
Alexander Limi wrote:
On Tue, 14 Feb 2006 04:59:07 -0800, Dario Lopez-Kästen <dario@ita.chalmers.se> wrote:
*HOWEVER*, IIRC, plone, especially on windows (if installed with the windows installer) uses a trick, which is not documented at all, as far as I know, uses a Site Access rule.
http://plone.org/documentation/faq/multiple-sites-installers
What part is not documented at all? :)
*sigh* If it uses an Access Rule, it's likely still a dirty trick that will confuse retards like Michael, I'd suggest removing it... Chris -- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
Chris, back to throwing personal insults eh. I'll refrain from going down that line as it's tedious and unprofessional. You've obviously not listened to the advice of your fellow peers on that front. Everyone can take on a little advice and I've remarked previously that I was wrong in my initial approach with this post, which has now blown out of all proportion and is to be honest a bit of a joke. Security is hard and I'm getting my head round it. I'm also newish to Zope and Plone and feel I've progressed pretty well in about 6 months considering I do a full-time job too. It is a steep learning curve and the more people that persevere with it the better. Whilst I find the Zope and Plone lists generally fantastic (they're the best user based lists I have experienced), they're not helped by the attitude displayed by you, Chris, and your inability to refrain from 'gratuitous insults'. That's just going to turn people away and harm the cause of Zope. To answer some of your points:
I hope you're making sure the "secure" bit is set on those cookies ;-)
I take it this is a joke. Plone uses cookie authentication by default. You can't log in with out that. There are security risks there but good user education with a strong password policy, no use of 'save password' facilities and SSL is a start at least.
Considering you can't even quote a response correctly, I somehow doubt that..
Oh come on.
Fine, don't take our advice, but don't expect help either.
What because I don't take all your advice? That's a bit elitist and also not good for growing the user base of Zope.
Sheesh, sorry, but I've come to the conclusion you're just trolling and so won't be wasting my time with any more of your posts...
Well you're wrong on that one as well. You're probably just not suited to helping out newer users. I wouldn't suggest customer service as a second career..:-) And to finish on my problem with IE over SSL, I'll be implementing the help found here. It's recognised that there are problems and bugs in IE over SSL: http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html

"The first reason is that the SSL implementation in some MSIE versions has some subtle bugs related to the HTTP keep-alive facility and the SSL close notify alerts on socket connection close. Additionally the interaction between SSL and HTTP/1.1 features are problematic in some MSIE versions. You can work around these problems by forcing Apache not to use HTTP/1.1, keep-alive connections or send the SSL close notify messages to MSIE clients. This can be done by using the following directive in your SSL-aware virtual host section

    SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0

Further, some MSIE versions have problems with particular ciphers. Unfortunately, it is not possible to implement a MSIE-specific workaround for this, because the ciphers are needed as early as the SSL handshake phase. So a MSIE-specific SetEnvIf won't solve these problems. Instead, you will have to make more drastic adjustments to the global parameters. Before you decide to do this, make sure your clients really have problems. If not, do not make these changes - they will affect all your clients, MSIE or otherwise."
-- Michael
michael nt milne wrote:
Chris, back to throwing personal insults eh.
It's not so much an insult as a statement of fact. Retarded means "slower", and given how slow you seem to be to "get" the stuff we're discussing, I think the shoe fits. Not necessarily meant as an insult, but if you want to take it as such, so be it...
refrain from 'gratuitous insults'. That's just going to turn people away and harm the cause of Zope.
Some people this community could do without. I have no doubt that you'd argue that I am one of those people. I, of course, feel the same about you ;-)
I hope you're making sure the "secure" bit is set on those cookies ;-)
I take it this is a joke.
Okay, so you don't want to bother reading specs either. Great. Go read up on the cookie spec, find out what the secure bit of a cookie does...
Plone uses cookie authentication by default.
And Plohn is hideously insecure by default, what's your point?
You can't log in with out that.
Sure you can, chuck ?disable_cookie_auth__=1 on the end of a url that's not anonymously accessible...
There are security risks there but good user education with a strong password policy, no use of 'save password' facilities and SSL is a start at least.
Good luck, you're gonna need it...
Considering you can't even quote a response correctly, I somehow doubt that..
Oh come on.
What? Your mail client put >>> in front of your previous post, which is faulty for the majority of mail clients used by people on this list. Fix it.
Fine, don't take our advice, but don't expect help either.
What because I don't take all your advice? That's a bit elitist and also not good for growing the user base of Zope.
You don't take anyone's advice on this list without bitching and whining about it...
And to finish on my problem with IE over SSL, I'll be implementing the help found here. It's recognised that there are problems and bugs in IE over SSL:
Your problem will undoubtedly be that access_rule put in by the Plohn installer. Remove it, and I'll bet your problems go away. But hey, what do I know?
MSIE versions. You can work around these problems by forcing Apache not to use HTTP/1.1, keep-alive connections or send the SSL close notify messages to MSIE clients. This can be done by using the following directive in your SSL-aware virtual host section
So, have you actually followed this advice? What difference has it made? *sigh* Chris -- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
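To make Chris's point about the cookie spec concrete, here is an added example (mine, not the thread's and not Plone's code) that audits a Set-Cookie header the way a reviewer of an SSL-only site would: it requires the Secure flag so the browser never sends the login cookie over plain http, checks HttpOnly, and flags a cookie made persistent beyond a limit, which is the "cookie living on a user's machine long term" concern raised elsewhere in the thread. It also rewrites a weak header into a hardened one. The header values are constructed, the 3600-second limit is a chosen default, and "__ac" as the Plone login cookie name is an assumption the thread does not state.

```python
"""Audit Set-Cookie headers for the flags a login cookie over SSL needs.

Added example, not part of the original thread.  Without the Secure
attribute a browser sends the authentication cookie over plain http
too, so one non-SSL request (a typed-in http:// URL, an old bookmark)
leaks the login even when the site is only meant to be served over SSL.
Cookie names and header values below are constructed; "__ac" as the
login cookie name is an assumption.
"""

# Canonical spelling for attributes when a header is re-emitted.
_CANONICAL = {"path": "Path", "domain": "Domain", "expires": "Expires",
              "max-age": "Max-Age", "secure": "Secure",
              "httponly": "HttpOnly", "samesite": "SameSite"}


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly)
    map to True, valued ones (Path, Expires, ...) to their string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def audit_cookie(header, sensitive_names=("__ac",), max_age_limit=3600):
    """Return the list of problems with a Set-Cookie header (empty = ok).

    Only cookies whose name is in sensitive_names are checked; other
    cookies (e.g. a skin or language preference) are passed through.
    """
    name, _, attrs = parse_set_cookie(header)
    if name not in sensitive_names:
        return []
    problems = []
    if attrs.get("secure") is not True:
        problems.append("missing Secure: cookie will also be sent over http")
    if attrs.get("httponly") is not True:
        problems.append("missing HttpOnly: cookie readable from page scripts")
    if "expires" in attrs:
        problems.append("persistent cookie: Expires set, survives browser restart")
    try:
        max_age = int(attrs.get("max-age", 0))
    except ValueError:
        max_age = 0
    if max_age > max_age_limit:
        problems.append("persistent cookie: Max-Age %ds exceeds %ds" % (max_age, max_age_limit))
    return problems


def harden_set_cookie(header):
    """Rewrite a Set-Cookie header so it carries Secure and HttpOnly."""
    name, value, attrs = parse_set_cookie(header)
    attrs["secure"] = True
    attrs["httponly"] = True
    out = ["%s=%s" % (name, value)]
    for key, val in attrs.items():
        label = _CANONICAL.get(key, key)
        out.append(label if val is True else "%s=%s" % (label, val))
    return "; ".join(out)


# Constructed headers: what a default cookie-based login might emit, and
# the same cookie hardened for an SSL-only site.
WEAK_HEADER = "__ac=TOKEN; Path=/"
STRONG_HEADER = "__ac=TOKEN; Path=/; Secure; HttpOnly; Max-Age=3600"

if __name__ == "__main__":
    for header in (WEAK_HEADER, STRONG_HEADER):
        print(header)
        for problem in audit_cookie(header) or ["ok"]:
            print("   ", problem)
    print(harden_set_cookie(WEAK_HEADER))
```

Feed it the Set-Cookie line from a real login response (a proxy log or the browser's header view) and it tells you whether "SSL alone with cookies set to expire" actually holds: the Secure flag is what keeps the cookie inside SSL, and the expiry check shows whether "set to expire" means an hour or a month.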
sorry Chris but if I was 'retarded' as you indeed claim I wouldn't have been able to achieve so much with Plone and Zope over the last 6 months. I've gone from zero knowledge of the platforms to installing Zope and Plone on a Unix box from source (not easy and required a lot of perseverance), setting up development, production and staging instances, setting up VirtualHosting and a number of live production sites on the platform. Also I've done all that on a windows box using Apache which is also running IIS (not easy to work with). I've then installed SSL with virtual hosts. I'm still learning obviously, but am happy with progress to date and I've taken lots of advice. I've made mistakes sure but who doesn't. I've also been very vocal in my praise of the platform and how powerful it is to many people in my sphere. If you feel you would be better off without people who fit my profile then you're cutting your own throat. And anyway 'retarded' is not so much 'statement of fact' as use of 'emotive language'. Anyway I thought you weren't replying to any more of my posts? You lie. I'm a troll remember.
MSIE versions. You can work around these problems by forcing Apache not to use HTTP/1.1, keep-alive connections or send the SSL close notify messages to MSIE clients. This can be done by using the following directive in your SSL-aware virtual host section
So, have you actually followed this advice? What difference has it made? *sigh*
No I haven't as yet. Too busy elsewhere. I will try the access rule on Plone first and then go for the IE rules in Apache. I'll get there in the end. As I say there's another guy on the Plone list who can't post images over SSL with IE so I'm speaking to him as well.
-- Michael
It's been said a million times in a million different ways, so let's tick that counter one more time and make it a million and one: DON'T FEED THE TROLLS. http://img18.photobucket.com/albums/v55/krazykit/2004-03-22_104550_troll.gif -- Floyd May Senior Systems Analyst CTLN - CareerTech Learning Network fmay@okcareertech.org
yeah, take his advice Chris :-)
-- Michael
Michael's response reminds me of being a teenager in a small town. There was a man there that owned a junkyard. Rather than attempt to maintain weed control with herbicides or a weedeater, the man bought a goat. The goat began eating weeds and making a wonderful dent in the overgrown areas of the junkyard, giving the man more space for his business. Furthermore, the goat became somewhat of a mascot, and customers would bring a carrot or a handful of veggies to feed the goat whenever they visited the junkyard. The goat was friendly, and would greet customers, happily bleating and begging for treats. The goat's horns, however, had a tendency to scratch the paint of their vehicles, so the junkyard owner wrapped the goat's horns in duct tape. This worked wonderfully, until the junkyard owner bought another goat to clean up a newly-acquired adjacent plot of land -- the goats ate the duct tape from each others' horns. Goats, like trolls, will eat almost anything. -- Floyd May Senior Systems Analyst CTLN - CareerTech Learning Network fmay@okcareertech.org
michael nt milne wrote:
cookie based. Now going with Zope/Plone auth over SSL alone with cookies set to expire.
I hope you're making sure the "secure" bit is set on those cookies ;-)
My aim is security with a good level of usability and I'll achieve that :-)
Considering you can't even quote a response correctly, I somehow doubt that...
I'm going to block 8080 at the router/firewall level as Zope obviously needs to keep serving through 8080 to Apache.
using iptables in the box is probably a better idea...
thanks for the advice but I'll probably go with router level
Fine, don't take our advice, but don't expect help either...
works perfectly viewing and editing so it's a browser issue. I know of other people who have issues with IE and posting images over SSL. Must be something to do with POST security over IE. I'm going to take it up with them but don't expect too much of a response. I'm now about to try with Opera.
Sheesh, sorry, but I've come to the conclusion you're just trolling and so won't be wasting my time with any more of your posts... Chris -- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
michael nt milne wrote:
Yes I think I like the HTML login page way to authenticate. It feels more usable. And I don't think I'll use an Apache login box at all. Most users will find it hard remembering one password and with cookie authentication over SSL you can go straight into the site. Brilliant.
Given your earlier paranoia about security, this is a truly bizarre paragraph; you're so worried about basic auth that you didn't want to use it, and yet you're quite happy to have a cookie living on a user's machine long term, and still leave port 8080 exposed? wow... Chris -- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
Chris Withers said the following on 2006-02-12 15:27:
Given your earlier paranoia about security
uh, us security nerds^H^H^H^H^H^H folks-who-have-a-strong-interest-in-security, actually prefer to call it "eagerness". "Paranoia" has such negative timbre, don't you think? :-) Nevertheless, it is not simple to implement proper security with cookie-based logins. I had to make my own hacked version of SimpleUserFolder with sessioning on the ZEO server to get it secure enough (it is actually a trade off from what I would have liked to have in the first place, but it works ok). Cheers, /dario -- -- ------------------------------------------------------------------- Dario Lopez-Kästen, IT Systems & Services Chalmers University of Tech. Lyrics applied to programming & application design: "emancipate yourself from mental slavery" - redemption song, b. marley
Dario Lopez-Kästen wrote:
Nevertheless, it is not simple to implement proper security with cookie-based logins. I had to make my own hacked version of SinmpleUserFodler with seesioning on the zeo server to get it secure enough (it is actually a trade off from what I would have liked to have in the first place, but it works ok).
I know from personal experience that using sessions for this kind of information doesn't necessarily scale very well... check for conflict errors in your event log ;-) cheers, Chris -- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
On 2/9/06, michael nt milne <michael.milne@gmail.com> wrote:
Over and out on this one from me and thanks for all your help.... Sorry but SSL over virtual hosts *is* more involved than setting up a basic password protect
My 2 cents on this thread: I've seen (ok, I've done, long ago) the following as a newbie when it comes to security - start checking and unchecking boxes in the security screens trying to get things to work how I want them to, get partially there, change another setting, now what used to work doesn't, now can't recall how to get back to working settings, and everything is botched.

Before blaming Zope/Plone and its security, and calling it insecure or a nightmare, consider this: many of us have for years set up Zope and Plone sites with a mixture of anonymous and authentication-required areas, or totally locked down sites, using various user folders and authentication methods, and done so successfully. I don't say this to be snide - I have trained others on Zope and seen similar frustration from people when they rush in and start clicking things, or go on wild goose chases when something like browser cache may be producing the symptoms instead of a flaw with security. Careful, methodical debugging is required, and you must rule out external (non-Zope) causes.

Others have pointed out that a default Plone site should not prompt you with a pop-up box (browser Basic Auth challenge) when requesting protected content. Plone and CMF sites use a login web form out of the box. Actually, from your initial post it's hard for me to tell what's going on - I can't tell whether you're trying to hit the site from the perspective of a normal user, or through the ZMI you are clicking the View tab of the Plone site object. When reporting problems, it helps to clearly list your steps that produced the error. Maybe you thought you did.

I'll agree that Zope security can be complex. ANY web application that features content that is available to some users, and not to others, especially when dealing with Users with Role A can view x and y, but not z, and can edit x, but not y and z, is going to be complex. Zope actually gives you a convenient way of setting that up, but the convenience also gives you a great way to shoot yourself in the foot.

OT: I also use gmail because it's better IMO than any of my other options at work, and I hope I have the settings to the liking of the list (no HTML, etc). List, let me know if otherwise! Robert
michael nt milne <michael.milne@...> writes:
Hi, I have major problems here trying to set up authentication over a whole Plone site using Zope.
I'm not going to get involved in the large Zope security discussion but I will post an additional something to plone-users in reply to the more narrow problem. If you want additional help with it there, we'll need more details and debugging from you. I usually like to help folks figure out bugs because it's a nice problem solving stint, but I can't do much without more info. Peace, George
Scratch that, looking more closely at the thread it looks like you followed the "make site private" documentation and it worked. Peace, George