Is it possible to extend Zope's WebDAV authentication?
Hello! I'd like a little help, please :) I have a site that uses PluggableUserFolders for its acl_users. The web-based portion of the login process locks out a user after 3 unsuccessful attempts at the password and I'd like to be able to do something similar for users who try to connect via WebDAV. I'm sure something like this should be possible but am uncertain where to begin. Is it possible to override the authentication methods used by WebDAV? If so, what are those methods? I'd be grateful for any help and insight into this problem! Many thanks, Mark
mark hellewell wrote at 2005-5-6 14:44 +0100:
I have a site that uses PluggableUserFolders for its acl_users. The web-based portion of the login process locks out a user after 3 unsuccessful attempts at the password and I'd like to be able to do something similar for users who try to connect via WebDAV. I'm sure something like this should be possible but am uncertain where to begin. Is it possible to override the authentication methods used by WebDAV?
WebDAV uses "basic HTTP authentication" which should use whatever UserFolder you have installed. -- Dieter
On 5/6/05, Dieter Maurer <dieter@handshake.de> wrote:
WebDAV uses "basic HTTP authentication" which should use whatever UserFolder you have installed.
Thanks. So, I think I should be able to modify the authentication plugin of PUF so that each time a user makes a bad login attempt (either via WebDAV or the login form) it increments the "bad login" counter? Sounds like a plan, anyway :) Mark
Am Freitag, den 06.05.2005, 19:26 +0100 schrieb mark hellewell:
On 5/6/05, Dieter Maurer <dieter@handshake.de> wrote:
WebDAV uses "basic HTTP authentication" which should use whatever UserFolder you have installed.
Thanks. So, I think I should be able to modify the authentication plugin of PUF so that each time a user makes a bad login attempt (either via WebDAV or the login form) it increments the "bad login" counter?
Sounds like a plan, anyway :)
Actually, it does not. You have no such thing as a session when all you have is WebDAV. I don't know if many DAV clients store cookies too - it may depend on your use case. Without cookies you don't know if a request is the first, second or third time. And just counting per user would make an excellent way to DoS. Regards Tino
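The two technical points in the thread so far are Dieter's (WebDAV arrives as HTTP Basic auth and goes through the same user folder as the form login, so one server-side counter can cover both paths) and Tino's (a counter keyed on the username alone lets anyone lock a user out by sending bad passwords). The following is an added example, not code from the thread and not the PluggableUserFolders API: it parses the Basic header a WebDAV client sends, runs both login paths through one lockout policy, and shows the difference between keying the counter on the username alone and on (username, client IP). The `USERS` table, the `LockoutPolicy` class and the demo addresses are constructed for the example; a real plugin would call the user folder's password check instead of `check_password`.

```python
import base64
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed stand-in for the user folder: username -> sha256(password).
# Hypothetical; a real plugin would defer to the PUF authentication source.
USERS = {"mark": hashlib.sha256(b"correct horse").hexdigest()}

MAX_FAILURES = 3           # the thread's "three login failure lockout"
WINDOW_SECONDS = 15 * 60   # assumed lockout window; not from the thread


def check_password(username, password):
    """Constant-time compare against the stored hash (hypothetical store)."""
    candidate = hashlib.sha256(password.encode("utf-8")).hexdigest()
    stored = USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, candidate)


def parse_basic_auth(header):
    """Return (user, password) from an 'Authorization: Basic ...' header, else None."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


class LockoutPolicy:
    """Server-side failed-login counter shared by the login form and WebDAV.

    key_by_ip=False counts per username only, which is the DoS Tino warns
    about: any remote party can lock a user out.  key_by_ip=True keys the
    counter on (username, client IP), so an attacker only locks out their own
    address (clients behind one NAT still share a key; that is the trade-off).
    """

    def __init__(self, key_by_ip, max_failures=MAX_FAILURES,
                 window=WINDOW_SECONDS, clock=time.time):
        self.key_by_ip = key_by_ip
        self.max_failures = max_failures
        self.window = window
        self.clock = clock                    # injectable for testing expiry
        self.failures = defaultdict(list)     # key -> timestamps of failures

    def _key(self, username, client_ip):
        return (username, client_ip) if self.key_by_ip else (username,)

    def _recent(self, key):
        """Drop failures older than the window and return the live list."""
        now = self.clock()
        self.failures[key] = [t for t in self.failures[key] if now - t < self.window]
        return self.failures[key]

    def is_locked(self, username, client_ip):
        return len(self._recent(self._key(username, client_ip))) >= self.max_failures

    def authenticate(self, username, password, client_ip):
        """Form-login path. Returns 'locked', 'ok' or 'bad'.

        A locked key rejects even the correct password, so an attacker
        cannot learn which guess was right by watching for an unlock.
        """
        key = self._key(username, client_ip)
        if self.is_locked(username, client_ip):
            return "locked"
        if check_password(username, password):
            self.failures.pop(key, None)      # success clears the counter
            return "ok"
        self._recent(key).append(self.clock())
        return "bad"

    def authenticate_request(self, headers, client_ip):
        """WebDAV path: credentials come from the Basic header on every request."""
        creds = parse_basic_auth(headers.get("Authorization"))
        if creds is None:
            return "anonymous"                # nothing to count against
        return self.authenticate(creds[0], creds[1], client_ip)


def demo():
    """Constructed scenario: an attacker at 10.0.0.9 sends four bad WebDAV
    passwords for 'mark', then mark logs in via the form from 192.0.2.10
    with the right password.  Returns {key_by_ip: (attacker results, mark's result)}."""
    results = {}
    for key_by_ip in (False, True):
        policy = LockoutPolicy(key_by_ip=key_by_ip)
        hdr = {"Authorization": "Basic " + base64.b64encode(b"mark:guess").decode()}
        attacker = [policy.authenticate_request(hdr, "10.0.0.9") for _ in range(4)]
        victim = policy.authenticate("mark", "correct horse", "192.0.2.10")
        results[key_by_ip] = (attacker, victim)
    return results


if __name__ == "__main__":
    for key_by_ip, (attacker, victim) in demo().items():
        print("key_by_ip=%s attacker=%s mark=%s" % (key_by_ip, attacker, victim))
```

With `key_by_ip=False` the attacker's three bad guesses lock mark out of the web form as well (the DoS from the thread); with `key_by_ip=True` the attacker's fourth attempt is refused but mark's own login still succeeds. Either way the counter lives on the server and is keyed on what the request carries, so a WebDAV client that never sends a cookie is still counted.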
On 5/6/05, Tino Wildenhain <tino@wildenhain.de> wrote:
Actually, it does not. You have no such thing as a session when all you have is WebDAV. I don't know if many DAV clients store cookies too - it may depend on your use case.
Yes the use-case is Windows Explorer users only.
Without cookies you don't know if a request is the first, second or third time. And just counting per user would make an excellent way to DoS.
It would! However, there's no accounting for client requirements ;) mark
On May 6, 2005, at 23:52 , mark hellewell wrote:
On 5/6/05, Tino Wildenhain <tino@wildenhain.de> wrote:
Actually, it does not. You have no such thing as a session when all you have is WebDAV. I don't know if many DAV clients store cookies too - it may depend on your use case.
Yes the use-case is Windows Explorer users only.
If this is supposed to use that "Web Folder" thingy in Windoze Explorer you might want to reconsider. That WebDAV implementation is seriously broken. Installing helpers like WebDrive on Windoze seems to make WebDAV access work for many people. jens
Web Folders pass cookies around too, FWIW, so it's probably not strictly necessary to use http basic auth. But without using http basic auth, there is no way to log in unless you have them go to the web interface first, then launch a web folder, so maybe impractical. - C
On Sat, 2005-05-07 at 06:31, Jens Vagelpohl wrote:
On May 6, 2005, at 23:52 , mark hellewell wrote:
On 5/6/05, Tino Wildenhain <tino@wildenhain.de> wrote:
Actually, it does not. You have no such thing as a session when all you have is WebDAV. I don't know if many DAV clients store cookies too - it may depend on your use case.
Yes the use-case is Windows Explorer users only.
If this is supposed to use that "Web Folder" thingy in Windoze Explorer you might want to reconsider. That WebDAV implementation is seriously broken. Installing helpers like WebDrive on Windoze seems to make WebDAV access work for many people.
Am Samstag, den 07.05.2005, 12:04 -0400 schrieb Chris McDonough:
Web Folders pass cookies around too, FWIW, so it's probably not strictly necessary to use http basic auth. But without using http basic auth, there is no way to log in unless you have them go to the web interface first, then launch a web folder, so maybe impractical.
Well, in theory it's possible, if the client accepts cookies, to just store the number of wrong attempts via cookie (or id - which would be the same) and deny any password, even the correct one, when it comes via basic auth. But I strongly believe this does not save you from abuse because it's just too easy to remove the cookie or just not accept it in the first place. So I'd say it's not worth the work.
On 5/7/05, Tino Wildenhain <tino@wildenhain.de> wrote:
Well, in theory it's possible, if the client accepts cookies, to just store the number of wrong attempts via cookie (or id - which would be the same) and deny any password, even the correct one, when it comes via basic auth.
Store the incorrect login count client-side in a cookie?! No way! :)
But I strongly believe this does not save you from abuse because it's just too easy to remove the cookie or just not accept it in the first place. So I'd say it's not worth the work.
Yes, I think it would be a bad idea. mark
On 5/7/05, Chris McDonough <chrism@plope.com> wrote:
Web Folders pass cookies around too, FWIW, so it's probably not strictly necessary to use http basic auth. But without using http basic auth, there is no way to log in unless you have them go to the web interface first, then launch a web folder, so maybe impractical.
That's exactly what's happening at the moment; the WebDAV access is linked to via the web interface after they log in (it's only one small part of a larger system). They log in via the web, gaining a cookie which is passed to the Explorer 'web folders' thing, so when they click on the link to the WebDAV part of the site the cookie is still valid and they don't have to log in to WebDAV. *
All I'm trying to do is boost the security of the system overall by ensuring an attacker can't simply sidestep the 'three login failure lockout' just by repeatedly trying to log in via WebDAV. mark
* A thought occurs to me after writing it like this. Might it be possible to forbid HTTP Basic auth logins to WebDAV, so that only cookies are the allowed authentication type?
mark hellewell wrote at 2005-5-7 20:22 +0100:
On 5/7/05, Chris McDonough <chrism@plope.com> wrote:
Web Folders pass cookies around too, FWIW, so it's probably not strictly necessary to use http basic auth. But without using http basic auth, there is no way to log in unless you have them go to the web interface first, then launch a web folder, so maybe impractical.
That's exactly what's happening at the moment; the WebDAV access is linked to via the web interface after they log in (it's only one small part of a larger system). They log in via the web, gaining a cookie which is passed to the Explorer 'web folders' thing, so when they click on the link to the WebDAV part of the site the cookie is still valid and they don't have to log in to WebDAV. *
I think this can only work when WebDAV uses the normal HTTP port. However, PowerPoint can get severely confused when it accesses a resource via WebDAV over the HTTP port and the access requires authentication. In this case, PowerPoint uses the login page as resource content. -- Dieter
participants (5): Chris McDonough, Dieter Maurer, Jens Vagelpohl, mark hellewell, Tino Wildenhain