We'd like to construct a zope login URL of the form on another server:

http://zope.domain:port/context/logged_in?__ac_name=uzzzzzz&__ac_password=xxxxxxx&submit=Log+in

where the ac_name and ac_password parameters are encrypted using zope public key (?) and have the parameters decrypted when zope receives the request and log the user in. Is there an API or some way to encrypt the username and password on the 3rd party app server and configure zope so that it treats the parameters as encrypted values rather than plaintext?

Joseph Thomas
College of American Pathologists
http://www.cap.org

Consider our environment; please print this e-mail only if truly necessary. Thank you!
Use SSL and you're done.

-aj
Andreas Jung wrote:
Use SSL and you're done.
SSL solves SSO? I don't think so.

Cheers
Tino
Joseph Thomas (s) wrote at 2009-3-4 10:29 -0600:
We'd like to construct a zope login URL of the form on another server:

http://zope.domain:port/context/logged_in?__ac_name=uzzzzzz&__ac_password=xxxxxxx&submit=Log+in

where the ac_name and ac_password parameters are encrypted using zope public key (?) and have the parameters decrypted when zope receives the request and log the user in. Is there an API or some way to encrypt the username and password on the 3rd party app server and configure zope so that it treats the parameters as encrypted values rather than plaintext?

We are doing this using the Python package "M2Crypto.EVP" for the encryption/decryption.

-- Dieter
Thanks, could you elaborate a bit, I'm somewhat new to zope/plone: I assume we'd need a shared key on both our j2ee server and zope, and did you need to create any changes to Plone PAS?

-----Original Message-----
From: Dieter Maurer [mailto:dieter@handshake.de]
Sent: Thursday, March 05, 2009 1:55 PM
To: Joseph Thomas (s)
Cc: zope@zope.org
Subject: Re: [Zope] sending a encrypted login URL

Joseph Thomas (s) wrote at 2009-3-4 10:29 -0600:

We'd like to construct a zope login URL of the form on another server:

http://zope.domain:port/context/logged_in?__ac_name=uzzzzzz&__ac_password=xxxxxxx&submit=Log+in

where the ac_name and ac_password parameters are encrypted using zope public key (?) and have the parameters decrypted when zope receives the request and log the user in. Is there an API or some way to encrypt the username and password on the 3rd party app server and configure zope so that it treats the parameters as encrypted values rather than plaintext?

We are doing this using the Python package "M2Crypto.EVP" for the encryption/decryption.

-- Dieter
On Thu, Mar 5, 2009 at 21:01, Joseph Thomas (s) <jthomas@cap.org> wrote:
Thanks, could you elaborate a bit, I'm somewhat new to zope/plone:
I assume we'd need a shared key on both our j2ee server and zope, and did you need to create any changes to Plone PAS?

Tres explained it to you. You have to write a PAS plugin. There are a bunch of PAS plugins available that can serve as examples.

-aj
Joseph Thomas (s) wrote at 2009-3-5 14:01 -0600:
Thanks, could you elaborate a bit, I'm somewhat new to zope/plone:
I assume we'd need a shared key on both our j2ee server and zope

"EVP" (documented in the *nix man pages) supports both symmetric as well as asymmetric encryption. When you use symmetric encryption (we do), you need (of course) a shared secret.
and did you need to create any changes to Plone PAS?
We are not using Plone (GPL) but I think that no changes to Plone PAS would be necessary (exception in a moment). Instead of redirecting to "logged_in", you can use a preprocessor (e.g. "remotelogin") which decrypts the information and then calls "logged_in".

The problem which might force you to change something: the standard Plone user folders do not provide access to a cleartext password (for obvious security reasons). That means when you want to perform a remotelogin to your partner system, it is not easy to obtain the password for such a remote login. Your partner system may have the same problem when it performs a remote login to Plone.

You can use an SSO solution, e.g. CAS. If I have understood correctly, there are PAS plugins supporting CAS. You can also change the PAS plugin that stores the user identification such that it also stores the password (e.g. in the session) so that you can retrieve it for a remote login.

-- Dieter
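As an added illustration of the shared-secret "remotelogin" scheme Dieter describes (this is not code from the thread and does not use M2Crypto.EVP; it is standard-library Python only), the partner server encrypts the username and password under a fresh nonce, authenticates the result with an HMAC so a tampered query string is rejected before anything reaches PAS, and binds a timestamp so a captured URL stops working after max_age seconds. SHARED_SECRET, make_login_query and read_login_query are assumed names, and HMAC-SHA256 in counter mode stands in for the EVP ciphers the thread refers to.

```python
import base64, hashlib, hmac, os, struct, time
from urllib.parse import parse_qs, urlencode

# Constructed secret for the example; both servers would load it from config.
SHARED_SECRET = b"constructed-example-secret-shared-by-both-servers"
MAC_LEN, NONCE_LEN = 32, 16

def _keys(secret):
    # Derive distinct encryption and MAC keys from the single shared secret.
    return (hashlib.sha256(b"enc" + secret).digest(),
            hashlib.sha256(b"mac" + secret).digest())

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode as a keystream; the same call decrypts.
    stream = b"".join(hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def make_login_query(secret, username, password, now=None):
    """Partner side: build the query string appended to .../remotelogin."""
    enc_key, mac_key = _keys(secret)
    ts = int(time.time() if now is None else now)
    plain = struct.pack(">Q", ts) + username.encode() + b"\0" + password.encode()
    nonce = os.urandom(NONCE_LEN)                    # fresh per URL, never reused
    body = nonce + _xor_stream(enc_key, nonce, plain)
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()   # encrypt-then-MAC
    return urlencode({"token": base64.urlsafe_b64encode(body + tag).decode()})

def read_login_query(secret, query, now=None, max_age=60):
    """Zope side: return (username, password), or None if the token is bad."""
    enc_key, mac_key = _keys(secret)
    try:
        raw = base64.urlsafe_b64decode(parse_qs(query)["token"][0])
    except (KeyError, ValueError):
        return None
    body, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    # Verify the MAC in constant time before decrypting anything.
    if len(body) < NONCE_LEN + 8 or not hmac.compare_digest(tag, expected):
        return None
    plain = _xor_stream(enc_key, body[:NONCE_LEN], body[NONCE_LEN:])
    ts = struct.unpack(">Q", plain[:8])[0]
    now = int(time.time() if now is None else now)
    if not (now - max_age <= ts <= now + 5):         # stale or future-dated: treat as replay
        return None
    user, _, pw = plain[8:].partition(b"\0")
    return user.decode(), pw.decode()
```

The partner system redirects the browser to .../remotelogin?token=..., and the preprocessor calls read_login_query and only hands a successfully recovered pair on to the existing login code.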