Hi all, I'm a newbie to zope, working on installing a plone website for the radiology department at the University of Washington. I want to use SSO so that my content creators don't need to remember additional login/passwd for my site. I've been working on getting apache proxying and pubcookie authentication to work with Zope (2.9.4? installed via the plone 2.5.1 installer and also by hand). Instructions for doing this can be found at http://www.washington.edu/webinfo/case/zope/ So far, the apache proxy and mod_pubcookie parts of the puzzle seem to be working just fine. I can protect a directory with AuthType UWNetID and all works as expected, and the proxy rewrites I've generated seem to be redirecting traffic from my port 80 apache instance to my zope instance as expected. Logging in at the pubcookie login server also works, but when I'm redirected back to my zope instance, I am prompted for a login/password, and no matter what I give, I am locked out. I have been able to log in to my zope instance via localhost:8080/manage, and when I've added the 'access' file with my username, a colon, and a newline, no password is required to login. So I think the 'RemoteUserAuth' plugin described at the above site is working correctly. I have debugged the interaction from the apache side as far as I am able, and I know that the appropriate headers are being sent to zope via the mod_fba module in apache. What I can't do, and what I need help with, is debugging the zope half of this interaction. I don't fully grasp the way that user authentication works in zope. I'm not sure where to begin to look for the problem here, and I'm hoping someone can help. I'm a python newbie, so I might need a little hand-holding, but I'm an experienced programmer, and willing to do pretty much anything to figure this one out. The success of my plone site really depends on it. 
The expected behavior is that mod_fba sets an authorization header with a username from pubcookie and sends it to zope with a page request for the ZMI. Zope is supposed to enter _remote_user_mode (as I understand it) because I've provided the 'access' file, and then set the credential name using that header. Zope then uses that name for authorization, taking for granted that it has been authenticated, and not checking passwords. This appears to be happening correctly when I try to directly access the ZMI via localhost:8080/manage. I can give a user name and no password and am logged in as expected. However, when I try to access the ZMI via apache (http://myhost.com/manage which gets rewritten to http://localhost:8080/manage in apache proxy), I am prompted via basic auth for username and password, and anything I enter is rejected. Can anyone help me to figure out how I can debug the interaction here? Perhaps taking a look at the headers that apache is supposed to be sending once they arrive in zope? Any other suggestions would be wholly and warmly welcomed. Thanks for anything you might offer,
Cris
********************************
Cris Ewing
CME and Telehealth Web Services
Department of Radiology Web Services
University of Washington School of Medicine
Work Phone: (206) 685-9116
Home Phone: (206) 365-3413
E-mail: cewing@u.washington.edu
*******************************
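One direct way to see "the headers once they arrive in zope" is to stop Zope briefly and point the Apache proxy at a stand-in listener on the same port. The script below is an added example, not code from the thread or from Zope: it records the Authorization header (decoding only the user name, never the password) and whether the request really came from loopback, because in remote-user mode a name arriving with an empty password is trusted without a password check, so a backend port reachable from anywhere but the proxy would accept any name a client chose to send. The X-Remote-User header name is a constructed placeholder.

```python
"""Stand-in for the Zope backend on localhost:8080 that records what Apache forwards.
Added example, not part of the thread or of Zope; X-Remote-User is a constructed name."""
import base64
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Headers that matter for proxy-based SSO: the Basic Authorization header mod_fba is
# expected to set, plus the usual proxy headers (X-Remote-User is an assumption).
INTERESTING = ("Authorization", "X-Remote-User", "X-Forwarded-For",
               "X-Forwarded-Proto", "Host")


def auth_summary(headers, client_ip):
    """Describe the credentials a request carries without recording the secret part."""
    summary = {"client_ip": client_ip, "from_loopback": client_ip == "127.0.0.1"}
    for name in INTERESTING:
        summary[name] = headers.get(name)
    auth = headers.get("Authorization")
    if auth and auth.lower().startswith("basic "):
        # Decode only the user name; the password (empty in remote-user mode) stays hidden.
        try:
            decoded = base64.b64decode(auth.split(" ", 1)[1]).decode("latin-1")
            user, _, password = decoded.partition(":")
            summary["basic_user"] = user
            summary["basic_password_empty"] = password == ""
        except ValueError:  # binascii.Error is a ValueError: malformed base64
            summary["basic_user"] = None
    return summary


class HeaderEcho(BaseHTTPRequestHandler):
    """Answer every request with a JSON summary of the auth-relevant headers."""

    def do_GET(self):
        body = json.dumps(auth_summary(self.headers, self.client_address[0]), indent=2)
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body.encode())
        print(body)  # also visible on the console where the script runs

    do_POST = do_GET


if __name__ == "__main__":
    # Stop Zope first so this listener can take its port; then request /manage via Apache.
    HTTPServer(("127.0.0.1", 8080), HeaderEcho).serve_forever()
```

If the summary shows no Authorization header at all, the problem is on the Apache side of the proxy; if it shows the expected name with an empty password, the problem is inside Zope's handling of it.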
I have been able to log in to my zope instance via localhost:8080/manage, and when I've added the 'access' file with my username, a colon, and a newline, no password is required to login. So I think the 'RemoteUserAuth' plugin described at the above site is working correctly. I don't know this kind of SSO. Seems to be complicated. CACSiteRoot and RemoteUserAuth I don't know any of these... Think it will be difficult to help you until there is somebody that used those things, but maybe I'm wrong :)
I don't fully grasp the way that user authentication works in zope. I'm not sure where to begin to look for the problem here, and I'm hoping someone can help. You may read about Zope Security system on plope.org in Zope Book 2.7 edition.
You may want to take a look at error_log, and maybe remove unauthorized from the list of omitted exceptions there. Additionally you may want to enable VerboseSecurity in zope.conf. AFAIR you need to uncomment:
SecurityPolicyImplementation Python
VerboseSecurity On
Maybe then you'll see more information. And how to debug the zope part of authentication... You may possibly take a look at the sources of RemoteUserAuth. It is possibly something with that. Simplest debugging may be done by adding
print 'hello - im here!'
statements to the RemoteUserAuth code, and then running Zope with ./runzope (or runzope.bat on Windows). It doesn't detach from the console and you'll see your printed statements. You may also use pdb - python debugger: http://plone.org/documentation/how-to/using-pdb
However, when I try to access the ZMI via apache (http://myhost.com/manage which gets rewritten to http://localhost:8080/manage in apache proxy), I am prompted via basic auth for username and password, and anything I enter is rejected. Typically apache rewrites make use of VirtualHostMonster in Zope but your how-to uses a different syntax.
The expected behavior is that mod_fba sets an authorization header with a username from pubcookie and sends it to zope with a page request for the ZMI. I don't understand why this SSO is about ZMI? ZMI is Zope Management Interface - so it is rather for managers/programmers, not for typical users. Strange.
We've successfully implemented an SSO solution with CAS. There are nice plugins for Zope and Plone to deal with this. -- Maciej Wisniowski
Maciej, Thanks for the tips. I will try adding print statements and see where that leads me. As for understanding pubcookie, I'm not sure that's totally necessary. I'm quite certain that that part of the operation is working correctly. It's just what happens after that that I'm having problems with. If you are interested, the 'RemoteUserAuth' product and its companion, 'CACSiteRoot', the sources can be downloaded from the tutorial page: http://www.washington.edu/webinfo/case/zope/ It'd be great, though, if there were zope gurus out there who had experience working with pubcookie. I've found a few messages on boards from a while back that seemed to indicate that there were folks working on a PAS plugin that would incorporate pubcookie, but I haven't seen any information indicating that that was ever successful. C
On Thu, 16 Nov 2006, Maciej Wisniowski wrote:
Does the 2.7 edition of the zope book that I can find on plope.org cover security as handled by PAS? No.
If you are interested, the 'RemoteUserAuth' product and its companion, 'CACSiteRoot', the sources can be downloaded from the tutorial page:
Yup, I've just downloaded those. Seems that RemoteUserAuth does some dirty hacks in Zope publisher :/ This seems to be from 2004. I'm not sure if it'll work with newer Zope versions. CACSiteRoot seems to translate URLs... something like VirtualHostMonster. But I'm not sure why somebody reinvented the wheel, so it possibly does something more.
It'd be great, though if there were zope gurus out there who had experience working with pubcookie. I've found a few messages on boards from a while back that seemed to indicate that there were folks working on a PAS plugin that would incorporate pubcookie, but I haven't seen any information indicating that that was ever successful. Hm... I've looked at: http://www.pubcookie.org/docs/how-pubcookie-works.html
This is not detailed enough but it seems that it should not be difficult to do it with PAS. In general it is a bit similar to the CAS solution, but CAS doesn't use so many cookies. I mean CAS4PAS may be a good base for Pubcookie4PAS :) If you want to know more about PAS take a look into its sources at interfaces.py and docs/. If you want you may take a look at the CAS4PAS plugin. It is simple, but it is good to know how CAS and PAS work to understand this. -- Maciej Wisniowski
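The two plugin roles a Pubcookie4PAS would need, sketched as an added example (not Cris's or Maciej's code and not CAS4PAS): an extraction plugin that takes the user name the proxy asserted, and an authentication plugin that accepts it without a password check. It assumes the extractCredentials/authenticateCredentials method contract and the request._authUserPW() helper as I recall them from PAS's interfaces.py and its HTTPBasicAuthHelper (check there), imports nothing from PAS so it runs stand-alone, and uses a constructed FakeRequest. The trusted-proxy address check is the one thing that keeps a password-less acceptance safe: a request that did not come through the proxy falls through to the ordinary password-checking plugins.

```python
"""Extraction + authentication pair for proxy-asserted users, in the shape of PAS plugins.
Added example; method names follow PAS's contract as recalled, not copied from PAS."""

TRUSTED_PROXIES = frozenset({"127.0.0.1"})  # assumption: Apache proxies from the same host


class RemoteUserExtractor:
    """IExtractionPlugin: take the user name the front-end proxy put in the Basic
    Authorization header, but only when the request really came from that proxy."""

    def extractCredentials(self, request):
        remote_addr = request.environ.get("REMOTE_ADDR")
        login_pw = request._authUserPW()  # (name, password) or None, as PAS's Basic helper uses it
        if login_pw is None or remote_addr not in TRUSTED_PROXIES:
            return {}  # nothing to offer; PAS moves on to the next extractor
        name, _password = login_pw  # password is empty in remote-user mode and is ignored
        return {"remote_user": name, "extractor": "trusted-proxy"}


class RemoteUserAuthenticator:
    """IAuthenticationPlugin: accept the asserted name without a password check,
    but only for credentials produced by the extractor above."""

    def __init__(self, known_users):
        self.known_users = set(known_users)  # e.g. the names listed in the 'access' file

    def authenticateCredentials(self, credentials):
        if credentials.get("extractor") != "trusted-proxy":
            return None  # credentials from the normal Basic helper keep their password check
        user = credentials.get("remote_user")
        if user not in self.known_users:
            return None
        return (user, user)  # PAS expects (user_id, login)


class FakeRequest:
    """Constructed stand-in for a Zope request: environ plus the _authUserPW() helper."""

    def __init__(self, environ, auth_pw):
        self.environ = environ
        self._auth_pw = auth_pw

    def _authUserPW(self):
        return self._auth_pw


def authenticate(request, known_users):
    """Run the two-step PAS flow for one request; returns (user_id, login) or None."""
    creds = RemoteUserExtractor().extractCredentials(request)
    if not creds:
        return None
    return RemoteUserAuthenticator(known_users).authenticateCredentials(creds)
```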
On Thu, 16 Nov 2006, Maciej Wisniowski wrote:
Does the 2.7 edition of the zope book that I can find on plope.org cover security as handled by PAS? No. I saw the second message for this, so what I read about order of actions in the 2.7 book will apply to how PAS is working as well? I just don't want to get confused by learning something that isn't actually how my system is working.
If you are interested, the 'RemoteUserAuth' product and its companion, 'CACSiteRoot', the sources can be downloaded from the tutorial page:
Yup, I've just downloaded those.
Seems that RemoteUserAuth does some dirty hacks in Zope publisher :/ This seems to be from 2004. I'm not sure if it'll work with newer Zope versions. CACSiteRoot seems to translate URLs... something like VirtualHostMonster. But I'm not sure why somebody reinvented the wheel, so it possibly does something more.
Yeah, I'm not so sure either, but the instructions say to use them, so I'm using them. I think the reason for CACSiteRoot is to preserve the http/https nature of the original request header, but why is not totally clear to me (to say the least) ;)
It'd be great, though if there were zope gurus out there who had experience working with pubcookie. I've found a few messages on boards from a while back that seemed to indicate that there were folks working on a PAS plugin that would incorporate pubcookie, but I haven't seen any information indicating that that was ever successful. Hm... I've looked at: http://www.pubcookie.org/docs/how-pubcookie-works.html
This is not detailed enough but it seems that it should not be difficult to do it with PAS. In general it is a bit similar to the CAS solution, but CAS doesn't use so many cookies. I mean CAS4PAS may be a good base for Pubcookie4PAS :)
If you want to know more about PAS take a look into its sources at interfaces.py and docs/. Yeah, I knew I'd need to get good at reading python sooner or later.
If you want you may take a look at the CAS4PAS plugin. It is simple, but it is good to know how CAS and PAS work to understand this. I will do so. This seems a good place to start.
-- Maciej Wisniowski
I saw the second message for this, so what I read about order of actions in the 2.7 book will apply to how PAS is working as well? I just don't want to get confused by learning something that isn't actually how my system is working. What order of actions? The 2.7 book's part about security describes general concepts of Zope security. It is rather essential to know these things (like roles, permissions etc). If you use PAS then PAS becomes part of this. Read the text files in docs/ in PluggableUserFolder; these are helpful too.
-- Maciej Wisniowski
Maciej, I've begun reading the docs in the PluggableAuthService product and will do the same for the docs in PluggableUserFolders. I'm finding that the docs for PAS are telling me a bit of what I need to know. When I've read more, and am more able to describe my troubles, I'll return. Thanks for the info today. Cris
On Fri, 17 Nov 2006, Maciej Wisniowski wrote:
Does the 2.7 edition of the zope book that I can find on plope.org cover security as handled by PAS? C
On Thu, 16 Nov 2006, Maciej Wisniowski wrote: