Russell,

I sympathize. I am in a similar position (corporate intranet uses a proxy that authenticates before proxying). My solution so far has been to use Zope-2.6.2 in PCGI mode. This has left quite a bit to be desired (slow, seem to be some buffering issues that prevent download of large content). I've brought it up on this list before but everybody says the same thing that they are saying to you, i.e. "that's the wrong way to do it". Unfortunately, for me it is the only way I'm allowed to do it. I was quite optimistic that Plone might catch on here, but I can't even get my site to work 100% so people are quite hesitant to use it. Because I'm using PCGI I'm stuck with Zope-2.6.2 so not only does the site not work 100%, I can't even run new versions of anything.

You might look at some of the customizable authentication products. I've looked at some of them and while several claim great flexibility through custom plug-ins, I couldn't really understand how to accomplish what I needed to do.

If you find a solution, let me know.

-- Mike
-----Original Message-----
From: zope-bounces@zope.org [mailto:zope-bounces@zope.org] On Behalf Of Russell Seymour
Sent: Friday, October 29, 2004 6:17 AM
To: Cliff.Ford@ed.ac.uk
Cc: zope@zope.org
Subject: Re: [Zope] Apache ProxyPass to Zope
Thanks for the suggestions Cliff, the thing is that I need Apache to take care of the authentication.
This is because I am setting up a Zope application within an existing Virtual Host which already has the authentication setup on it. This is done using a Perl script which communicates with a Windows 2003 AD. I want to keep it this way so that it is easy to understand where the authentication is taking place and is only in one place.
Is it not possible to do what I want to do at all?
Thanks, Russell
Cliff Ford wrote:
I guess I would put it a bit stronger than Tino: don't waste your time trying to authenticate with Apache. Just pass the request through Apache to Zope and do the authentication there. In my site, one of the things that Apache does is switch to secure mode (https) for login. It is Zope that needs to authenticate by changing its AUTHENTICATED_USER from Anonymous to something else.
Cliff
Russell Seymour wrote:
Good evening list,
I have been trying to get the REMOTE_USER variable to be seen by Zope. I have almost got there by using various articles on the Internet, but I need a little bit of help to get the last bit working.
I have got Apache performing the authentication and this works well as I get the Zope page when I enter a valid username and password. I have noticed that the Z2 log file for my Zope instances contains the username that I have used to access the site, but I cannot get Zope itself to see the username - this is the most confusing bit for me as it surely means that the username is being passed to Zope.
The following is a snippet from my Apache:
<Location /zope>
    AuthName "Zope Access"
    AuthType Basic
    <AUTHENTICATION ROUTINES>
    require valid-user
    ProxyPass http://x.x.x.x:8080/zope
</Location>
ProxyPassReverse /zope http://x.x.x.x:8080/zope
This all works brilliantly apart from the fact that I cannot get the username in Zope. I need this so I can do some custom authorisation to a database that my Zope application accesses.
I have tried many different variations using RewriteRule and trying to set the environment variables but to no avail.
Thanks to anyone that can give me some pointers.
Russell

_______________________________________________
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )
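Added example, not part of any message in this thread: REMOTE_USER is a variable inside the Apache process and is not transmitted over a proxied HTTP connection, but a reverse proxy forwards the client's `Authorization: Basic` header by default, which is consistent with the user name showing up in the Z2 log. The sketch below shows how a backend could recover that name while accepting it only from the proxy; `proxied_username`, the header dict and the proxy address are hypothetical names and placeholder values, not Zope's API.

```python
import base64

# Assumption: the address Apache's mod_proxy connects from (placeholder value).
TRUSTED_PROXIES = {"192.0.2.10"}


def proxied_username(headers, peer_addr, trusted=TRUSTED_PROXIES):
    """Return the user name Apache already authenticated, or None.

    headers   -- dict of request headers as received by the backend
    peer_addr -- IP address of the TCP peer (must be the proxy itself)
    """
    # Anyone who can reach the backend port directly can send any
    # Authorization header, so identity is accepted only from the proxy.
    if peer_addr not in trusted:
        return None
    lowered = {k.lower(): v for k, v in headers.items()}
    scheme, _, token = lowered.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, _password = decoded.partition(":")
    # The password is dropped: Apache has verified it already.
    return user if sep and user else None


# Constructed sample: headers the backend would receive for user "russell".
SAMPLE_REQUEST = {
    "Host": "x.x.x.x:8080",
    "Authorization": "Basic " + base64.b64encode(b"russell:s3cret").decode(),
}

if __name__ == "__main__":
    print(proxied_username(SAMPLE_REQUEST, "192.0.2.10"))    # via the proxy
    print(proxied_username(SAMPLE_REQUEST, "198.51.100.7"))  # direct hit on :8080
    print("REMOTE_USER" in SAMPLE_REQUEST)                   # never sent as a header
```

The peer-address check only holds if the backend port is also firewalled or bound so that nothing except the proxy can connect to it.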
I was shooting from the hip last night, having just come in from a 'good night out'. I don't know if this would work, head being still a bit fuzzy, but here is how I might approach the problem:

Users logged into Zope have a cookie called __aca (using exUserFolder with secure cookies at least) so you might test for its existence to see if the user is logged in (to avoid authentication for every page and every graphic). If not, just call whatever function the Zope login page calls, passing it the form variables __ac_name and __ac_password. If that works then just call the original page with the returned __aca cookie.

With exUserFolder you can call any external authentication method - just pass it the Username and Password and it should return true or false. You should be able to call the Perl script mentioned. I think Zope basic authentication uses something other than __aca so you will need to figure out what to test for.

Oh - and set the security permissions in Zope so that authentication is required in case you get it wrong and leave security holes.

Cliff
Just to add to that last message. If I type this into my browser url box:

http://www.mysite.com/docLoginAction?__ac_name=myname&__ac_password=mypass&destination=http://www.mysite.com/admin/index.html

(all on one line) I get straight into an area where login is required without going through the Zope login dialog. I wouldn't type this of course, for obvious security reasons. In Apache, you just need to test for the existence of the Zope 'authenticated indicator' (if that is possible) and do this sort of rewrite if the parameter does not exist.

Cliff
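Added example, not part of any message in this thread: a login URL carrying `__ac_name` and `__ac_password` in the query string is written in full to web server access logs, so the check below finds such requests and redacts the password before the log is shared or archived. The log lines are constructed, the NCSA-style request-line format is an assumption, and `redact_line` and `scan` are hypothetical helper names.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SECRET_PARAMS = {"__ac_password"}  # parameter name taken from the thread
# Assumption: NCSA common/combined format, request line in double quotes.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def redact_line(line):
    """Return (line_with_password_redacted, leaked) for one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, False
    parts = urlsplit(m.group("target"))
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if not any(name in SECRET_PARAMS for name, _ in pairs):
        return line, False
    clean = [(n, "REDACTED" if n in SECRET_PARAMS else v) for n, v in pairs]
    target = urlunsplit(parts._replace(query=urlencode(clean)))
    return line[:m.start("target")] + target + line[m.end("target"):], True


def scan(lines):
    """Return [(line_number, redacted_line)] for lines that leaked a password."""
    hits = []
    for number, line in enumerate(lines, 1):
        redacted, leaked = redact_line(line)
        if leaked:
            hits.append((number, redacted))
    return hits


# Constructed sample log lines (addresses from documentation ranges).
SAMPLE_LOG = [
    '192.0.2.44 - - [29/Oct/2004:10:01:02 +0000] "GET /docLoginAction?'
    '__ac_name=myname&__ac_password=mypass&destination=/admin/index.html'
    ' HTTP/1.1" 302 0',
    '192.0.2.44 - myname [29/Oct/2004:10:01:03 +0000] '
    '"GET /admin/index.html HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for number, redacted in scan(SAMPLE_LOG):
        print(number, redacted)
```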
participants (2): Cliff Ford; Tiller, Michael (M.M.)