I'm using zope 2.6.2 and m2crypto and it works great. (Thanks to the writers of the excellent products and packages.) But I would like to be able to set some pages/folders as secure (https) and others as plain (http).

I've installed SSLAbsoluteURL but it seems to demand that I use links of a certain format:

can't use: (end brackets removed for html email readers)
A HREF="/Services/Support/Zope">Zope Support</A
but rather must use:
A HREF="<dtml-var "Services.Support.Zope" url>">Zope Support</A
A HREF="<dtml-var "Zope" url>">Zope Support</A
or this:
A HREF="&dtml.url-Zope;">Zope Support</A

I have several important questions about this.

1. Is my understanding correct?

2. Is there another way to set the links (or better--the pages and folders) to be ssl besides the greatly appreciated but apparently somewhat limited SSLAbsoluteURL format or manually changing each of the links? All of my links are in the format:
a href="/root/somewhere/index_html">foo</a
and don't find https and I'd rather not change them all if I can help it.

3. If I remove the 's' from 'https' after following one of my encrypted links I can still get the page unencrypted (i.e. http://...). Is there any way to stop this? It seems to defeat the purpose of encryption.

Thanks for your help.
joshua
On 12/02/2003 12:25 AM, Joshua Newman wrote:
I've installed SSLAbsoluteURL but it seems to demand that I use links of a certain format:
A HREF="/Services/Support/Zope">Zope Support</A
but rather must use:
A HREF="<dtml-var "Services.Support.Zope" url>">Zope Support</A
1. Is my understanding correct?
It is. SSLAbsoluteURL modifies the absolute_url method to detect an SSL property and adjust the returned URL accordingly. It does no magic with "normal" URLs in HTML.
2. Is there another way to set the links (or better--the pages and folders) to be ssl besides the greatly appreciated but apparently somewhat limited SSLAbsoluteURL format or manually changing each of the links? All of my links are in the format:
a href="/root/somewhere/index_html">foo</a
and don't find https and I'd rather not change them all if I can help it.
I feel your pain. :-) I'm still trying to figure out the best way to do this since I (the author of SSLAbsoluteURL) don't particularly care for having to munge my URLs either. I've gone back to just spelling it out with the full URL when I need to go to SSL or back. I don't like that either, but it works. The problem is (or was at the time I wrote SSLAbsoluteURL) that the HTML is not preprocessed by anything in Zope. That is, there's nowhere to put a program for handling an href attribute. Although... hmmm... since Page Template source is parsed, I'm wondering if there's some way to do this with Page Templates. I'll look into it eventually.
3. If I remove the 's' from 'https' after following one of my encrypted links I can still get the page unencrypted (i.e.http://...). Is there any way to stop this? It seems to defeat the purpose of encryption.
If you were using Apache SSL, you could handle this via Apache config, but I don't know about m2crypto.

--
Ron Bickers
Logic Etc, Inc.
On Mon, 2003-12-01 at 21:25, Joshua Newman wrote:
I've installed SSLAbsoluteURL but it seems to demand that I use links of a certain format: can't use: (end brackets removed for html email readers) A HREF="/Services/Support/Zope">Zope Support</A
but rather must use:
A HREF="<dtml-var "Services.Support.Zope" url>">Zope Support</A A HREF="<dtml-var "Zope" url>">Zope Support</A or this: A HREF="&dtml.url-Zope;">Zope Support</A
I haven't used that package... but at some level, you're just returning a string with https:// in it. The client neither knows nor cares how it was generated.

There are plenty of ways you could wrap your hrefs in something that checked which protocol the link should be served under. Say, for example, you had an object called http_mode that you put at the root of any hierarchy that needed a particular http/https value set. Then you could pass link hrefs to something like:

---
split_url = my_url.split(':')
split_url[0] = context.http_mode()
return ':'.join(split_url)
---
3. If I remove the 's' from 'https' after following one of my encrypted links I can still get the page unencrypted (i.e.http://...). Is there any way to stop this? It seems to defeat the purpose of encryption.
This is something that Apache's much better at, honestly. But if you want a pure ZServer solution and had already set up those http_mode objects used above, you could easily insert a check that will break non-conforming requests, e.g.:

----
if context.REQUEST.URL.split(':')[0] != context.http_mode():
    raise RuntimeError, 'This resource may only be viewed with https'
----

HTH,
Dylan
On 2/12/2003, at 6:25 PM, Joshua Newman wrote:
2. Is there another way to set the links (or better--the pages and folders) to be ssl besides the greatly appreciated but apparently somewhat limited SSLAbsoluteURL format or manually changing each of the links? All of my links are in the format:
a href="/root/somewhere/index_html">foo</a
and don't find https and I'd rather not change them all if I can help it.
3. If I remove the 's' from 'https' after following one of my encrypted links I can still get the page unencrypted (i.e.http://...). Is there any way to stop this? It seems to defeat the purpose of encryption.
One solution is to write an access rule that redirects an incoming http request to the https equivalent url. Then use this access rule in any of the folders that you want to be accessed only via https. Such an access rule would look something like:

    # Bind the request and response objects inside the Python Script
    request = context.REQUEST
    response = request.RESPONSE
    # HTTPS is only present in the environment for SSL requests
    if not request.environ.get('HTTPS',None):
        url = 'https://' + request.HTTP_HOST + request.PATH_INFO
        if request.QUERY_STRING:
            url += '?' + request.QUERY_STRING
        response.redirect( url, status=301, lock=1 )

Michael
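An added example, not written by any poster in this thread: the redirect computation from the access rule above as a stand-alone Python 3 function over a CGI-style environ dictionary, with no Zope imports. Because HTTP_HOST comes from the client's Host header, this version checks it against an allow-list before it reaches the Location URL; the function name, the allow-list and the host names are assumptions made for the illustration.

```python
import re

# Constructed allow-list: the only host names this site will redirect to.
ALLOWED_HOSTS = {"www.example.com", "example.com"}

# Host header shape: a DNS-style name with an optional numeric port.
_HOST_RE = re.compile(r"^([A-Za-z0-9.-]+)(?::(\d{1,5}))?$")


def is_https(environ):
    """True when the server marked the request as SSL.

    Same idea as the access rule's HTTPS test, except that an explicit
    'off' or '0' (set by some front ends) also counts as plain HTTP.
    """
    return str(environ.get("HTTPS", "")).lower() not in ("", "off", "0")


def https_redirect_target(environ, allowed_hosts=ALLOWED_HOSTS, https_port=443):
    """Return the https URL to send a plain-HTTP request to, or None.

    Raises ValueError if the Host header is missing, malformed or not in
    the allow-list, so a forged value is never echoed into a redirect.
    """
    if is_https(environ):
        return None
    match = _HOST_RE.match(environ.get("HTTP_HOST", ""))
    if not match or match.group(1).lower() not in allowed_hosts:
        raise ValueError("untrusted Host header")
    host = match.group(1).lower()
    # Drop the plain-HTTP port; name a port only if HTTPS is not on 443.
    if https_port != 443:
        host = "%s:%d" % (host, https_port)
    url = "https://" + host + (environ.get("PATH_INFO") or "/")
    if environ.get("QUERY_STRING"):
        url += "?" + environ["QUERY_STRING"]
    return url
```

In a real access rule the ValueError case would become an error response rather than a redirect.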
participants (4): Dylan Reinhardt, Joshua Newman, Michael Dunstan, Ron Bickers