Zserver: IP address based authorization?
Hi,
I'm new to Zope and haven't figured out how to allow only a specified set of IP addresses or hostnames access to a folder.
I assume that the "domains" attribute of anonymous user permissions could maybe be used here somehow? I haven't seen any documentation on this attribute.
Or, would using the GenericUserFolder product be the way to go? It looks like it could be adapted to do this, but the description doesn't mention address-based auth explicitly.
Thanks,
Robb
You could build a new standard header/footer pair and include some dtml-if decisions on IP addresses. Everything that is a peer or child of that folder object would then be allowed/denied based on IP.
Would that work?
Cheers,
Jules
On Thu, Feb 03, 2000 at 01:15:48PM +0100, Robb Shecter wrote:
|I'm new to Zope and haven't figured out how to allow only a specified
|set of IP addresses or hostnames access to a folder.
Jules wrote:
You could build a new standard header/footer pair and include some dtml-if decisions on IP addresses. Everything that is a peer or child of that folder object would then be allowed/denied based on IP.
Would that work?
Hi,
Yes - that would definitely work, and I can do that if I can't find anything else: I think it'd be best to have the authorization be separated from the content, like the standard authorization is.
(BTW, anyone know how questions like this can be put into an FAQ? I'd assume that lots of people might have this one, since this is a feature that Apache has, and needs to be replaced if you go with ZServer all the way.)
Thanks,
Robb
At 1:15 pm +0100 3/2/00, Robb Shecter wrote:
Hi,
I'm new to Zope and haven't figured out how to allow only a specified set of IP addresses or hostnames access to a folder.
I assume that the "domains" attribute of anonymous user permissions could maybe be used here somehow? I haven't seen any documentation on this attribute.
Essentially yes. Set the password to blank and put the IP addresses you want to provide access to in the domains box. Change the role to be 'Owner' or something and turn off 'Acquire Permissions' and 'View' for the index_html DTML in the target folder. Make the index_html DTML have 'View' permission for the role you've set up. That should do it. There's also some messages lurking in the archives on this issue.
tone
------
Dr Tony McDonald, FMCC, Networked Learning Environments Project http://nle.ncl.ac.uk/
The Medical School, Newcastle University Tel: +44 191 222 5888
Fingerprint: 3450 876D FA41 B926 D3DD F8C3 F2D0 C3B9 8B38 18A2
Tony McDonald wrote:
At 1:15 pm +0100 3/2/00, Robb Shecter wrote:
Hi,
I'm new to Zope and haven't figured out how to allow only a specified set of IP addresses or hostnames access to a folder.
I assume that the "domains" attribute of anonymous user permissions could maybe be used here somehow? I haven't seen any documentation on this attribute.
Essentially yes. Set the password to blank and put the IP addresses you want to provide access to in the domains box. Change the role to be 'Owner' or something and turn off 'Acquire Permissions' and 'View' for the index_html DTML in the target folder. Make the index_html DTML have 'View' permission for the role you've set up. That should do it.
Hi,
Thanks. What format should the IP addresses be specified in? (ie: a comma separated list, or...) Are wild cards allowed? Is this documented somewhere?
If this (address-based authorization) isn't documented somewhere yet, I can make a "tip" on zope.org, once I get it working...
- Robb
At 6:05 pm +0100 3/2/00, Robb Shecter wrote:
Hi,
Thanks. What format should the IP addresses be specified in? (ie: a comma separated list, or...) Are wild cards allowed? Is this documented somewhere?
Mine are space separated. You can use wildcards, *.ncl.ac.uk gets all boxes in our domain. *.ncl.ac.uk *.dur.ac.uk gets two universities. I believe it is documented, but if you're stuck, look at the source :) (lib/python/AccessControl/User.py: I think)
If this (address-based authorization) isn't documented somewhere yet, I can make a "tip" on zope.org, once I get it working...
- Robb
That would be cool, the more How-Tos the better! :) There is a discussion in the archives between Martijn and me over authentication using IP addresses and such. I don't have a URL though :(
tone.
------
Dr Tony McDonald, FMCC, Networked Learning Environments Project http://nle.ncl.ac.uk/
The Medical School, Newcastle University Tel: +44 191 222 5888
Fingerprint: 3450 876D FA41 B926 D3DD F8C3 F2D0 C3B9 8B38 18A2
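An added illustration, not part of the thread and not Zope's AccessControl code: a matcher for a space-separated "domains" value with `*` wildcards, as described in the replies above. The matching rules (wildcards aligned to label boundaries, failing closed when no reverse-DNS hostname is known), the function names and the sample values are assumptions.

```python
import re

# Constructed illustration only; the rules below are assumptions, not Zope's.
# A spec made of digits, dots and '*' is treated as an IP pattern.
_IP_SPEC = re.compile(r"^[0-9*]+(\.[0-9*]+){0,3}$")


def parse_domains(field):
    """Split the contents of the 'domains' box into individual specs."""
    return field.split()


def _ip_matches(spec, addr):
    """Octet-by-octet comparison; '*' stands for exactly one octet."""
    s, a = spec.split("."), addr.split(".")
    return len(s) == len(a) and all(x == "*" or x == y for x, y in zip(s, a))


def _host_matches(spec, host):
    """Compare whole DNS labels, so '*.ncl.ac.uk' cannot match
    'pc1.evilncl.ac.uk' the way a plain suffix test would."""
    s = spec.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if s[0] == "*":
        # A leading '*' covers one or more leftmost labels.
        return len(h) >= len(s) and h[-(len(s) - 1):] == s[1:]
    return s == h


def spec_matches(spec, addr, host=None):
    if _IP_SPEC.match(spec):
        return _ip_matches(spec, addr)
    # Hostname spec with no resolved hostname: deny rather than guess.
    return host is not None and _host_matches(spec, host)


def is_allowed(field, addr, host=None):
    """True if the client matches any spec; an empty field allows nobody."""
    return any(spec_matches(s, addr, host) for s in parse_domains(field))


if __name__ == "__main__":
    domains = "*.ncl.ac.uk *.dur.ac.uk 192.0.2.*"   # constructed sample value
    for addr, host in [("198.51.100.7", "pc1.ncl.ac.uk"),
                       ("198.51.100.8", "pc1.evilncl.ac.uk"),
                       ("192.0.2.10", None),
                       ("198.51.100.9", None)]:
        print(addr, host, is_allowed(domains, addr, host))
```

Hostname specs depend on reverse DNS, which is controlled by whoever operates the client's address block, so a hostname match is weaker evidence than an IP match; behind a proxy both are only as good as the address the server is actually given.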