[Zope-dev] Re: I'm locked out of managing my CMF folders, because it asks me to log in and the password doesn't work.

Don Hopkins xardox@mindspring.com
Sun, 3 Mar 2002 22:46:28 -0800


Hmm, after looking at the logs, it seems like it's not passing authorization
info through the virtual host proxy rewrite rule.
When I set Apache up to use a proxy rewrite rule, it asks me to log in
instead of showing the folder manager, and the hits come from anonymous:

[apache configuration for the name based virtual server DonHopkins.com]

RewriteRule ^/(.*) http://www.DonHopkins.com:8080/Don/Hopkins/$1 [p]

[zope log of clicking in logged in zope manager tree view on "/Don/Hopkins"
cmf folder, which contains a virtual host monster]

216.175.91.16 - dhopkins [03/Mar/2002:23:33:01 -0700] "GET /Don/Hopkins/manage_workspace HTTP/1.1" 302 473 "http://www.donhopkins.com:8080/manage_menu" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
216.218.252.133 - Anonymous [03/Mar/2002:23:33:01 -0700] "GET /Don/Hopkins/manage_main HTTP/1.0" 302 617 "http://www.donhopkins.com:8080/manage_menu" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
216.218.252.133 - Anonymous [03/Mar/2002:23:33:01 -0700] "GET /Don/Hopkins/login_form?came_from=http://www.DonHopkins.com/Don/Hopkins/manage_main&retry= HTTP/1.0" 200 4046 "http://www.donhopkins.com:8080/manage_menu" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
216.218.252.133 - Anonymous [03/Mar/2002:23:33:01 -0700] "GET /Don/Hopkins/default_stylesheet HTTP/1.0" 200 5513 "http://www.donhopkins.com/Don/Hopkins/login_form?came_from=http%3A//www.DonHopkins.com/Don/Hopkins/manage_main&retry=" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"

Notice that the proxy requests come from 216.218.252.133 [the server's ip]
as Anonymous. Is the auth info not getting passed?

But when I change the apache rewrite rule to use external redirect instead
of internal proxy, it works and shows me the folder manager, and the hits
come from the right place, but the url in the browser is unnecessarily long
and nasty.

  RewriteRule ^/(.*) http://www.DonHopkins.com:8080/Don/Hopkins/$1 [R]


216.175.91.16 - dhopkins [03/Mar/2002:23:35:03 -0700] "GET /Don/Hopkins/manage_workspace HTTP/1.1" 302 473 "http://www.donhopkins.com:8080/manage_menu" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
216.175.91.16 - dhopkins [03/Mar/2002:23:35:04 -0700] "GET /Don/Hopkins/manage_main HTTP/1.1" 200 32200 "http://www.donhopkins.com:8080/manage_menu" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"

I've been able to get it to work with external redirects instead of internal
proxy, but the path displayed in the manager doubles it up:
Don/Hopkins/Don/Hopkins ...
So I put in the first rewrite rule with the ^/Don/Hopkins prefix, and that
eliminated the weird double path prefix behavior I was getting.

  RewriteRule ^/Don/Hopkins/(.*) http://www.DonHopkins.com:8080/Don/Hopkins/$1 [R]

Is there a better way for me to rewrite zope virtual host requests, so the
authentication headers go through properly?
I want to have apache handle https and logging, but let zope handle its own
user authentication.
And I want the url of the web browser to be short and sweet, not showing
:8080 or the virtual host subdirectories.
Should I be using fastcgi (or slow cgi) instead of internal proxy, and
trying to trick it into passing the authorization in its own way?

Thanks a lot for the help! There are so many options it's quite
overwhelming...

    -Don

----- Original Message -----
From: "Leonardo Rochael Almeida" <leo@hiper.com.br>
To: "Don Hopkins" <xardox@mindspring.com>
Cc: "Zope Developers" <zope-dev@zope.org>
Sent: Sunday, March 03, 2002 9:14 PM
Subject: Re: [Zope-dev] I'm locked out of managing my CMF folders, because it asks me to log in and the password doesn't work.


> On Mon, 2002-03-04 at 01:36, Don Hopkins wrote:
> > I am now locked out of my CMF site, and I can't figure out how to get
> > back in.
> > [...]
> > I can log into the top level Zope manager, and look at the Zope tree. I
> > just can't manage_edit my CMF site.
> > When I click on a CMF site in the tree on the left, it does not edit the
> > directory view in the main frame.
> > Instead, it goes to the CMF login page in that frame.
>
> Are you using Mozilla, Netscape >= 6.0 or another mozilla based browser?
> If so, you might be hitting a little odd-but-rfc-allowed mozilla
> behaviour where, even after asking the user for basic-auth credentials
> for a protected page, it doesn't send them for other protected pages in
> the same domain until the web server has responded with
> 'authorization-required' for every one of them. Because of that, when
> you're viewing a page in Zope that is protected by cookie based
> authentication, mozilla will not send basic-auth credentials at first,
> causing the cookie login form to kick in before zope issues an
> 'authorization-required' response.
>
> I hope this explanation is not too confusing :-)
>
> Anyway, try accessing your site with another browser to see if the
> problem persists. Konqueror, for instance, doesn't have this problem.
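
An added example, not part of the original message or of Zope: a small Python check over the Zope access-log lines quoted above that flags management requests arriving from the proxy's address with no authenticated user, which is the symptom described. The function names, and the rule that a management request is one whose last path segment starts with `manage`, are assumptions of this example.

```python
import re

# Combined-format access log line, the layout of the Zope log lines in the message.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Log lines taken from the message above, with the e-mail line wrapping undone.
SAMPLE_LOG = [
    '216.175.91.16 - dhopkins [03/Mar/2002:23:33:01 -0700] "GET /Don/Hopkins/manage_workspace HTTP/1.1" 302 473 "http://www.donhopkins.com:8080/manage_menu" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"',
    '216.218.252.133 - Anonymous [03/Mar/2002:23:33:01 -0700] "GET /Don/Hopkins/manage_main HTTP/1.0" 302 617 "http://www.donhopkins.com:8080/manage_menu" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"',
    '216.218.252.133 - Anonymous [03/Mar/2002:23:33:01 -0700] "GET /Don/Hopkins/login_form?came_from=http://www.DonHopkins.com/Don/Hopkins/manage_main&retry= HTTP/1.0" 200 4046 "http://www.donhopkins.com:8080/manage_menu" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"',
    '216.175.91.16 - dhopkins [03/Mar/2002:23:35:04 -0700] "GET /Don/Hopkins/manage_main HTTP/1.1" 200 32200 "http://www.donhopkins.com:8080/manage_menu" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"',
]

def parse(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_management(target):
    """Assumed rule: the last path segment (query stripped) starts with 'manage'."""
    path = target.split("?", 1)[0]
    return path.rstrip("/").rsplit("/", 1)[-1].startswith("manage")

def unauthenticated_proxy_hits(lines, proxy_ips, anonymous="Anonymous"):
    """Management requests that arrived from a proxy address with no user name."""
    hits = []
    for rec in filter(None, map(parse, lines)):
        if (rec["ip"] in proxy_ips and rec["user"] == anonymous
                and is_management(rec["target"])):
            hits.append((rec["ts"], rec["target"], int(rec["status"])))
    return hits

def users_by_source(lines):
    """Map each client address to the set of user names logged for it."""
    seen = {}
    for rec in filter(None, map(parse, lines)):
        seen.setdefault(rec["ip"], set()).add(rec["user"])
    return seen

if __name__ == "__main__":
    # 216.218.252.133 is the server's own address, as stated in the message.
    for hit in unauthenticated_proxy_hits(SAMPLE_LOG, {"216.218.252.133"}):
        print(hit)
```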