[Zope-dev] Re: I'm locked out of managing my CMF folders, because it asks me to log in and the password doesn't work.

Leonardo Rochael Almeida leo@hiper.com.br
04 Mar 2002 14:41:16 -0300


Based on your description below, it seems your RewriteRule is not written
correctly. To make proper use of the VirtualHostMonster it should read
(all in one line):

RewriteRule ^(.*)$ http://localhost:8080/VirtualHostBase/http/www.DonHopkins.com/80/Don/Hopkins/VirtualHostRoot$1 [P,L]

The 'L' in '[P,L]' is optional but makes sure this is the last rewrite
rule to be applied. The 'localhost:8080' part could be anything as long
as it finds the correct Zope. The
'VirtualHostBase/http/www.DonHopkins.com/80/' part (including the '/80'
part) is really important to make sure Zope knows which server it is
pretending to be from and displays the proper 'host part' of generated
URLs AND AUTHENTICATION MECHANISMS (this is the part that could be
biting you). The '/Don/Hopkins/' part before the VirtualHostRoot tells
Zope which folder it is actually serving and the 'VirtualHostRoot$1'
part makes sure Zope knows it is pretending that 'Don/Hopkins' is the
root of the URL space.

You can think of it as meaning the /Don/Hopkins folder of the
localhost:8080 Zope is mounted in the root folder of
www.DonHopkins.com:80.

Making sure Zope correctly knows where it's pretending to be from is
very important in authentication/authorization matters, since browsers
promptly discard any authentication request (and cookie requests, for
that matter) for a site they are not visiting as a means to prevent
cross site exploits.

Other than that, proxying through Apache should pass authentication headers
normally, without any other effort on your part.

Cheers, Leo

On Mon, 2002-03-04 at 03:46, Don Hopkins wrote:
> Hmm, after looking at the logs, it seems like it's not passing authorization
> info through the virtual host proxy rewrite rule.
> When I set Apache up to use a proxy rewrite rule, it asks me to log in
> instead of showing the folder manager, and the hits come from anonymous:
> 
> [apache configuration for the name based virtual server DonHopkins.com]
> 
> RewriteRule ^/(.*) http://www.DonHopkins.com:8080/Don/Hopkins/$1 [p]
> 
> [zope log of clicking in logged in zope manager tree view on "/Don/Hopkins"
> cmf folder, which contains a virtual host monster]
> 
> 216.175.91.16 - dhopkins [03/Mar/2002:23:33:01 -0700] "GET /Don/Hopkins/manage_workspace HTTP/1.1" 302 473 "http://www.donhopkins.com:8080/manage_menu" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
> 216.218.252.133 - Anonymous [03/Mar/2002:23:33:01 -0700] "GET /Don/Hopkins/manage_main HTTP/1.0" 302 617 "http://www.donhopkins.com:8080/manage_menu" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
> 216.218.252.133 - Anonymous [03/Mar/2002:23:33:01 -0700] "GET /Don/Hopkins/login_form?came_from=http://www.DonHopkins.com/Don/Hopkins/manage_main&retry= HTTP/1.0" 200 4046 "http://www.donhopkins.com:8080/manage_menu" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
> 216.218.252.133 - Anonymous [03/Mar/2002:23:33:01 -0700] "GET /Don/Hopkins/default_stylesheet HTTP/1.0" 200 5513 "http://www.donhopkins.com/Don/Hopkins/login_form?came_from=http%3A//www.DonHopkins.com/Don/Hopkins/manage_main&retry=" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
> 
> Notice that the proxy requests come from 216.218.252.133 [the server's ip]
> as Anonymous. Is the auth info not getting passed?
> 
> But when I change the apache rewrite rule to use external redirect instead
> of internal proxy, it works and shows me the folder manager, and the hits
> come from the right place, but the url in the browser is unnecessarily long
> and nasty.
> 
>   RewriteRule ^/(.*) http://www.DonHopkins.com:8080/Don/Hopkins/$1 [R]
> 
> 
> 216.175.91.16 - dhopkins [03/Mar/2002:23:35:03 -0700] "GET /Don/Hopkins/manage_workspace HTTP/1.1" 302 473 "http://www.donhopkins.com:8080/manage_menu" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
> 216.175.91.16 - dhopkins [03/Mar/2002:23:35:04 -0700] "GET /Don/Hopkins/manage_main HTTP/1.1" 200 32200 "http://www.donhopkins.com:8080/manage_menu" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
> 
> I've been able to get it to work with external redirects instead of internal
> proxy, but the path displayed in the manager doubles it up:
> Don/Hopkins/Don/Hopkins ...
> So I put in the first rewrite rule with the ^/Don/Hopkins prefix, and that
> eliminated the weird double path prefix behavior I was getting.
> 
>   RewriteRule ^/Don/Hopkins/(.*) http://www.DonHopkins.com:8080/Don/Hopkins/$1 [R]
> 
> Is there a better way for me to rewrite zope virtual host requests, so the
> authentication headers go through properly?
> I want to have apache handle https and logging, but let zope handle its own
> user authentication.
> And I want the url of the web browser to be short and sweet, not showing
> :8080 or the virtual host subdirectories.
> Should I be using fastcgi (or slow cgi) instead of internal proxy, and
> trying to trick it into passing the authorization in its own way?
> 
> Thanks a lot for the help! There are so many options it's quite
> overwhelming...
> 
>     -Don
> 
> ----- Original Message -----
> From: "Leonardo Rochael Almeida" <leo@hiper.com.br>
> To: "Don Hopkins" <xardox@mindspring.com>
> Cc: "Zope Developers" <zope-dev@zope.org>
> Sent: Sunday, March 03, 2002 9:14 PM
> Subject: Re: [Zope-dev] I'm locked out of managing my CMF folders, because it
> asks me to log in and the password doesn't work.
> 
> 
> > On Mon, 2002-03-04 at 01:36, Don Hopkins wrote:
> > > I am now locked out of my CMF site, and I can't figure out how to get back in.
> > > [...]
> > > I can log into the top level Zope manager, and look at the Zope tree. I just
> > > can't manage_edit my CMF site.
> > > When I click on a CMF site in the tree on the left, it does not edit the
> > > directory view in the main frame.
> > > Instead, it goes to the CMF login page in that frame.
> >
> > Are you using Mozilla, Netscape >= 6.0 or another mozilla based browser?
> > If so, you might be hitting a little odd-but-rfc-allowed mozilla
> > behaviour where, even after asking the user for basic-auth credentials
> > for a protected page, it doesn't send them for other protected pages in
> > the same domain until the web server has responded with
> > 'authorization-required' for every one of them. Because of that, when
> > you're viewing a page in Zope that is protected by cookie based
> > authentication, mozilla will not send basic-auth credentials at first,
> > causing the cookie login form to kick in before zope issues an
> > 'authorization-required' response.
> >
> > I hope this explanation is not too confusing :-)
> >
> > Anyway, try accessing your site with another browser to see if the
> > problem persists. Konqueror, for instance, doesn't have this problem.
> 
-- 
Ideas don't stay in some minds very long because they don't like
solitary confinement.
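As an added illustration of Leo's explanation (this is not code from the thread, from Zope or from Apache), a simplified model of how the VirtualHostMonster reinterprets the path it receives: it compares the base URL Zope will believe it is served from under Leo's VirtualHostBase rule and under Don's plain proxy rule, and checks whether that base URL matches the site the browser is actually visiting, which is the condition under which the browser keeps sending its credentials. The `Resolved`, `resolve`, `leo_rule`, `don_rule` and `credentials_carry` names are my own; the VHM path handling is reduced to the VirtualHostBase/VirtualHostRoot markers that the thread discusses.

```python
# Added example: a simplified model of Zope's VirtualHostMonster (VHM)
# path handling, written for this thread; not Zope's own implementation.
from dataclasses import dataclass

PUBLIC_SITE = "http://www.DonHopkins.com"  # origin the browser is visiting


@dataclass
class Resolved:
    server_url: str     # base URL Zope puts into generated links and redirects
    physical_path: str  # folder Zope actually traverses


def resolve(path: str, zope_host: str = "localhost:8080") -> Resolved:
    """Interpret the proxied PATH_INFO the way the VHM does (simplified)."""
    parts = [p for p in path.split("/") if p]
    if not parts or parts[0] != "VirtualHostBase":
        # No VHM marker: Zope believes it is served directly from zope_host,
        # so every URL it generates points there instead of at PUBLIC_SITE.
        return Resolved(f"http://{zope_host}", "/" + "/".join(parts))
    if len(parts) < 4:
        raise ValueError("VirtualHostBase needs /<proto>/<host>/<port>")
    proto, host, port, rest = parts[1], parts[2], parts[3], parts[4:]
    default_port = {"http": "80", "https": "443"}[proto]
    netloc = host if port == default_port else f"{host}:{port}"
    # Segments before VirtualHostRoot are the real folder (Don/Hopkins);
    # segments after it are what the browser asked for under the virtual root.
    if "VirtualHostRoot" in rest:
        i = rest.index("VirtualHostRoot")
        rest = rest[:i] + rest[i + 1:]
    return Resolved(f"{proto}://{netloc}", "/" + "/".join(rest))


def leo_rule(request_path: str) -> str:
    """Path part of Leo's target: .../Don/Hopkins/VirtualHostRoot$1 with $1 = '/...'."""
    return ("/VirtualHostBase/http/www.DonHopkins.com/80/Don/Hopkins/VirtualHostRoot"
            + request_path)


def don_rule(request_path: str) -> str:
    """Path part of Don's target: http://www.DonHopkins.com:8080/Don/Hopkins/$1."""
    return "/Don/Hopkins/" + request_path.lstrip("/")


def credentials_carry(resolved: Resolved) -> bool:
    """Browsers keep Basic-auth credentials and cookies per site, so Zope's
    generated URLs must name the site the user is visiting or the next
    request arrives as Anonymous (as in Don's log)."""
    return resolved.server_url.lower() == PUBLIC_SITE.lower()
```

Running `resolve(leo_rule("/manage_main"))` yields a server URL of `http://www.DonHopkins.com` and a physical path of `/Don/Hopkins/manage_main`, while `resolve(don_rule("/manage_main"), "www.DonHopkins.com:8080")` traverses the same folder but advertises `http://www.DonHopkins.com:8080`, the mismatch Leo describes.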