[Zope] Re: problems with NTUserFolder.

CLAIN Jephte minf7@educ.univ-reunion.fr
Wed, 31 May 2000 16:09:31 +0400


"Jay, Dylan" wrote:
> 
> I'm a little confused over this.
> From your previous mail I understood that jcNTUserFolder was to be used only
> behind IIS. It interpreted the REMOTE_USER var passed in after
> challenge/response authentication by IIS and made this into a Zope user.
> Now you're talking about jcForceAuth and saying that users login using basic
> authentication with their NT username and password??????
> 
> Under what circumstances can you use challenge/response vs basic
> authentication?
My apologies for taking so long to respond. Our mail server had some
problems...

Well, Zope can do both authentication methods (but not at the same
time!): 'standard' basic authentication mode or 'remote user'
authentication mode. It depends on the content of the access file. This
is documented somewhere in Zope documentation.
In basic authentication mode, the browser gives Zope the username and
the password, and asks if it is correct. If Zope says 'no', the browser
asks again until the user gives the right username/password pair. Zope
can only do the BASIC authentication.
In remote user authentication mode, the web server on top of Zope
(apache or IIS, or whatever) *does* the authentication (it checks the
username/password). Once the user is authenticated, the web server
passes Zope the REMOTE_USER variable, which is the username of the
authenticated user.
My product is compatible with the two schemes. However, Zope is unable
to do challenge/response authentication, so you have to put it under a
web server that is capable of doing such authentication (i.e., IIS). If
you use my product with vanilla Zope, your users can still authenticate
by using their NT username/password.

The difference is:
- behind IIS, Zope *always* gets the user info, and they are not aware
of it.
- vanilla Zope does not bring up the authentication dialog if content is
anonymous, so your users can still browse the site while being
anonymous. This is where my jcForceAuth product comes in, because it asks
the users to authenticate even if they view anonymous content.

hope it's clear now.
jephte clain
minf7@educ.univ-reunion.fr

ps: I don't speak/write English very well. So if the above is still
unclear, perhaps someone on the list can better explain.
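
The two modes described in this message, as an added Python sketch (not code from Zope, jcNTUserFolder or jcForceAuth). The function names, the `force_auth` flag, the WSGI-style `environ` keys and the sample account are assumptions made for illustration.

```python
import base64
import hmac

USERS = {"jdoe": "s3cret"}  # constructed sample account, stands in for the NT user database

def parse_basic(header):
    """Return (username, password) from a Basic Authorization header, or None."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def check_password(user, password):
    """Constant-time comparison against the sample account store."""
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())

def authenticate(environ, mode, content_is_anonymous, force_auth=False):
    """Return (status, username); 401 makes the browser show its login dialog."""
    if mode == "remote_user":
        # The front-end web server has already checked the password. Only the
        # server-set REMOTE_USER key is read: a client-sent "Remote-User" header
        # arrives as HTTP_REMOTE_USER and is ignored, as is any Authorization header.
        user = environ.get("REMOTE_USER") or None
        return (200, user) if user or content_is_anonymous else (401, None)
    # Basic mode: the application itself checks the username/password pair.
    creds = parse_basic(environ.get("HTTP_AUTHORIZATION"))
    if creds:
        return (200, creds[0]) if check_password(*creds) else (401, None)
    if content_is_anonymous and not force_auth:
        return (200, None)  # anonymous browsing, no dialog shown
    return (401, None)  # protected content, or force_auth: ask for credentials

def basic_header(user, password):
    """Build the header a browser sends after the user fills in the dialog."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

In remote user mode the application trusts whatever sets `REMOTE_USER`, so the application port must be reachable only through the authenticating web server.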