[Zope] SSL for authentication only

Mike Renfro renfro@tntech.edu
Wed, 1 Aug 2001 15:40:40 -0500


On Wed, Aug 01, 2001 at 06:48:42PM +0000, Stephan Goeldi wrote:

> I only need SSL for the authentication. I think there should be a
> possibility to let Apache look at the url, and if there is a /manage
> string, it would redirect it to the virtual SSL-server. After this,
> encryption is not needed anymore and it can go on at the unencrypted
> virtual server.

We're working on a restricted-access site here where we'll have lots
of usernames/passwords flying around without using the ZMI. So while
intercepting /manage URLs might work in your case, it wouldn't catch
every potential object that might require authentication.

Also, consider the case of adding new users into your acl_users
folder: did you just send a username and password combination over the
network in plaintext while you were creating that user? Was there a
/manage anywhere in the transaction for Apache to intercept and
rewrite?

-- 
Mike Renfro  / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University -- renfro@tntech.edu
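
The point made in the reply above, as an added example that is not part of the original message: a check over captured plaintext HTTP requests that lists the ones carrying credentials which a redirect keyed on `/manage` would never match. The sample requests, paths, usernames, passwords and form field names are constructed assumptions, not taken from any real Zope site.

```python
import base64
from urllib.parse import parse_qs

# Constructed plaintext requests; hosts, paths and credentials are hypothetical.
def _basic(cred):
    return b"Authorization: Basic " + base64.b64encode(cred) + b"\r\n"

SAMPLE_REQUESTS = [
    b"GET /manage HTTP/1.0\r\nHost: example.org\r\n" + _basic(b"admin:s3cret") + b"\r\n",
    b"GET /members/report HTTP/1.0\r\nHost: example.org\r\n" + _basic(b"alice:hunter2") + b"\r\n",
    b"POST /signup/addMember HTTP/1.0\r\nHost: example.org\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"name=bob&password=pw1&confirm=pw1",
    b"GET /index_html HTTP/1.0\r\nHost: example.org\r\n\r\n",
]

PASSWORD_FIELDS = {"password", "passwd", "confirm"}  # assumed form field names

def parse_request(raw):
    """Split a raw request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body.decode("latin-1")

def credential_exposure(raw):
    """Return (path, kind, user) if the request carries a secret, else None."""
    _method, path, headers, body = parse_request(raw)
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic" and token:
        # Basic auth is only base64, and it is resent on every protected request.
        user = base64.b64decode(token).decode("latin-1").partition(":")[0]
        return path, "basic-auth", user
    fields = parse_qs(body)
    if PASSWORD_FIELDS.intersection(fields):
        return path, "form-password", fields.get("name", ["?"])[0]
    return None

def missed_by_manage_rule(requests):
    """Credential-bearing requests that a '/manage' URL match would not catch."""
    found = [e for e in map(credential_exposure, requests) if e]
    return [e for e in found if "/manage" not in e[0]]

if __name__ == "__main__":
    for path, kind, user in missed_by_manage_rule(SAMPLE_REQUESTS):
        print(f"plaintext {kind} for {user!r} at {path}")
```
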