[Zope] Zope security management

Bernd Worsch <bernd.worsch@frontsite.de>
Mon, 19 Mar 2001 18:54:21 +0100


On Mon, Mar 19, 2001 at 12:07:05PM -0500, Bill Welch wrote:
> To achieve genuine security, you have to do something about the 'password
> in the clear' problem.
> 
> part 1)  With basic auth (the zope default), the user's name and password
> are sent in the clear with every request.
> 
> part 2) With form based login (login manager, zmc), the user's name and
> password are sent in the clear when the login form is submitted.
> 
> Solution: Have to go with form based login that uses ssl to send user's
> name and password. Unfortunately, in my experience, ssl support for zope
> is only third party (no offense to Mr. Siong or Mr. Bickers, thanks for
> your work so far) and hard to integrate, when this is really a core
> requirement.
> 
> I think this is something that DC has to handle.
> 
> Bill.
> 

Well, you're quite right, but this is another problem with Zope security
and more or less independent of Zope's security management features.

BTW, isn't it normally recommended to shield ZServer with Apache doing
the SSL stuff? If so, then at least some workaround is possible.

The kind of complicated and unusual management of security in Zope, on
the other hand, applies even when only doing intranet stuff without
any connection to the outside. As pointed out before, the problem isn't
that one can't realize the security policy he/she wishes, but that it is
quite painful at times.

Suppose the following object/folder hierarchy:

  A containing AA and AB. AA containing AAA and AAB, AB containing ABA and ABB.
  
  A 
   AA
    AAA
    AAB
   AB
    ABA
    ABB

  Suppose there is a role R which grants access to some objects. All the users
  have role R everywhere except in AAA and ABA. As far as I know there is no
  way to realize this security policy using role R alone.

  What you can do, is click through the security tabs in AAA and ABA so that
  role R isn't known in AAA and ABA blocking access to them. Then you define
  the role S in AAA and ABA, by checking the same boxes as you had in role R.
  Now you can give some of your users the local role S in AAA and ABA.

So, it works, but it isn't really funny. But maybe I'm mistaken and there is
an elegant solution for this kind of policy?

best regards 
Bernd   

-- 

-----Bernd Worsch-----------bernd.worsch@frontsite.de--------
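The following is an added example, not code from the thread or from Zope itself. It is a small stand-alone model of the two Zope 2 mechanisms Bernd's workaround relies on: each object maps a permission to a set of roles and either acquires its parent's settings for that permission or not, and users hold global roles plus local roles that are inherited by everything below the object they were granted on. The folder tree, the permission name "View", the roles R and S and the users alice and bob are assumptions chosen to mirror the message; the point it makes visible is that with a single global role R the users are indistinguishable, so the restricted folders need both the un-acquired permission setting and a second role handed out locally.

```python
"""Illustrative model of Zope 2 style permission resolution (added example,
not Zope's own code). Names, roles, users and the 'View' permission are
assumptions mirroring the folder tree discussed in the message."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Obj:
    name: str
    parent: Obj | None = None
    # permission -> roles granted that permission directly on this object
    roles_for: dict[str, set[str]] = field(default_factory=dict)
    # permission -> whether parent settings are acquired (Zope's default: yes)
    acquire: dict[str, bool] = field(default_factory=dict)
    # user -> local roles granted on this object (inherited by children)
    local_roles: dict[str, set[str]] = field(default_factory=dict)

    def roles_with_permission(self, perm: str) -> set[str]:
        """Effective roles holding `perm` here, walking up while acquiring."""
        roles = set(self.roles_for.get(perm, set()))
        if self.acquire.get(perm, True) and self.parent is not None:
            roles |= self.parent.roles_with_permission(perm)
        return roles

    def user_roles(self, user: str, global_roles: dict[str, set[str]]) -> set[str]:
        """Global roles plus local roles on this object and all its ancestors."""
        roles = set(global_roles.get(user, set()))
        node: Obj | None = self
        while node is not None:
            roles |= node.local_roles.get(user, set())
            node = node.parent
        return roles

    def allowed(self, user: str, perm: str, global_roles: dict[str, set[str]]) -> bool:
        """Access is granted when the user holds at least one role that has `perm` here."""
        return bool(self.user_roles(user, global_roles) & self.roles_with_permission(perm))


def build_policy() -> tuple[dict[str, Obj], dict[str, set[str]]]:
    """Build the tree from the message and apply the R / S workaround."""
    a = Obj("A")
    aa, ab = Obj("AA", a), Obj("AB", a)
    aaa, aab = Obj("AAA", aa), Obj("AAB", aa)
    aba, abb = Obj("ABA", ab), Obj("ABB", ab)
    tree = {o.name: o for o in (a, aa, aaa, aab, ab, aba, abb)}

    # Role R holds View at the root; every other object acquires that setting.
    a.roles_for["View"] = {"R"}
    # All users have R as a global role (assumed users).
    global_roles = {"alice": {"R"}, "bob": {"R"}}

    # The workaround: in AAA and ABA stop acquiring View so R is no longer
    # known there, grant View to a new role S instead, and hand S out locally.
    for restricted in (aaa, aba):
        restricted.acquire["View"] = False
        restricted.roles_for["View"] = {"S"}
    aaa.local_roles["bob"] = {"S"}  # only bob may enter AAA; nobody enters ABA yet
    return tree, global_roles


def allowed(tree: dict[str, Obj], global_roles: dict[str, set[str]],
            user: str, name: str, perm: str = "View") -> bool:
    return tree[name].allowed(user, perm, global_roles)


def access_matrix(tree, global_roles, users, perm="View") -> dict[str, dict[str, bool]]:
    """user -> {object name -> allowed?}, handy for eyeballing the whole policy."""
    return {u: {n: allowed(tree, global_roles, u, n, perm) for n in tree} for u in users}


if __name__ == "__main__":
    t, g = build_policy()
    for user, row in access_matrix(t, g, ("alice", "bob")).items():
        print(user, " ".join(f"{n}:{'ok' if ok else '--'}" for n, ok in row.items()))
```

Leaving the acquire flag on in AAA while merely unchecking R there would change nothing, because the roles for View are unioned with the parent's on the way up; clearing the flag is what makes R "unknown" in the subtree, and only then does a locally granted S distinguish bob from alice.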