[Zope] Zope security management

Tres Seaver tseaver@digicool.com
Tue, 20 Mar 2001 09:48:47 -0500


Bill Welch wrote:

> To achieve genuine security, you have to do something about the 'password
> in the clear' problem.
> 
> part 1)  With basic auth (the zope default), the user's name and password
> are sent in the clear with every request.
> 
> part 2) With form based login (login manager, zmc), the user's name and
> password are sent in the clear when the login form is submitted.
> 
> Solution: Have to go with form based login that uses ssl to send user's
> name and password. Unfortunately, in my experience, ssl support for zope
> is only third party (no offense to Mr. Siong or Mr. Bickers, thanks for
> your work so far) and hard to integrate, when this is really a core
> requirement.
> 
> I think this is something that DC has to handle.

The standards-compliant way to deal with this problem is to use
HTTP Digest Auth, as specified in RFC 2617:

  http://www.ietf.org/rfc/rfc2617.txt

Doing digest auth properly is a future direction for Zope, because
it will help our WebDAV integration story (tools like cadaver do
digest auth already).

Given the availability of Apache+SSL (and others like Roxen) to
front-end Zope, we are highly unlikely to add SSL into the Zope
core;  it incurs non-trivial development and configuration costs
for those who *don't* need it.

Tres.
-- 
===============================================================
Tres Seaver                                tseaver@digicool.com
Digital Creations     "Zope Dealers"       http://www.zope.org
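The RFC 2617 Digest Auth exchange Tres points to, written out as an added example (it is not code from the thread, from Zope, or from Digital Creations). It implements the `algorithm=MD5`, `qop="auth"` variant on both sides: the client derives `request-digest` from `H(A1)` and the server's nonce, and the server verifies it against a stored `H(A1)` while rejecting replayed nonce counts. The realm `zope`, the user `alice`, the password and the request path are constructed values; the `Mufasa` / `testrealm@host.com` vectors come from section 3.5 of the RFC itself.

```python
"""RFC 2617 HTTP Digest Authentication (algorithm=MD5, qop="auth"), both sides.

Constructed example: the realm, users, passwords and request path are made up.
"""
import hashlib
import hmac
import re
import secrets

def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()

def h_a1(username: str, realm: str, password: str) -> str:
    # H(A1) is the only value derived from the password (RFC 2617 section 3.2.2.2);
    # a server may store H(A1) instead of the cleartext password.
    return md5_hex(f"{username}:{realm}:{password}")

def request_digest(h1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str,
                   qop: str = "auth") -> str:
    # request-digest for qop="auth" (RFC 2617 section 3.2.2.1).
    h2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")

def client_authorization(username, realm, password, method, uri, nonce,
                         nc="00000001", cnonce=None) -> str:
    """Client side: answer a WWW-Authenticate challenge with an Authorization header."""
    cnonce = cnonce or secrets.token_hex(8)
    response = request_digest(h_a1(username, realm, password), method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')

_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

def parse_authorization(header: str) -> dict:
    """Split 'Digest k="v", k2=v2, ...' into a dict; quoted and unquoted values allowed."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    out = {}
    for m in _PARAM_RE.finditer(params):
        out[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return out

class DigestServer:
    """Server side: issue challenges, verify responses, refuse nonce replay."""

    def __init__(self, realm: str, credentials: dict):
        self.realm = realm
        self.h1_by_user = {u: h_a1(u, realm, p) for u, p in credentials.items()}
        self.nonces = {}  # nonce -> highest nonce-count accepted so far

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return f'Digest realm="{self.realm}", qop="auth", nonce="{nonce}"'

    def verify(self, header: str, method: str, uri: str) -> bool:
        try:
            p = parse_authorization(header)
            nc = int(p["nc"], 16)
        except (ValueError, KeyError):
            return False
        if not {"username", "realm", "nonce", "uri", "cnonce", "response"} <= p.keys():
            return False
        if p["realm"] != self.realm or p["uri"] != uri:
            return False
        last_nc = self.nonces.get(p["nonce"])
        if last_nc is None or nc <= last_nc:      # never issued, or replayed
            return False
        h1 = self.h1_by_user.get(p["username"])
        if h1 is None:
            return False
        expected = request_digest(h1, method, uri, p["nonce"], p["nc"], p["cnonce"],
                                  p.get("qop", "auth"))
        if not hmac.compare_digest(expected, p["response"]):
            return False
        self.nonces[p["nonce"]] = nc
        return True

def rfc2617_example_response() -> str:
    # The worked example from RFC 2617 section 3.5, used to check the arithmetic.
    h1 = h_a1("Mufasa", "testrealm@host.com", "Circle Of Life")
    return request_digest(h1, "GET", "/dir/index.html",
                          "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b")

def demo() -> dict:
    """One challenge/response round trip plus the two failure modes worth checking."""
    server = DigestServer("zope", {"alice": "s3cret-pa55"})
    nonce = parse_authorization(server.challenge())["nonce"]
    good = client_authorization("alice", "zope", "s3cret-pa55", "GET", "/index_html", nonce)
    bad = client_authorization("alice", "zope", "wrong", "GET", "/index_html", nonce, nc="00000002")
    return {
        "password_on_wire": "s3cret-pa55" in good,  # only digests travel, never the password
        "first": server.verify(good, "GET", "/index_html"),
        "replay": server.verify(good, "GET", "/index_html"),
        "wrong_password": server.verify(bad, "GET", "/index_html"),
    }

if __name__ == "__main__":
    print(rfc2617_example_response())
    print(demo())
```

The replay check is the part a minimal implementation usually leaves out: without tracking `nc` per nonce, a captured `Authorization` header is as reusable as a Basic Auth header, so Digest only fixes the "password in the clear" problem and not request replay. Digest also does nothing for the confidentiality of the rest of the request, which is why the Apache+SSL front end Tres mentions remains the complement rather than the alternative.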