[Zope] Zope security management
Tres Seaver
tseaver@digicool.com
Tue, 20 Mar 2001 09:48:47 -0500
Bill Welch wrote:
> To achieve genuine security, you have to do something about the 'password
> in the clear' problem.
>
> part 1) With basic auth (the zope default), the user's name and password
> are sent in the clear with every request.
>
> part 2) With form based login (login manager, zmc), the user's name and
> password are sent in the clear when the login form is submitted.
>
> Solution: Have to go with form based login that uses ssl to send user's
> name and password. Unfortunately, in my experience, ssl support for zope
> is only third party (no offense to Mr. Siong or Mr. Bickers, thanks for
> your work so far) and hard to integrate, when this is really a core
> requirement.
>
> I think this is something that DC has to handle.
The standards-compliant way to deal with this problem is to use
HTTP Digest Auth, as specified in RFC 2617:
http://www.ietf.org/rfc/rfc2617.txt
Doing digest auth properly is a future direction for Zope, because
it will help our WebDAV integration story (tools like cadaver do
digest auth already).
Given the availability of Apache+SSL (and others like Roxen) to
front-end Zope, we are highly unlikely to add SSL into the Zope
core; it incurs non-trivial development and configuration costs
for those who *don't* need it.
Tres.
--
===============================================================
Tres Seaver tseaver@digicool.com
Digital Creations "Zope Dealers" http://www.zope.org
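The contrast the thread draws, worked through as an added example (not code from the thread or from Zope): Basic auth's header can be decoded by anyone who sees it, while the RFC 2617 Digest scheme (MD5, qop=auth) sends only hashes and lets the server verify against a stored HA1. The user name, realm, password and nonce values are constructed.

```python
import base64
import hashlib
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def basic_header(username: str, password: str) -> str:
    """The Authorization header Basic auth attaches to every request."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def basic_credentials(header: str) -> tuple:
    """Base64 is an encoding, not protection: the password comes straight back."""
    user, pw = base64.b64decode(header.split(" ", 1)[1]).decode().split(":", 1)
    return user, pw


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response = KD(HA1, nonce:nc:cnonce:qop:HA2), HA2 = H(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_header(username, realm, password, method, uri, nonce, nc="00000001", cnonce=None):
    """Client side: the password only ever enters a hash, never the wire."""
    cnonce = cnonce or secrets.token_hex(8)
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    resp = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def parse_digest(header: str) -> dict:
    fields = {}
    for part in header[len("Digest "):].split(", "):
        k, v = part.split("=", 1)
        fields[k] = v.strip('"')
    return fields


def verify_digest(header, method, stored_ha1, expected_nonce) -> bool:
    """Server side: keeps HA1 (not the password) and recomputes the response."""
    f = parse_digest(header)
    if f.get("nonce") != expected_nonce:  # foreign or stale nonce: reject the replay
        return False
    good = digest_response(stored_ha1, method, f["uri"], f["nonce"], f["nc"], f["cnonce"])
    return secrets.compare_digest(good, f["response"])
```

Note that HA1 is bound to the realm, so a server-side HA1 store still needs protecting: whoever obtains it can answer challenges for that realm without knowing the password.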