[Zope] Zope security management

Dario Lopez-Kästen dario@ita.chalmers.se
Fri, 23 Mar 2001 09:59:56 +0100


[Sorry - my mailer cheated on me. Once more]


This is not in Zope yet, I am working on making it so

Here's how I do it in PLSQL:

Two steps:

1) the form action element calls the login method using https://

<form method="post" action="https://...../mts2.login">

This is not necessary however, you could still use

<form method="post" action="mts2.login">

because

2)

The login method checks to see if it is called from a valid port. This
is the first statement in the method (or procedure as it is called in
plsql-ish):

    begin
        -- check if we are secure
        if not wutl.is_ssl then raise ssl_not_used; end if;

Here is the is_ssl procedure:

function is_ssl return boolean is
    current_port varchar2(5);
begin
    -- is_ssl returns true if the port number of the call is from valid ports
    -- SSL uses 443 as standard
    -- use cgi environment variable: SERVER_PORT = 443
    current_port := owa_util.get_cgi_env('SERVER_PORT');
    if NVL(to_number(current_port), 0) in (443) then
        return true;
    end if;
    return false; -- if null or not eq SSL_PORT
end;

Now in Zope we have access to more info than I have with the PLSQL
WebToolkit. Besides using the Server Port, I could also look at the
URL, the Server URL and some more elements in the REQUEST object, and
watch for URLs that begin with "https:".

What I am not sure about is how this would work with Apache running as a
Proxy.

Anyway; this works for me in the PLSQL things I run, and makes sure that
the requests I accept in my programs are used only with SSL in known
ports. This of course assumes knowledge that I actually run SSL on the
specified ports.

/dario


----- Original Message -----
From: "Bill Welch" <bill@carbonecho.com>
To: <zope@zope.org>
Sent: Thursday, March 22, 2001 8:16 PM
Subject: Re: [Zope] Zope security management


> Please share with us how you make sure that the login form can only be
> used over SSL.
>
> Bill.
>
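
The check described in the message, carried over to Python as an added example (not code from the post or from Zope): it keeps the SERVER_PORT test, adds the "https:" URL test, and covers the Apache-as-proxy case. It assumes the proxy connects from an address in TRUSTED_PROXIES and sets X-Forwarded-Proto; all function and constant names are hypothetical.

```python
# Added example; is_ssl, login, SSL_PORTS and TRUSTED_PROXIES are hypothetical names.
SSL_PORTS = {443}                # ports on which SSL is known to run
TRUSTED_PROXIES = {"127.0.0.1"}  # assumption: Apache proxies from the same host


def is_ssl(env):
    """True only if the request in env (dict of CGI-style variables) used SSL."""
    if env.get("REMOTE_ADDR") in TRUSTED_PROXIES:
        # Proxied: SERVER_PORT/SERVER_URL describe the proxy-to-backend hop,
        # so rely on the scheme the trusted proxy reports (assumed header).
        proto = env.get("HTTP_X_FORWARDED_PROTO") or ""
        return proto.strip().lower() == "https"
    # Direct: the forwarded header is client-controlled here and is ignored.
    try:
        port = int(env.get("SERVER_PORT") or "")
    except ValueError:
        return False             # missing or non-numeric port: fail closed
    if port not in SSL_PORTS:
        return False
    url = env.get("SERVER_URL")
    return url is None or url.lower().startswith("https:")


def login(env):
    """First statement mirrors the PL/SQL: refuse unless SSL was used."""
    if not is_ssl(env):
        raise PermissionError("ssl_not_used")
    return "login accepted"


# Constructed sample requests (addresses from documentation ranges).
SAMPLES = {
    "direct_https": {"SERVER_PORT": "443", "REMOTE_ADDR": "192.0.2.10",
                     "SERVER_URL": "https://www.example.org"},
    "direct_http": {"SERVER_PORT": "80", "REMOTE_ADDR": "192.0.2.10",
                    "SERVER_URL": "http://www.example.org"},
    "proxied_https": {"SERVER_PORT": "8080", "REMOTE_ADDR": "127.0.0.1",
                      "SERVER_URL": "http://localhost:8080",
                      "HTTP_X_FORWARDED_PROTO": "https"},
    "proxied_http": {"SERVER_PORT": "8080", "REMOTE_ADDR": "127.0.0.1",
                     "SERVER_URL": "http://localhost:8080",
                     "HTTP_X_FORWARDED_PROTO": "http"},
    "spoofed_header": {"SERVER_PORT": "80", "REMOTE_ADDR": "192.0.2.10",
                       "SERVER_URL": "http://www.example.org",
                       "HTTP_X_FORWARDED_PROTO": "https"},
}
```

The proxy branch is only sound if the backend port is unreachable from anywhere except the proxy, and if the proxy overwrites any X-Forwarded-Proto value sent by the client.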