[Zope] apache authentication with proxy -- remote user mode
zope-mailinglist
zope-mailinglist@mopa.at
Fri, 23 Aug 2002 09:27:00 +0200
Dieter Maurer wrote:
> zope-mailinglist writes:
> > the apache server authenticates successfully
> > and in the z2.log file i see that the remote_user variable is passed
> > over, but zope always wants to switch back to normal user authentication
> > and wants credentials. (btw. the user is existent in the root user folder)
> >
> > is it possible, that this is a proxy problem, do i need to pass
> > additional information?
> I think it is possible.
>
> You need to put Zope in "_remote_user_mode".
> Look at "AccessControl/User" for how to do that...
>
>
> Dieter
thanks for your reply
sorry, forgot to state that zope already runs in _remote_user_mode
the problem seems to be that zope looks in request.environ['REMOTE_USER']
which is not present in the zope process, only in the apache process --
seems that remote_user_mode is only for cgi mode, where apache passes
its environment variables to the cgi.
i found out that i need request._auth
this is the base64 encoded user:pw string
i tried it out by changing the source of User.py like this:
replace:
    name = request.environ.get('REMOTE_USER', None)
with:
    name = self.identify(request._auth)[0]
... and it works, but that can only be a temporary solution.
the problem is that if i do this, users can easily be faked by just
using another apache proxy which authenticates users with the same name.
therefore a domain restriction needs to be applied.
maybe this is a new feature for zope such as "proxy_authentication_mode".
i think i have to subclass UserFolder and User and then provide the
appropriate validate method
is there another solution?
tia, bernd
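
The domain restriction asked for above, as an added example that is not part of the original post and not Zope code: the user name from the forwarded credentials is accepted only when the connection comes from an allowed proxy address. The names TRUSTED_PROXIES, peer_is_trusted and proxy_authenticated_name are hypothetical, the addresses are constructed, and the credential value is assumed to have the HTTP Basic form "Basic " + base64("user:pw"). The password is not checked here because the proxy has already done that.

```python
import base64
import binascii
import ipaddress

# Constructed sample: the only hosts allowed to vouch for a user name.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32"),
                   ipaddress.ip_network("10.0.0.5/32")]


def peer_is_trusted(remote_addr, trusted=TRUSTED_PROXIES):
    """True only if the connecting peer is one of the allowed proxies."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # missing or malformed address: never trusted
    return any(addr in net for net in trusted)


def proxy_authenticated_name(auth_header, remote_addr, trusted=TRUSTED_PROXIES):
    """Return the user name vouched for by a trusted proxy, else None.

    auth_header is assumed to look like: "Basic " + base64("user:pw").
    remote_addr must be the address of the TCP peer, not a value taken
    from a request header, which any client could set.
    """
    if not peer_is_trusted(remote_addr, trusted):
        return None  # same user name from an unknown proxy is rejected
    if not auth_header:
        return None
    scheme, _, payload = auth_header.strip().partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        raw = base64.b64decode(payload.strip(), validate=True)
        decoded = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not valid base64 or not text
    name, sep, _password = decoded.partition(":")
    if not sep or not name:
        return None  # no "user:pw" structure
    return name
```

A validate method in a UserFolder subclass could call such a check and fall back to normal authentication when it returns None.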