[Zope] Digest Auth or SSL?

Paul Horbal horbal@vlsi.enel.ucalgary.ca
Thu, 20 Jun 2002 14:33:04 -0600


Hi everyone,

I'm wondering what experiences people have had trying to implement digest authentication or SSL on their Zope sites.

Here's my situation:

I have ZServer proxied by Apache.  Areas of our site are password-protected and require a valid user.  Unfortunately, this authentication is Basic and cleartext usernames/passwords are sent.  Obviously less than ideal.  At present, acceptable, since our website user database is independent from our actual user accounts for the lab in which we work.  Some day, I would like to get Zope to use LDAP for user authentication - but there is no way that could happen unless authentication for the website was seriously secure.  There is some third-party IP in our lab and NDAs aside, they generally don't like to find gaping security holes in our system.

I understand Digest has some definite shortcomings and to my knowledge, isn't even implemented in Zope.  But with HTTPS, I have another problem.  Specifically, not all of the site is password-protected.  I don't want every visitor using HTTPS to browse the site.  I only want secure authentication for password-protected areas of the site.  So when a user goes to www.mysite.com/private, he will be authenticated securely.

Any suggestions or pointers would be much appreciated...

Thanks,
Paul.

-- 
horbal@atips.ca
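One way to get the split described in the post (plain HTTP for the public pages, HTTPS only under /private) from the Apache front end is shown below. This is an added example, not configuration from the original post or from the Zope project; it assumes ZServer listens on 127.0.0.1:8080, that a VirtualHostMonster is installed in the Zope root, that mod_rewrite, mod_proxy and mod_ssl are loaded, and it uses placeholder certificate paths; the hostname www.mysite.com is the one used in the post.

```apache
# Added example: Apache proxying ZServer, with HTTPS enforced only for /private.
# Assumed: ZServer on 127.0.0.1:8080, VirtualHostMonster in the Zope root,
# mod_rewrite + mod_proxy + mod_ssl loaded. Certificate paths are placeholders.

# Port 80: public pages are proxied over plain HTTP. Requests under /private are
# redirected to HTTPS before Zope can answer them, so the HTTP side never issues
# a 401 challenge and Basic credentials are never solicited in the clear.
<VirtualHost *:80>
    ServerName www.mysite.com
    RewriteEngine On
    # Bounce the protected area to the TLS virtual host.
    RewriteRule ^/private(.*)$ https://www.mysite.com/private$1 [R=301,L]
    # Everything else is proxied to ZServer; VirtualHostBase tells Zope the
    # externally visible scheme/host/port so generated links stay on http://.
    RewriteRule ^/(.*)$ http://127.0.0.1:8080/VirtualHostBase/http/www.mysite.com:80/VirtualHostRoot/$1 [P,L]
</VirtualHost>

# Port 443: TLS terminates here, so the Authorization header for /private is
# encrypted between browser and Apache. The hop to ZServer is loopback only.
<VirtualHost *:443>
    ServerName www.mysite.com
    SSLEngine on
    # Placeholder paths: substitute the real certificate and key.
    SSLCertificateFile    /etc/apache/ssl/www.mysite.com.crt
    SSLCertificateKeyFile /etc/apache/ssl/www.mysite.com.key
    RewriteEngine On
    # Proxy everything requested over HTTPS, advertising https:443 to Zope so
    # links rendered inside /private keep the user on the encrypted side.
    RewriteRule ^/(.*)$ http://127.0.0.1:8080/VirtualHostBase/https/www.mysite.com:443/VirtualHostRoot/$1 [P,L]
</VirtualHost>
```

A browser that cached Basic credentials for the HTTP realm before this change will still send them with its first plain request to /private, which the redirect cannot undo, so the Zope realm name or the user passwords should be changed when the switch is made. The proxy hop from Apache to ZServer is unencrypted, which is only acceptable because it stays on the loopback interface.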