[Zope] Digest Auth or SSL?

Jens Vagelpohl jens@zope.com
Thu, 20 Jun 2002 20:59:38 -0400


Since you already use Apache, a set of clever rewrite rules in your Apache 
configuration would be able to pick up on and redirect accesses to the 
restricted areas to ensure they go over https.

jens


On Thursday, June 20, 2002, at 04:33 , Paul Horbal wrote:

>
> Hi everyone,
>
> I'm wondering what experiences people have had trying to implement digest 
> authentication or SSL on their Zope sites.
>
> Here's my situation:
>
> I have ZServer proxied by Apache.  Areas of our site are 
> password-protected and require a valid user.  Unfortunately, this 
> authentication is Basic and cleartext usernames/passwords are sent.  
> Obviously less than ideal.  At present, acceptable, since our website user 
> database is independent from our actual user accounts for the lab in which 
> we work.  Some day, I would like to get Zope to use LDAP for user 
> authentication - but there is no way that could happen unless 
> authentication for the website was seriously secure.  There is some 
> third-party IP in our lab and NDAs aside, they generally don't like to 
> find gaping security holes in our system.
>
> I understand Digest has some definite shortcomings and to my knowledge, 
> isn't even implemented in Zope.  But with HTTPS, I have another problem.  
> Specifically, not all of the site is password-protected.  I don't want 
> every visitor using HTTPS to browse the site.  I only want secure 
> authentication for password-protected areas of the site.  So when a user 
> goes to www.mysite.com/private, he will be authenticated securely.
>
> Any suggestions or pointers would be much appreciated...
>
> thanks
> Paul.
>
> --
> horbal@atips.ca
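
The rewrite-rule approach suggested in the reply, sketched as an added example that is not part of the original thread. Assumed here: the protected area is /private on www.mysite.com (as in the question), ZServer listens on 127.0.0.1:8080, the certificate paths are placeholders, and mod_rewrite, mod_proxy and mod_ssl are loaded.

```apache
# Added example; the backend address and file paths are assumptions.

# Plain-HTTP virtual host: serves the public pages only.
<VirtualHost *:80>
    ServerName www.mysite.com
    RewriteEngine On

    # Redirect anything under the protected area to HTTPS *before* it is
    # proxied. Zope then never sees the request over cleartext, so it never
    # issues a Basic auth challenge that the browser would answer in the
    # clear.
    RewriteRule ^/private(/.*)?$ https://www.mysite.com/private$1 [R=301,L]

    # Everything else goes to ZServer (stand-in for the existing proxy rule).
    RewriteRule ^/(.*)$ http://127.0.0.1:8080/$1 [P,L]
</VirtualHost>

# HTTPS virtual host: the only place /private is ever proxied to Zope.
<VirtualHost *:443>
    ServerName www.mysite.com

    SSLEngine On
    # Placeholder paths; substitute the site's own certificate and key.
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    RewriteEngine On
    RewriteRule ^/(.*)$ http://127.0.0.1:8080/$1 [P,L]
</VirtualHost>
```

The redirect only matches the literal /private prefix. Because Zope can resolve the same folder through other URL paths via acquisition (for example /somefolder/private), check that no such path reaches the protected objects over the port-80 host, or widen the pattern accordingly.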