[Zope] Authentication with cookies instead of browser.

Thomas Engel tengel@ucdavis.edu
Thu, 24 Oct 2002 14:08:39 -0700


Help please!

I'm building a comprehensive education resource based on Zope for my 
school, and I'm trying to learn Zope internals.

We are running Apache 2.0.43 with mod-Perl 5.8.0 and Zope 2.5.1, 
currently on the same machine. Apache serves some content and uses 
virtual host and proxy for content in Zope with a VirtualHostMonster.

Authentication of protected resources works like this: when a request 
for a protected resource is received, Apache calls a Perl script to 
check a special cookie from the user's browser. The cookie has the 
user name and a hash of several values. If the cookie is absent or 
invalid, the user is directed to a secure campus server which asks 
for the user name and password, authenticates it against a Kerberos 
system, places the cookie and redirects the user back to our site. At 
that point the Perl script finds a valid cookie and allows access.

All of this works perfectly! I can get the cookie in the REQUEST 
object in Zope.

I can populate Zope with users. I would like to use Zope's built-in 
role mechanism for permissions.

How can I make Zope get the user name from the cookie instead of from 
the user's browser?

I am happy to subclass existing Python code to make this happen.

I assume that Zope sends a WWW-Authenticate response header to the 
user's browser, but I have not yet been able to find the class that 
does this, and I have not found this question asked before on the 
lists.

Any knowledge or advice is greatly appreciated.

Thanks in advance,

Tom Engel
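
An added example, not part of the original post: a sketch of the check that Zope-side code would repeat before trusting the user name in the cookie, so that a request reaching Zope without passing Apache's Perl check is not accepted on the cookie's word alone. The cookie layout (user|issued|HMAC-SHA256 over user name, issue time and client IP), the shared secret, the lifetime and all function names are assumptions; the post does not give the real format.

```python
import hashlib
import hmac

# Constructed values for illustration; the real campus cookie format and key
# are not given in the post.
SECRET = b"constructed-shared-secret"
MAX_AGE = 8 * 3600  # assumed cookie lifetime in seconds


def make_cookie(user, issued, client_ip, secret=SECRET):
    """Build 'user|issued|mac' as the (assumed) campus login server would."""
    msg = f"{user}|{issued}|{client_ip}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{user}|{issued}|{mac}"


def user_from_cookie(cookie, client_ip, now, secret=SECRET):
    """Return the user name only if the keyed hash and age check out, else None."""
    parts = (cookie or "").split("|")
    if len(parts) != 3:
        return None
    user, issued, mac = parts
    if not user or not (issued.isascii() and issued.isdigit()):
        return None
    # Recompute the hash over the same values the issuer covered.
    msg = f"{user}|{issued}|{client_ip}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    # Reject cookies from the future and cookies older than the lifetime.
    if not 0 <= now - int(issued) <= MAX_AGE:
        return None
    return user


if __name__ == "__main__":
    good = make_cookie("tengel", 1035493719, "192.0.2.10")
    forged = "admin|" + good.split("|", 1)[1]  # user name swapped, hash kept
    print(user_from_cookie(good, "192.0.2.10", 1035493800))    # tengel
    print(user_from_cookie(forged, "192.0.2.10", 1035493800))  # None
```

Only a name returned by a check like this should be mapped to a Zope user and its roles; a cookie that merely carries a user name is client-controlled input.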