[Zope] Users question
Tiller, Michael (M.M.)
mtiller@ford.com
Thu, 5 Jun 2003 15:21:23 -0400
I'm hoping to set up a Zope (Plone) site on our corporate intranet. We have an existing system by which we validate users based on a corporate user database. The way things usually work is that the web servers themselves make sure that users are validated before they can access content. In summary, the web servers act as a gatekeeper.
There are two issues here. The first is authentication. I'm not that concerned about the authentication at the moment. I'm going to assume, for the moment, that Zope will operate behind one of these web servers. The other issue is handling the users once they are authenticated. I'd like to know if something like the following scenario is possible:
1) The web server gets a request for something on my site.
2) The web server first requests authentication (the Zope site hasn't even been accessed at this point).
3) Authentication is successful and the request is passed on to my Zope site (e.g. as a CGI request).
At this point, Zope can find out who the user is (i.e. their identification/username) since it is encoded in a cookie (I guess). Is it possible to set up a user policy as follows:
Anyone who has successfully passed the authentication stage is treated as an anonymous user
...unless...
Their username (as conveyed by the web server authentication process) matches a valid user on the Zope system in which case Zope treats them as that user.
The key elements to making this seamless are:
1) Once authenticated, the user is not prompted (by the Zope site) for their username or password.
2) If a user wants to "join" the Zope site, they shouldn't have to supply a password for authentication. It should be sufficient that they have already been authenticated. Just asking to join should make them a Zope user.
Now, I'm wondering what are the essential elements of implementing such a scheme?
I'm relatively new to Zope so please speak slowly and feel free to include pedantic details. :-)
Thanks.
--
Mike
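
An added sketch of the policy asked about above (not part of the original message, and not Zope's own API). It assumes the gatekeeper forwards requests from a known address and passes the authenticated username alongside the request; `SiteUsers`, the `peer_addr` and `asserted_user` keys, and the address are hypothetical. The asserted username is honoured only when the request arrived through the gatekeeper, since anything else would let a client that reaches Zope directly name itself.

```python
from ipaddress import ip_address, ip_network

# Assumption: only the gatekeeper web server forwards requests to Zope.
TRUSTED_GATEKEEPERS = [ip_network("10.0.0.5/32")]  # constructed address
ANONYMOUS = "Anonymous User"


class SiteUsers:
    """Hypothetical stand-in for the site's own user database."""

    def __init__(self, members=()):
        self._members = set(members)

    def __contains__(self, name):
        return name in self._members

    def join(self, name):
        self._members.add(name)


def asserted_username(request):
    """Return the gatekeeper-asserted username, or None if it cannot be trusted."""
    try:
        peer = ip_address(request.get("peer_addr", ""))
    except ValueError:
        return None
    if not any(peer in net for net in TRUSTED_GATEKEEPERS):
        return None  # request bypassed the gatekeeper: ignore any identity claim
    name = request.get("asserted_user", "").strip()
    return name or None


def resolve_user(request, users):
    """Known site user if the asserted name matches one, otherwise anonymous."""
    name = asserted_username(request)
    return name if name is not None and name in users else ANONYMOUS


def join_site(request, users):
    """Register the already-authenticated user without asking for a password."""
    name = asserted_username(request)
    if name is None:
        return False
    users.join(name)
    return True
```
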