[Zope] Security doubt

Vladimir Petrovic vladap@criticalpublics.com
Sat, 7 Jun 2003 18:58:24 +0300


> > There is also a possibility of filtering authentication field when HTTP
> > request passes through reverse proxy.
> >
> > I think that Apache doesn't support this, but using rewrite rule it is
> > possible to return unauthorized or forbidden if request contains
> > authentication header. This shouldn't be a problem (if this level of
> > security is really required) since browsers shouldn't send this header
> > anyway if they haven't received unauthorized response and user has
> > entered username/password.
>
> Uhm, but at that moment it's too late, because the username and the
> password have already traveled the wire in clear text, isn't it?
>
> cheers,
> oliver
>

True, however a combination with the previous method can lead to a rather 
secure setup. Apache can be configured to have two virtual hosts: 
www.site.com and https://manage.site.com. Public one disables access to 
/manage and /manage_main methods and filters/blocks authentication headers.
So: 

a) Ordinary management users will never send password in clear text since 
access to /manage and /manage_main is blocked, so they are not going to be 
asked to do so (they are not going to use the POST method or something similar 
that we expect of the "evil" user).

b) Even if "evil" user manages to obtain the username/password he wouldn't be 
able to do anything through the public site.

And manage site can implement its own restrictions (on source IP or 
certificate) in the apache config. 

Vladimir
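The two-virtual-host layout described in the message above, written out as an added Apache 2.4 configuration (it is not from the thread or from Zope): the public host refuses any request carrying an Authorization header and any ZMI path, while the management host is HTTPS-only and limited by source address and client certificate. Hostnames, the Zope backend address (localhost:8080), the admin IP range and the certificate paths are assumptions, and the manage_* pattern goes beyond the two paths named in the message to cover Zope's other manage_* views.

```apache
# Requires mod_rewrite, mod_proxy, mod_proxy_http, mod_ssl and mod_authz_host.

# Public site: plain HTTP, no management access, no credentials accepted.
<VirtualHost *:80>
    ServerName www.site.com
    RewriteEngine On

    # Refuse any request that carries HTTP authentication at all, so a
    # browser never gets to send credentials to this host in the clear.
    RewriteCond %{HTTP:Authorization} .
    RewriteRule .* - [F,L]

    # Refuse the ZMI paths. The thread names /manage and /manage_main;
    # the optional suffix also covers Zope's other manage_* views.
    RewriteRule (^|/)manage(_[A-Za-z0-9]+)?(/|$) - [F,L]

    # Everything else is proxied to Zope through the Virtual Host Monster.
    RewriteRule ^/(.*)$ http://localhost:8080/VirtualHostBase/http/www.site.com:80/VirtualHostRoot/$1 [P,L]
</VirtualHost>

# Management site: HTTPS only, restricted to known client addresses and
# to holders of a client certificate issued by our own CA.
<VirtualHost *:443>
    ServerName manage.site.com
    SSLEngine on
    # Placeholder certificate paths.
    SSLCertificateFile    /etc/ssl/manage.site.com.crt
    SSLCertificateKeyFile /etc/ssl/manage.site.com.key

    # Client certificate check; remove these two lines if the IP
    # restriction below is considered sufficient.
    SSLVerifyClient require
    SSLCACertificateFile /etc/ssl/admin-ca.crt

    <Location "/">
        # Only the admin network (placeholder range) may reach the ZMI.
        Require ip 192.0.2.0/24
    </Location>

    RewriteEngine On
    RewriteRule ^/(.*)$ http://localhost:8080/VirtualHostBase/https/manage.site.com:443/VirtualHostRoot/$1 [P,L]
</VirtualHost>
```

Check the public host with a request that carries credentials (for example `curl -u user:pass http://www.site.com/`) and with `http://www.site.com/manage_main`; both should return 403 before anything reaches Zope.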