[Zope] owner/manager/root login protection
Dieter Maurer
dieter at handshake.de
Tue Sep 23 15:03:31 EDT 2003
Jake Latham wrote at 2003-9-23 09:32 -0600:
> ...
> So, we had two ideas: First, is it possible to limit access of certain
> accounts based on an IP address? We should only ever be logging in as
> admins from our internal machines, so any external non-us IP would be
> automatically rejected.
Zope allows you to restrict logins based on IP/domain information.
Note, however, that IP information can be forged without too
much difficulty (--> masquerading).
> Second, we had thought about setting up Zope & Apache to use SSL, but that
> seemed like a bit of overkill for a relatively simple desire.
>
> Should I just go the SSL route, or is there a more obvious solution we're
> overlooking to protecting our more privileged accounts?
"https" will slow your site down. If this is not a problem, go
this way.
I plan to implement a post-authentication-hook for Zope.
It will try to acquire an object "post_authentication_hook"
and call it, if successful. The object (e.g. a Python Script)
can then perform arbitrary checks, e.g. ensure that the
current request came via "https" or is not proxied via Apache
when the published object require a "Manager" role.
Up to now, it is just a plan; there is no time table yet...
Dieter
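The two points in this message, the IP-restriction caveat and the planned post-authentication hook, can be shown together in a small stand-alone model. What follows is an added illustration, not Dieter's planned hook and not Zope code: the request is a plain dict of CGI-style variables (REMOTE_ADDR, HTTP_X_FORWARDED_FOR, HTTPS), and the proxy address 10.0.0.2, the internal network 10.0.0.0/8 and the role set are assumptions chosen for the example. The interesting part is client_address: REMOTE_ADDR is the TCP peer and cannot be set by the client, but when the peer is our own Apache proxy it is the proxy's address, so only then is X-Forwarded-For consulted, and only its last element, the one the proxy appended.

```python
"""Post-authentication policy check, modelled on the hook described above.

Constructed example, not from the original post or from Zope: the request
is a plain dict of CGI-style variables; the network ranges, the trusted
proxy address and the role names are assumptions for illustration.
"""
import ipaddress

# Assumed deployment: Apache on 10.0.0.2 proxies to Zope; admins sit on 10/8.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
PRIVILEGED_ROLES = {"Manager", "Owner"}


def client_address(request):
    """Effective client address of a request.

    REMOTE_ADDR is the TCP peer and cannot be forged by the client, but if
    the peer is our own proxy it is the proxy's address, not the user's.
    Only in that case consult X-Forwarded-For, and only its last element,
    which is the one our proxy appended; anything before it is whatever
    the client chose to send and must not be trusted.
    """
    peer = ipaddress.ip_address(request["REMOTE_ADDR"])
    forwarded = request.get("HTTP_X_FORWARDED_FOR", "")
    if peer in TRUSTED_PROXIES and forwarded:
        return ipaddress.ip_address(forwarded.split(",")[-1].strip())
    return peer


def is_internal(addr):
    """True if addr lies inside one of the assumed internal networks."""
    return any(addr in net for net in INTERNAL_NETS)


def is_https(request):
    """True if the request arrived over TLS (CGI convention: HTTPS=on)."""
    return request.get("HTTPS", "").lower() == "on"


def post_authentication_hook(request, required_roles):
    """Return (allowed, reason) for an already-authenticated request.

    Unprivileged objects are left alone; objects that require a privileged
    role are served only over https and only to internal client addresses.
    """
    if not set(required_roles) & PRIVILEGED_ROLES:
        return True, "no privileged role required"
    if not is_https(request):
        return False, "privileged access requires https"
    addr = client_address(request)
    if not is_internal(addr):
        return False, "privileged access from %s refused" % addr
    return True, "ok"


if __name__ == "__main__":
    # Constructed requests: a direct external client forging X-Forwarded-For,
    # and the same header arriving through the trusted proxy.
    forged_direct = {"REMOTE_ADDR": "203.0.113.5",
                     "HTTP_X_FORWARDED_FOR": "10.1.2.3", "HTTPS": "on"}
    via_proxy = {"REMOTE_ADDR": "10.0.0.2",
                 "HTTP_X_FORWARDED_FOR": "10.1.2.3, 203.0.113.5", "HTTPS": "on"}
    print(post_authentication_hook(forged_direct, {"Manager"}))
    print(post_authentication_hook(via_proxy, {"Manager"}))
```

The forged header is ignored in both cases: from a direct external client because the peer is not the proxy, and through the proxy because the proxy's own appended entry, not the client-supplied one, is the one evaluated. A Manager request over plain http is refused before the address is even looked at, which is the ordering the message proposes.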