[Zope] Apache ProxyPass to Zope
Cliff Ford
Cliff.Ford at ed.ac.uk
Fri Oct 29 10:00:47 EDT 2004
I was shooting from the hip last night, having just come in from a 'good
night out'. I don't know if this would work, head being still a bit
fuzzy, but here is how I might approach the problem:
Users logged into Zope have a cookie called __aca (using exUserFolder
with secure cookies at least) so you might test for its existence to see
if the user is logged in (to avoid authentication for every page and
every graphic). If not, just call whatever function the Zope login page
calls, passing it the form variables __ac_name and __ac_password. If
that works then just call the original page with the returned __aca
cookie. With exUserFolder you can call any external authentication
method - just pass it the Username and Password and it should return
true or false. You should be able to call the Perl script mentioned.
I think Zope basic authentication uses something other than __aca so you
will need to figure out what to test for. Oh - and set the security
permissions in Zope so that authentication is required in case you get
it wrong and leave security holes.
Cliff
Tiller, Michael (M.M.) wrote:
> Russell,
>
> I sympathize. I am in a similar position (corporate intranet uses a
> proxy that authenticates before proxying). My solution so far has been
> to use Zope-2.6.2 in PCGI mode. This has left quite a bit to be desired
> (slow, seem to be some buffering issues that prevent download of large
> content). I've brought it up on this list before but everybody says
> the same thing that they are saying to you, i.e. "that's the wrong way
> to do it". Unfortunately, for me it is the only way I'm allowed to do
> it. I was quite optimistic that Plone might catch on here, but I can't
> even get my site to work 100% so people are quite hesitant to use it.
> Because I'm using PCGI I'm stuck with Zope-2.6.2 so not only does the
> site not work 100%, I can't even run new versions of anything.
>
> You might look at some of the customizable authentication products.
> I've looked at some of them and while several claim great flexibility
> through custom plug-ins, I couldn't really understand how to accomplish
> what I needed to do.
>
> If you find a solution, let me know.
>
> --
> Mike
>
>
>>-----Original Message-----
>>From: zope-bounces at zope.org [mailto:zope-bounces at zope.org] On Behalf Of
>>Russell Seymour
>>Sent: Friday, October 29, 2004 6:17 AM
>>To: Cliff.Ford at ed.ac.uk
>>Cc: zope at zope.org
>>Subject: Re: [Zope] Apache ProxyPass to Zope
>>
>>Thanks for the suggestions Cliff, the thing is that I need Apache to
>>take care of the authentication.
>>
>>This is because I am setting up a Zope application within an existing
>>Virtual Host which already has the authentication setup on it. This is
>>done using a Perl script which communicates with a Windows 2003 AD. I
>>want to keep it this way so that it is easy to understand where the
>>authentication is taking place and is only in one place.
>>
>>Is it not possible to do what I want to do at all?
>>
>>Thanks, Russell
>>
>>Cliff Ford wrote:
>>
>>
>>>I guess I would put it a bit stronger than Tino: don't waste your time
>>>trying to authenticate with Apache. Just pass the request through
>>>Apache to Zope and do the authentication there. In my site, one of the
>>>things that Apache does is switch to secure mode (https) for login. It
>>>is Zope that needs to authenticate by changing its AUTHENTICATED_USER
>>>from Anonymous to something else.
>>>
>>>Cliff
>>>
>>>Russell Seymour wrote:
>>>
>>>
>>>>Good evening list,
>>>>
>>>>I have been trying to get the REMOTE_USER variable to be seen by
>>>>Zope. I have almost got there by using various articles on the
>>>>Internet, but I need a little bit of help to get the last bit working.
>>>>I have got Apache performing the authentication and this works well
>>>>as I get the Zope page when I enter a valid username and password. I
>>>>have noticed that the Z2 log file for my Zope instances contains the
>>>>username that I have used to access the site, but I cannot get Zope
>>>>itself to see the username - this is the most confusing bit for me as
>>>>it surely means that the username is being passed to Zope.
>>>>
>>>>The following is a snippet from my Apache:
>>>>
>>>><Location /zope>
>>>> AuthName "Zope Access"
>>>> AuthType Basic
>>>>
>>>> <AUTHENTICATION ROUTINES>
>>>> require valid-user
>>>>
>>>> ProxyPass http://x.x.x.x:8080/zope
>>>>
>>>></Location>
>>>>
>>>>ProxyPassReverse /zope http://x.x.x.x:8080/zope
>>>>
>>>>This all works brilliantly apart from the fact that I cannot get the
>>>>username in Zope. I need this so I can do some custom authorisation
>>>>to a database that my Zope application accesses.
>>>>
>>>>I have tried many different variations using RewriteRule and trying
>>>>to set the environment variables but to no avail.
>>>>
>>>>Thanks to anyone that can give me some pointers.
>>>>
>>>>Russell
>>>>_______________________________________________
>>>>Zope maillist - Zope at zope.org
>>>>http://mail.zope.org/mailman/listinfo/zope
>>>>** No cross posts or HTML encoding! **
>>>>(Related lists -
>>>> http://mail.zope.org/mailman/listinfo/zope-announce
>>>> http://mail.zope.org/mailman/listinfo/zope-dev )
>>>
>
>
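
An added example, not part of the original thread and not Zope or exUserFolder code: a backend-side check for the setup discussed above, where the front-end proxy authenticates and the application only needs the resulting username. It assumes the proxy copies the authenticated user into a request header (the name `X-Remote-User`, the trusted address and the function name are hypothetical) and that the backend sees a CGI-style environment mapping.

```python
import ipaddress

# Assumptions (not from the thread): the proxy overwrites any client-sent
# X-Remote-User header with the user it authenticated, and the backend
# receives it CGI-style as HTTP_X_REMOTE_USER.
USER_HEADER = "HTTP_X_REMOTE_USER"
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]  # constructed value


def proxied_user(environ, trusted=TRUSTED_PROXIES):
    """Return the proxy-authenticated username, or None if it cannot be trusted."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return None
    # Anyone who can reach the backend port directly could send the header
    # themselves, so only the proxy's own address may vouch for a user.
    if not any(peer in net for net in trusted):
        return None
    user = environ.get(USER_HEADER, "").strip()
    # Assumed proxy behaviour: an unset user may arrive as the literal
    # "(null)"; treat that, and an empty value, as anonymous.
    if not user or user == "(null)":
        return None
    # Refuse control characters so the value is safe to log or compare.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in user):
        return None
    return user


if __name__ == "__main__":
    # Constructed sample requests.
    via_proxy = {"REMOTE_ADDR": "127.0.0.1", "HTTP_X_REMOTE_USER": "rseymour"}
    direct = {"REMOTE_ADDR": "192.0.2.10", "HTTP_X_REMOTE_USER": "rseymour"}
    print(proxied_user(via_proxy))  # username vouched for by the proxy
    print(proxied_user(direct))     # header ignored: not from the proxy
```

Anything that returns None here should be treated as Anonymous, so a request that bypasses the proxy still hits the backend's own access controls.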