[Zope] ZMI access using URL other than manage
David Pratt
fairwinds at eastlink.ca
Fri Mar 25 08:19:53 EST 2005
Yes, this is a good approach; however, I am concerned about management
from locations that may not have a static IP (if the IP changes, then you
are hooped). I am also looking for a way that this might not be tied
to where someone might be located. I don't know if there is a solution
that could involve a rewrite rule to manage and having a specific URL
(other than manage) for logging in that is only known to the manager.
I guess the other thing I ought to be considering is another rule to
prevent usernames and passwords from being passed in the URL as well. I am sure
someone has probably done this as well.
Regards,
David
On Friday, March 25, 2005, at 08:48 AM, Lennart Regebro wrote:
> On Fri, 25 Mar 2005 08:30:05 -0400, David Pratt
> <fairwinds at eastlink.ca> wrote:
>> Hi. I am working on a financial product and it appears to me that the
>> /manage login for Zope could be a potential problem if you are running
>> Zope, since your server is easily guessed and one can go to this URL
>> and try passwords. Can someone suggest an alternative to this or some
>> modification to Zope that might make this less obvious. The best I can
>> think of would be to do a rewrite on the /manage URL, but I still need
>> manager access to the ZMI through the web. I plan on forcing SSL through
>> Apache when making a connection on whatever URL is used to log in. Any
>> ideas?
>
> You can set up Apache so it only allows access to "manage*" from
> certain addresses, like your internal net and stuff. I don't have the
> examples at close hand, sorry.
> --
> Lennart Regebro, Nuxeo http://www.nuxeo.com/
> CPS Content Management http://www.cps-project.org/
>
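The three ideas raised in this exchange (Lennart's address-based restriction on manage*, David's wish for a login URL that is not tied to a fixed IP, and a rule that refuses credentials passed in the URL), worked out as one Apache 2.x front-end configuration. This is an added example and is not configuration posted by either participant or shipped with Zope. The host name, certificate paths, the admin network 192.168.1.0/24, the "knock" path /zmi-knock-7f3a, the cookie name zmi_knock, and Zope listening on localhost:8080 are all assumptions; the VirtualHostBase/VirtualHostRoot URL form is Zope's own VirtualHostMonster convention, and __ac_name/__ac_password are the field names of Zope's cookie-based login form.

```apache
# Added example (not from the thread or from Zope): Apache 2.x in front of
# Zope, which is assumed to listen on localhost:8080. Host name, network,
# secret path, cookie name and certificate paths are assumptions.

# 1. Force SSL: anything arriving on port 80 is redirected to https.
<VirtualHost *:80>
    ServerName www.example.com
    RewriteEngine On
    RewriteRule ^/(.*)$ https://www.example.com/$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine On
    SSLCertificateFile    /etc/apache2/ssl/www.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/www.example.com.key

    RewriteEngine On

    # 2. Refuse credentials in the query string. Zope's cookie login form
    #    fields are __ac_name / __ac_password; refusing them in a URL keeps
    #    passwords out of access logs, proxy logs and Referer headers.
    #    HTTP Basic-auth credentials (what the ZMI normally uses) travel in
    #    the Authorization header, not the URL, so this rule does not
    #    touch them; they are protected by the SSL layer above.
    RewriteCond %{QUERY_STRING} (^|&)__ac_(name|password)= [NC]
    RewriteRule .* - [F,L]

    # 3. A login URL known only to the manager, independent of the
    #    client's IP. Visiting the assumed path /zmi-knock-7f3a sets a
    #    session cookie (CO flag: name:value:domain:lifetime:path:secure)
    #    and redirects the browser into the ZMI. Requests for manage* URLs
    #    are then allowed only if that cookie is present OR the client is
    #    on the assumed admin LAN (Lennart's address-based rule). This is
    #    obscurity layered on top of Zope's own authentication, not a
    #    replacement for it: a guessed or leaked knock path only brings an
    #    attacker back to the ZMI password prompt.
    RewriteRule ^/zmi-knock-7f3a$ /manage_main [R=302,L,CO=zmi_knock:1:www.example.com:0:/:secure]

    RewriteCond %{HTTP_COOKIE} !(^|;\s*)zmi_knock=1 [NC]
    RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.
    RewriteRule (^|/)manage(_[A-Za-z0-9_]*)?(/|$) - [F,L]

    # 4. Everything else goes to Zope through the VirtualHostMonster, so
    #    that URLs Zope generates (including the ZMI's own manage_* links)
    #    point back at this https host and pass through the rules above.
    RewriteRule ^/(.*)$ http://localhost:8080/VirtualHostBase/https/www.example.com:443/VirtualHostRoot/$1 [L,P]
</VirtualHost>
```

Two caveats a practitioner would want. The knock path is a shared secret that will land in browser history and in the server's own access log, so treat it like a password: choose a long random value and rotate it. And the manage* pattern only covers URLs that start with "manage"; Zope exposes management functionality under other names as well (add-form methods, property sheets, and so on), so this rule narrows the obvious target rather than fencing off the ZMI completely. The real protections remain SSL, strong Manager passwords, and the access-log monitoring that the [F] responses make easy to spot.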