[Zope] Question about Zope and security

Dieter Maurer dieter at handshake.de
Sat Apr 1 04:15:05 EST 2006


Cyrille Bonnet wrote at 2006-3-30 14:43 +1200:
> ...
>I did find Dieter Mauer's DigestAuth product: 
>http://www.dieter.handshake.de/pyprojects/zope/#DigestAuth
>
>It looks good. I have used other products from Dieter before and was very 
>pleased with the quality of his code.
>
>Now, have other people used it? Does it work with WebDAV?

It should work with WebDAV, provided the WebDAV client supports
HTTP Digest Authentication.

>How secure is 
>it (I am no security/encryption expert)?

The corresponding RFC (RFC 2617) explains in detail how
secure the basic mechanism is.

My "DigestAuth DigestAuthCrumber" adds a bit of insecurity:

  *  the passwords must be stored (inside Zope (!) not in the request)
     in plain text.

     This could be improved a bit, either by

       - using two way encryption -- but Zope must be able to get
         the plain text password back.

       - fixing the domain and storing the "MD5" hash
         of username, password and domain instead of the
         plain text password.

         Other authentication schemes would then need to
         be changed -- to use the same "MD5" hash.

>Also, if it is good, why is it not part of default Zope??

There are two sides of an answer: the Zope developers/maintainers side
and my side.

Adding even a good package to the core means a (rather) long term
commitment to support and maintain this package. When you
follow "comp.lang.python" (or the corresponding mailing list),
you see how reluctant the Python developers are to include
additional packages into the Python core -- to avoid these
responsibilities. The Zope maintainers are even stricter: they
look at what they can get rid of rather than what they can include...

On my side: developing for the Zope core imposes much more overhead
than developing independently: I would have to make a proposal,
follow (partially stupid) style guides, add more tests (than
necessary to convince me that the quality is sufficient)...
Thus, I am reluctant to develop for the Zope core.

-- 
Dieter
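The second improvement sketched in the message above (fix the realm and store MD5(username:realm:password), the "HA1" value of RFC 2617, instead of the plain text password) can be shown end to end. The following is an added illustration, not code from the DigestAuth product or from Zope: the realm name, user names, passwords and nonce values are constructed for the example, and the server side deliberately keeps only HA1. It also shows why the realm has to be fixed: a response computed for any other realm no longer verifies, and any other authentication scheme for the same users would have to compute the identical hash.

```python
import hashlib
import secrets

# Constructed realm for this example. Binding HA1 to a fixed realm is what
# lets the server keep MD5(username:realm:password) instead of the password.
REALM = "zope-example-realm"


def md5_hex(text: str) -> str:
    """MD5 hex digest; RFC 2617 mandates MD5 for this scheme."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); the only secret the server keeps."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 response for qop=auth, computed from HA1, not the password."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class Ha1Store:
    """Server-side credential store holding HA1 only, never the password."""

    def __init__(self, realm: str) -> None:
        self.realm = realm
        self._ha1: dict[str, str] = {}

    def add_user(self, username: str, password: str) -> None:
        # The password is hashed at enrolment and then discarded.
        self._ha1[username] = make_ha1(username, self.realm, password)

    def stored_values(self) -> list[str]:
        return list(self._ha1.values())

    def verify(self, username: str, method: str, uri: str, nonce: str,
               nc: str, cnonce: str, response: str) -> bool:
        # A real server must also check that the nonce is one it issued
        # recently and that nc has not been replayed; omitted here.
        ha1 = self._ha1.get(username)
        if ha1 is None:
            return False
        expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
        return secrets.compare_digest(expected, response)


def client_response(username, password, realm, method, uri, nonce, nc, cnonce):
    """What a WebDAV or HTTP client computes from the password it knows."""
    return digest_response(make_ha1(username, realm, password),
                           method, uri, nonce, nc, cnonce)


def demo() -> dict:
    store = Ha1Store(REALM)
    store.add_user("alice", "correct horse battery")
    # Constructed challenge parameters for one request.
    nonce, nc, cnonce = "c0ffee1234nonce", "00000001", "0a4f113b"
    args = ("PROPFIND", "/docs/", nonce, nc, cnonce)
    good = client_response("alice", "correct horse battery", REALM, *args)
    wrong_pw = client_response("alice", "wrong password", REALM, *args)
    # Same password presented under another realm must fail as well.
    other_realm = client_response("alice", "correct horse battery",
                                  "other-realm", *args)
    return {
        "good": store.verify("alice", *args, good),
        "wrong_password": store.verify("alice", *args, wrong_pw),
        "other_realm": store.verify("alice", *args, other_realm),
        "unknown_user": store.verify("bob", *args, good),
        "plaintext_stored": "correct horse battery" in store.stored_values(),
    }


if __name__ == "__main__":
    print(demo())
```

The store never sees the password again after `add_user`, which removes the plain text storage the message flags; what remains is that HA1 itself is a password-equivalent for this realm, so it still needs the same protection on disk as the password would.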