[Zope] single sign-on

Luca Olivetti luca at wetron.es
Fri Apr 7 09:18:39 EDT 2006


Luca Olivetti wrote:

> At this point zope should see an additional header REMOTE_USER (with the 
> consequent security risk: you should make sure that nobody can directly 
> access zope otherwise they can fake this header and pose as any user) 
> which is available in request.environ as HTTP_REMOTE_USER.
> 
> Then it's just a matter of using PAS with the SharkbyteSSOPlugin 
> (http://dev.plone.org/collective/browser/SharkbyteSSOPlugin) configured 
> to use HTTP_REMOTE_USER.
> 
> I'd suggest to change
> 
>    userid = request.get(self.uservar)
> 
> to
> 
>    userid = request.environ.get(self.uservar)
> 
> for a little more security - not that this setup seems really secure to 
> me anyway, but I'm not a security expert ;-)

Ok, useless suggestion, since the Zope request does "the right thing":
1) it will search in the environment before searching in the form, and
2) it'll strip any form variable that starts with 'HTTP_'

Bye

-- 
Luca Olivetti
Wetron Automatización S.A. http://www.wetron.es/
Tel. +34 93 5883004      Fax +34 93 5883007
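An added illustration of the two behaviours Luca describes (environment searched before the form, and form variables beginning with `HTTP_` discarded) and of the environment-only lookup suggested in the quoted mail. This is example code written for this page, not code from the thread, from Zope or from SharkbyteSSOPlugin; `FakeRequest` is a constructed stand-in for a Zope-style request and `extract_sso_userid` is a hypothetical helper, not the plugin's own method.

```python
HEADER_PREFIX = "HTTP_"


class FakeRequest:
    """Constructed stand-in, NOT Zope's HTTPRequest. `environ` holds the
    CGI-style variables the front-end proxy set; `form` holds what the
    client submitted in the query string or POST body."""

    def __init__(self, environ, raw_form):
        self.environ = dict(environ)
        # Zope-like hardening: a client must not be able to smuggle a value
        # that looks like a server-set header through the form.
        self.form = {k: v for k, v in raw_form.items()
                     if not k.startswith(HEADER_PREFIX)}

    def get(self, key, default=None):
        # Environment wins over form data, mirroring the lookup order in the mail.
        if key in self.environ:
            return self.environ[key]
        return self.form.get(key, default)


def extract_sso_userid(request, uservar="HTTP_REMOTE_USER"):
    """Hypothetical extraction helper: read the user id only from the
    environment, as the quoted `request.environ.get(self.uservar)` does.
    Returns None when the proxy set no REMOTE_USER header."""
    return request.environ.get(uservar)


def demo():
    # Constructed sample: proxy authenticated 'alice'; the client also tries
    # to pass HTTP_REMOTE_USER=admin as a form variable.
    via_proxy = FakeRequest({"HTTP_REMOTE_USER": "alice"},
                            {"HTTP_REMOTE_USER": "admin", "page": "1"})
    # Constructed sample: request through the proxy with no authenticated
    # user; the form variable is dropped, so nothing is trusted.
    anonymous = FakeRequest({}, {"HTTP_REMOTE_USER": "admin"})
    # Constructed sample: request that reached Zope directly, bypassing the
    # proxy, with a forged header. It lands in environ, so neither lookup
    # helps; this is the "nobody can directly access zope" risk in the mail.
    forged = FakeRequest({"HTTP_REMOTE_USER": "admin"}, {})
    return {
        "proxy_get": via_proxy.get("HTTP_REMOTE_USER"),
        "proxy_environ": extract_sso_userid(via_proxy),
        "form_keys": sorted(via_proxy.form),
        "anonymous_get": anonymous.get("HTTP_REMOTE_USER"),
        "anonymous_environ": extract_sso_userid(anonymous),
        "forged_environ": extract_sso_userid(forged),
    }


if __name__ == "__main__":
    print(demo())
```

The `forged` case shows why the lookup order only covers form smuggling: a header arriving on a connection that bypassed the proxy is indistinguishable from a genuine one, so direct access to Zope has to be blocked at the network level.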

