[Zope] single sign-on
Luca Olivetti
luca at wetron.es
Fri Apr 7 09:18:39 EDT 2006
Luca Olivetti wrote:
> At this point zope should see an additional header REMOTE_USER (with the
> consequent security risk: you should make sure that nobody can directly
> access zope otherwise they can fake this header and pose as any user)
> which is available in request.environ as HTTP_REMOTE_USER.
>
> Then it's just a matter of using PAS with the SharkbyteSSOPlugin
> (http://dev.plone.org/collective/browser/SharkbyteSSOPlugin) configured
> to use HTTP_REMOTE_USER.
>
> I'd suggest changing
>
> userid = request.get(self.uservar)
>
> to
>
> userid = request.environ.get(self.uservar)
>
> for a little more security - not that this setup seems really secure to
> me anyway, but I'm not a security expert ;-)
Ok, useless suggestion, since Zope request does "the right thing":
1) it will search in the environment before searching in the form and
2) it'll strip any form variable that starts with 'HTTP_'
Bye
--
Luca Olivetti
Wetron Automatización S.A. http://www.wetron.es/
Tel. +34 93 5883004 Fax +34 93 5883007
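The two points raised in this thread, as an added example that is not part of the original mail, of Zope, or of SharkbyteSSOPlugin: a small WSGI-style model of (a) why the REMOTE_USER header set by a front-end is only trustworthy when nobody can reach Zope directly, handled here by honouring HTTP_REMOTE_USER only when the request's REMOTE_ADDR is a trusted proxy, and (b) the Zope request lookup order described above, where the environment is consulted before form data and form fields whose names begin with HTTP_ are discarded. The names TRUSTED_PROXIES, trusted_sso_environ, parse_form, lookup and sso_userid are this example's own, and the environ dictionaries are constructed sample requests.

```python
# Added example, not code from the thread, Zope or SharkbyteSSOPlugin.
# Models two points from the mail:
#  1. HTTP_REMOTE_USER is only meaningful if the front-end (not the client)
#     set it, so keep it only when the peer is the trusted proxy.
#  2. Zope resolves names from the environment before the form and strips
#     form fields starting with 'HTTP_', so a form field cannot shadow
#     the header the front-end injected.
from urllib.parse import parse_qs

# Assumed/constructed: address(es) the SSO front-end connects from.
TRUSTED_PROXIES = {"127.0.0.1"}


def trusted_sso_environ(environ):
    """Return a copy of environ in which HTTP_REMOTE_USER survives only if
    the request arrived from a trusted proxy; otherwise it is dropped, so a
    client talking to the backend directly cannot pose as another user."""
    env = dict(environ)
    if env.get("REMOTE_ADDR") not in TRUSTED_PROXIES:
        env.pop("HTTP_REMOTE_USER", None)
    return env


def parse_form(environ):
    """Parse QUERY_STRING into a flat dict, discarding any field whose name
    begins with 'HTTP_' (models the stripping described in the mail)."""
    raw = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
    return {k: v[0] for k, v in raw.items() if not k.startswith("HTTP_")}


def lookup(environ, name):
    """Zope-like resolution order: environment first, then form data.
    Returns None when the name is present in neither."""
    if name in environ:
        return environ[name]
    return parse_form(environ).get(name)


def sso_userid(environ, uservar="HTTP_REMOTE_USER"):
    """The user id an SSO plugin configured for `uservar` would obtain."""
    return lookup(trusted_sso_environ(environ), uservar)


if __name__ == "__main__":
    # Constructed sample requests (WSGI-style environ dictionaries).
    samples = {
        "via proxy, header set by front-end":
            {"REMOTE_ADDR": "127.0.0.1", "HTTP_REMOTE_USER": "alice",
             "QUERY_STRING": ""},
        "direct connection, header supplied by client":
            {"REMOTE_ADDR": "10.0.0.5", "HTTP_REMOTE_USER": "admin",
             "QUERY_STRING": ""},
        "via proxy, no header, form field tries to shadow it":
            {"REMOTE_ADDR": "127.0.0.1",
             "QUERY_STRING": "HTTP_REMOTE_USER=admin"},
        "via proxy, header present, form field tries to shadow it":
            {"REMOTE_ADDR": "127.0.0.1", "HTTP_REMOTE_USER": "alice",
             "QUERY_STRING": "HTTP_REMOTE_USER=admin"},
    }
    for label, env in samples.items():
        print(f"{label}: userid={sso_userid(env)!r}")
```

Only the first and last sample yield a user id, and in both it is the value the front-end injected; the direct connection and the form-only attempt resolve to no user at all, which is the behaviour the thread concludes Zope already provides once the backend is reachable solely through the front-end.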