[Zope] Re: major problems placing authentication on an extranet site-security flaw?

michael nt milne michael.milne at gmail.com
Sat Feb 11 11:09:49 EST 2006


Hi Phil

I've implemented what's outlined in the make private site documentation and
it works fine on Plone 2.1.1. No content is available apart from the
site-map page (doesn't list content) and the contact form but I can figure
that out separately.

Yes I think I like the HTML login page way to authenticate. It feels more
usable. And I don't think I'll use an Apache login box at all. Most users
will find it hard remembering one password and with cookie authentication
over SSL you can go straight into the site. Brilliant.

I'm revisiting some of the points made in this thread though about security.
It does seem that Zope and Plone as you say, are at odds on this.

Thanks a lot for your help and words of advice. I still seem to have an issue
where editing a page in IE over SSL produces a 'can't find server' but it's
a browser issue as this works fine on the latest Firefox.

Michael


On 2/11/06, Philip Kilner <phil at xfr.co.uk> wrote:
>
> Hi Michael,
>
> michael nt milne wrote:
> > Yes I found that as well but picked it up from the Google cache.
> > Strange that it is available there as it's password protected.
> > Possibly it was public before?
> >
>
> Yes, it was public before.
>
> Have you tried this, and does it solve your problems?
>
> JCC is spot on when he points to workflow as being the basis of security
> in Plone - it's also worth saying that the Zope system and the Plone
> system are pretty much at odds with one another. You are more likely to
> make mistakes at the Zope level than to do what you intend.
>
> (If you try the "howto", don't overlook that last step - hitting the
> "update security settings" button. Managed to overlook this myself
> recently (despite it being the umpteenth time I've followed this howto),
> and spent hours thinking that something more exotic was going on!)
>
> Let us know how you get on...
>
>
> --
>
> Regards,
>
> PhilK
>
> Email: phil at xfr.co.uk
> PGP Public key: http://www.xfr.co.uk
> Voicemail & Facsimile: 07092 070518
>
> "You'll find that one part's sweet and one part's tart:
> say where the sweetness and the sourness start."
> - Tony Harrison
>



--
Michael