[Zope] Re: Basic Authentication SSL Redirector

Josef Meile jmeile at hotmail.com
Fri Jun 23 08:13:21 EDT 2006


>> After having started the thread about securing CookieCrumbler[1], I 
>> figured
>> out that it was better to secure Basic Authentication instead. So, I just
> 
> Which is actually identically :-) Its just a different HTTP-Header
> involved :-)
Yes, but you won't send your credentials in plane text as you do with 
CookieCrumble, will you?

>> created a new Product, called JMSSLBasicAuth[2], which is based on the
>> CookieCrumbler Transversal Hook. Instead of Cookie Authentication, I will
>> redirect insecure Basic Authentication requests to ssl.
> 
> You remember to stay in ssl once you switched?
Let's say I remember that. Let's also say that the user turns manually 
back to http, then an Unauthorized Exception will be raised by zope, so, 
he will be redirect again to ssl, where an HTTP-Header where already set.

I checked it with the "Live HTTP Headers" of Firefox, and here the user 
won't send his credentials while switching to http, what you will see is 
this:

----------------------------------------------------------
http://some_url/folder1

GET /folder1 HTTP/1.1
Host: some_ip
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.0.4) 
Gecko/20060508 Firefox/1.5.0.4
Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

HTTP/1.x 302 Moved Temporarily
Date: Fri, 23 Jun 2006 12:02:34 GMT
Server: Zope/(Zope 2.7.8-final, python 2.3.5, linux2) ZServer/1.1
Bobo-Exception-Line: 313
Content-Length: 2686
Bobo-Exception-Value: See the server error log for details
Bobo-Exception-File: Expressions.py
Bobo-Exception-Type: Unauthorized
X-Zopeuser: Anonymous
Location: https://some_url/folder1/index_html
Content-Type: text/html
WWW-Authenticate: basic realm="Zope"
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
----------------------------------------------------------
https://some_url/folder1/index_html

GET /folder1/index_html HTTP/1.1
Host: some_ip
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.0.4) 
Gecko/20060508 Firefox/1.5.0.4
Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Authorization: Basic YWRtaW46Zm9vcGFzcw==

HTTP/1.x 200 OK
Date: Fri, 23 Jun 2006 12:02:34 GMT
Server: Zope/(Zope 2.7.8-final, python 2.3.5, linux2) ZServer/1.1
Content-Length: 156
Content-Type: text/html
X-Zopeuser: admin
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
----------------------------------------------------------

On the contratry, with CookieCrumbler you will the your credentials 
encoded in base64, which can be easily decoded.

> 
>> I have tested it and it seems to work. I'm planning to use it in 
>> production
>> websites, so, I would really appreciate if you could give me some
>> constructive feedback about the product (See reference [2]), ie: what 
>> can I
>> improve, change, or add?
> 
> I'd think you could add the redirection support (which can indeed be 
> usefull
> and simplify configuration) in a way not disabling cookie-auth the same 
> time.
> 
> (For example you cannot really log out with Basic Auth)
I think you can, or how is it done in the ZMI? If I'm not wrong, there 
is something like a zmi_logout script, which raises an Unauthorized 
Exception, then you will see the popup window asking your credentials.

Regards
Josef



More information about the Zope mailing list