[Zope] Re: Zope/Plone logon security strategy etc
michael nt milne
michael.milne at gmail.com
Wed Mar 1 15:37:14 EST 2006
ok, thanks. I didn't notice the documentation on your site.
On 2/28/06, Dieter Maurer <dieter at handshake.de> wrote:
> michael nt milne wrote at 2006-2-28 15:51 +0000:
> >I'm probably missing something really obvious but am wondering how you
> >actually implement your product on a live plone site. I've got it
> >installed.
> >Do you just customise the login form that comes with the product and use
> >that on the site?
>
> I fear you do not understand the essence of HTTP authentication:
>
> For any kind of HTTP authentication (whether "basic" or
> "digest"), it is the browser which gathers the login
> information. Therefore, you do not have a login form (you
> can customize on the server). Instead, the browser uses
> its login dialog (which you might customize, if you
> are using e.g. Mozilla or Firefox, but is usually out of the
> server's reach).
>
> As written in the documentation on my website,
> "DigestAuth" currently only contains a "DigestAuthCrumbler"
> which works similar to the "CookieCrumbler".
> More precisely:
>
> It takes digest auth information, verifies it and
> (if successful) presents it like basic auth information
> to the remaining parts of Zope.
>
> The "CookieCrumbler" works very similar: it takes the
> information from a cookie and presents it like
> basic auth information to the remaining parts of Zope.
>
> The "DigestAuthCrumbler" is a bit less transparent.
> It *MUST* know the user's password in order to verify
> the validity of the presented auth information (more precisely,
> a special hash would be sufficient, but usual user folders
> do not support such hashes). Therefore, it can only be
> used together with UserFolders providing access to the
> clear text password.
>
>
>
> --
> Dieter
>
--
Michael
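The mechanism Dieter describes, as an added illustration that is not part of the thread and not code from DigestAuth or Zope: a server verifying HTTP Digest (RFC 2617, MD5, qop=auth) recomputes the client's response, and for that it needs either the clear-text password or the "special hash" HA1 = MD5(username:realm:password). A user folder that stores only some other hash of the password cannot produce HA1, so verification fails. The realm, nonce, user name and password are constructed values; the `user_store` dictionary stands in for whatever the user folder would expose.

```python
"""HTTP Digest verification sketch (RFC 2617, MD5, qop=auth).

Added example: the verifying side needs the clear-text password or
HA1 = MD5(username:realm:password). Not DigestAuth's or Zope's code;
realm, nonce, user and password values are constructed.
"""
import hashlib
import hmac
import re

REALM = "Zope"                      # constructed realm name
SERVER_NONCE = "5b1c7e9f0a3d4e2b"   # constructed; a real server issues a fresh nonce per challenge


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """The only password-derived value the verifier needs (RFC 2617 HA1)."""
    return md5hex(f"{username}:{realm}:{password}")


def digest_response(ha1_value, method, uri, nonce, nc, cnonce):
    """RFC 2617 response computation for qop=auth."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1_value}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def build_authorization(username, password, method, uri, nonce, cnonce="0a4f1c"):
    """Client side: what the browser's login dialog would send (constructed cnonce)."""
    nc = "00000001"
    resp = digest_response(ha1(username, REALM, password), method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_authorization(header):
    """Split 'Digest k="v", k=v, ...' into a dict; quoted and bare values both accepted."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(params)}


def verify_authorization(header, method, user_store, expected_nonce=SERVER_NONCE):
    """Server side. user_store maps username -> {'password': ...} or {'ha1': ...}.

    Returns True only when the response can be recomputed from what is stored,
    the realm matches, and the nonce is one this server issued.
    """
    p = parse_authorization(header)
    record = user_store.get(p.get("username"))
    if record is None or p.get("realm") != REALM or p.get("qop") != "auth":
        return False
    if p.get("nonce") != expected_nonce:      # never accept a nonce the server did not issue
        return False
    if "ha1" in record:
        h = record["ha1"]                      # the "special hash" is sufficient on its own
    elif "password" in record:
        h = ha1(p["username"], REALM, record["password"])
    else:
        return False                           # e.g. only SHA1(password) stored: HA1 underivable
    expected = digest_response(h, method, p["uri"], p["nonce"], p["nc"], p["cnonce"])
    return hmac.compare_digest(expected, p.get("response", ""))


if __name__ == "__main__":
    hdr = build_authorization("alice", "s3cret", "GET", "/index_html", SERVER_NONCE)
    print(hdr)
    print(verify_authorization(hdr, "GET", {"alice": {"password": "s3cret"}}))
    print(verify_authorization(hdr, "GET", {"alice": {"ha1": ha1("alice", REALM, "s3cret")}}))
    print(verify_authorization(hdr, "GET", {"alice": {"sha1": "not-usable"}}))
```

Storing HA1 instead of the clear-text password is the usual compromise: it is enough to verify digest responses, yet it is bound to one realm, so the same value cannot be replayed against a different realm. MD5 is what RFC 2617 mandates; RFC 7616 later added SHA-256 variants, but the structure of the check is the same.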