[Zope] FW: sending a encrypted login URL

Tres Seaver tseaver at palladion.com
Wed Mar 4 12:28:48 EST 2009


Joseph Thomas (s) wrote:

> I think I get what you're suggesting, but let me clarify.
> 
> I actually wanted the sensitive portions of the URL to be
> encrypted... because it will be a link on a page that says "login to
> zope"... but I wouldn't want the user or a snooper to be able to view
> the page source and figure out the URL pattern and the
> username/password.
> 
> SSL will ensure that the transport between the browser and the zope
> server will be encrypted using PKI, but I really want to obfuscate
> the user name and password parameters in the login URL. So that
> if someone were to view the source they'd see garbled
> username/password parameters.
> 
> I suppose I could use the PKI to encrypt the username/password with
> my zope server's public key (but is there an API to do this on a J2EE
> container) and then have my zope server decrypt using its private key
> (but how would zope know that the username/password parameters are to
> be treated as encrypted data)?

On the Zope side, write a PAS plugin which knows how to extract the
URL-based credentials, decrypting them as appropriate.  You could
prototype this as a ScriptablePlugin containing an ExternalMethod named
'extractCredentials' (might even be good enough for production, depending).


Tres.
--
===================================================================
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
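
The following sketch of such an 'extractCredentials' function is an added example, not code from this thread or from PluggableAuthService. It assumes Python 3, a query parameter named `token`, a key shared between the linking application and Zope, and a hypothetical issuer-side helper `seal`; the HMAC-SHA256 keystream with encrypt-then-MAC is a standard-library stand-in for an AEAD from a vetted crypto library.

```python
import base64, hashlib, hmac, json, os, time

KEY = b"constructed-demo-key-32-bytes!!!"  # constructed placeholder; load from server config
MAX_AGE = 300                              # assumed lifetime of a login link, in seconds

def _subkey(label):
    # Separate keys for encryption and authentication, derived from KEY.
    return hmac.new(KEY, label, hashlib.sha256).digest()

def _keystream(nonce, n):
    # HMAC-SHA256 in counter mode (stand-in cipher, see lead-in).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(_subkey(b"enc"), nonce + ctr.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(login, password, now=None):
    """Issuer side (hypothetical): build the opaque value placed in the URL."""
    body = json.dumps({"l": login, "p": password,
                       "t": int(now or time.time())}).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(body, _keystream(nonce, len(body))))
    tag = hmac.new(_subkey(b"mac"), nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()

def extractCredentials(request, now=None):
    """Return {'login', 'password'} for a valid token, else {} so PAS moves on."""
    token = request.form.get("token")
    if not token:
        return {}
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except (ValueError, TypeError):
        return {}
    if len(raw) < 48:                      # 16-byte nonce + 32-byte tag minimum
        return {}
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(_subkey(b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # reject tampering before decrypting
        return {}
    body = json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct)))))
    if abs(int(now or time.time()) - body["t"]) > MAX_AGE:   # stale or replayed link
        return {}
    return {"login": body["l"], "password": body["p"]}
```

The timestamp only bounds how long a copied link keeps working; anyone who obtains the URL within that window can still use it.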


