[Zope3-Users] Re: apache as zope3's frontend and NTLM

Simon Hang hangzhiyun at gmail.com
Sat Nov 12 18:48:40 EST 2005


Thanks for the help.

I don't feel comfortable putting the username in the URL. Users may be able to
bypass the authentication and access Zope directly with the username in the URL.

And that's true, Apache can pass environment variables via mod_rewrite.
What a pity.

Now the only solution I found works only in Apache 2, not 1.3. I can use
mod_headers. RequestHeader can add an HTTP header to the request before mod_rewrite
passes it to Zope. I can put REMOTE_USER in an HTTP header and Zope will be able
to pick it up. Users will still be able to bypass the check if they can use a
special web browser which can add HTTP headers. But at least with standard IE
& Firefox, this method will be safe.

But I'm still using Apache 1.3, so the above solution can't apply. :(

I'm giving up. Maybe I'll just use some browser script to submit the current username
to the CredentialsPlugin. This will be easy, just write my own version of loginform.pt,
and that will work. But it's ugly.

Thanks,
Simon

On 11/13/05, Philipp von Weitershausen <philipp at weitershausen.de> wrote:
>
> Florent Guillaume wrote:
> >> Well, Zope 3 doesn't care that Apache has authenticated your user. It
> >> doesn't see that. If you want the Zope 3 security system to interact
> >> with Apache's, here's a suggestion (not sure if it'll actually work):
> >>
> >> - Have Apache forward the REMOTE_USER CGI env variable, e.g. by using
> >> the "E" flag at the end of rewrite rule:
> >>
> >> [P,L,E=REMOTE_USER:%{REMOTE_USER}]
> >
> >
> > Will that really work? env variables are only useful in CGI mode, but
> > proxying doesn't involve CGI. Rather I'd advise using additional
> > parameters to the URL, like we do here for Zope 2 for instance:
> >
> > http://svn.nuxeo.org/trac/pub/file/CMFNtlmSso/trunk/doc/vhost_sso.conf
>
> Ah, yes. I thought of this initially but found the env way to be
> cleaner, simply assuming that mod_rewrite would pass the current env
> along on the proxy request. It seems it doesn't.
>
> Good example config, by the way.
>
> >> - Have a custom ICredentialsPlugin that simply looks at this env
> >> variable in the request for the log-in credentials. To challenge the
> >> user for authentication, it would simply use the same authentication
> >> realm as set in the apache.conf, so that it gets picked up by Apache
> >> when the user provides the credentials.
> >
> >
> > And this plugin would have to get the credentials from the URL instead
> > of the env variable. I wish apache had a proper way to add request
> > headers during proxying...
>
> Yup and yup.
>
> Philipp
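As an added example (not from this thread or from the Zope project), here is the ICredentialsPlugin shape Philipp describes, fed from a header that Apache 2's mod_headers adds with `RequestHeader set` once it has authenticated the user: `set` replaces any client-supplied header of the same name, which covers the modified-browser case Simon raises, and the plugin only trusts the header on connections from the proxy's address, which covers direct access to Zope's port. The header name X-Remote-User, the proxy address 127.0.0.1, the realm name and the stripped-down request/response stubs are assumptions made for this example.

```python
import re

USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")  # plain account names only


class TrustedHeaderCredentials:
    """Follows the ICredentialsPlugin contract (extractCredentials, challenge,
    logout) without the zope.interface declarations, so it runs stand-alone."""

    def __init__(self, header="X-Remote-User", realm="Intranet",
                 proxy_addrs=("127.0.0.1",)):
        # Zope 3 exposes request headers as HTTP_<NAME> in request.environment.
        self.env_key = "HTTP_" + header.upper().replace("-", "_")
        self.realm = realm                   # must match AuthName in apache.conf
        self.proxy_addrs = set(proxy_addrs)  # assumed address(es) of Apache

    def extractCredentials(self, request):
        env = request.environment
        # Trust the header only on connections from Apache itself; a client that
        # reaches Zope's port directly could otherwise set it by hand.
        if env.get("REMOTE_ADDR") not in self.proxy_addrs:
            return None
        user = env.get(self.env_key, "").strip()
        if not USERNAME_RE.match(user):
            return None
        # No password: Apache already authenticated the user against the realm.
        return {"login": user, "password": None}

    def challenge(self, request):
        # Re-issue Apache's realm so the browser sends credentials to Apache.
        request.response.setStatus(401)
        request.response.setHeader("WWW-Authenticate",
                                   'Basic realm="%s"' % self.realm)
        return True

    def logout(self, request):
        return False  # nothing to clear server-side; Apache owns the login


class FakeResponse:
    def __init__(self):
        self.status, self.headers = None, {}
    def setStatus(self, code):
        self.status = code
    def setHeader(self, name, value):
        self.headers[name] = value


class FakeRequest:
    """Stand-in for a Zope 3 BrowserRequest (constructed for this example)."""
    def __init__(self, environ):
        self.environment, self.response = dict(environ), FakeResponse()
```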