[Zope3-Users] Re: apache as zope3's frontend and NTLM

Philipp von Weitershausen philipp at weitershausen.de
Sun Nov 13 00:24:57 EST 2005


Simon Hang wrote:
> Thanks for the help.
> 
> I don't feel comfortable putting the username in the URL. Users may be able to
> bypass the authentication and directly access Zope with the username in the URL.

True, it's not the nicest solution. But you could make it safer by first
stripping the corresponding request variable from the QUERY_STRING.
mod_rewrite is quite powerful in that respect.

> Now the only solution I found only works in Apache 2, not 1.3. I can
> use mod_headers. RequestHeader can add an HTTP header to the request before
> mod_rewrite passes it to Zope. I can put REMOTE_USER in an HTTP header and
> Zope will be able to pick it up. Users will still be able to bypass the
> check if they use a special web browser which can add HTTP headers. But
> at least with standard IE & Firefox, this method will be safe.

Here you could strip any REMOTE_USER header or request variable from the
incoming request so that the REMOTE_USER that Zope sees is always the
one set by Apache, or none (even if the browser client tried to supply
its own one).

> But I'm still using Apache 1.3. The above solution can't be applied. :(

Too bad, Apache 2.0 is quite nice.

Philipp
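
The configuration below is an added example, not part of the original
thread, showing the Apache 2 side of what Philipp describes above: any
browser-supplied user header or query variable is discarded before the
request reaches Zope, and the header Zope sees is derived only from the
user Apache itself authenticated. It assumes mod_rewrite, mod_proxy and
mod_headers are loaded (Apache 2.0 or later, so that RequestHeader accepts
%{VAR}e format specifiers), that an NTLM module has populated REMOTE_USER
(the AuthType keyword is module-specific; "AuthType NTLM" here is a
placeholder), and that Zope listens only on 127.0.0.1:8080 and has been
configured to read the X-Remote-User header. The header name, the Zope
address and the host name are all assumptions.

```apache
# Added example (not from the original thread): Apache 2 front end for Zope 3.
# Assumed names: intranet.example.com, X-Remote-User, 127.0.0.1:8080.
<VirtualHost *:80>
    ServerName intranet.example.com

    <Location /zope>
        # The NTLM module in use must set REMOTE_USER here. "AuthType NTLM"
        # is a placeholder; use the keyword your module documents.
        AuthType NTLM
        AuthName "Intranet"
        Require valid-user
    </Location>

    RewriteEngine On

    # 1. Refuse any request that tries to carry the user name in the query
    #    string, so a client cannot smuggle REMOTE_USER=... past Apache.
    #    Matched both at the start of the query string and after an '&'.
    RewriteCond %{QUERY_STRING} (^|&)REMOTE_USER= [NC]
    RewriteRule ^/zope - [F,L]

    # 2. Copy the authenticated user into an environment variable. LA-U makes
    #    mod_rewrite look ahead to the authentication phase, so REMOTE_USER
    #    is already known when this rule runs.
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule ^/zope - [E=RU:%1]

    # 3. Drop any X-Remote-User the browser sent, then set it from Apache's
    #    own REMOTE_USER. Order matters: unset first, then set. Because
    #    "Require valid-user" gates /zope, RU is always populated for the
    #    requests that are actually proxied.
    RequestHeader unset X-Remote-User
    RequestHeader set X-Remote-User %{RU}e

    # 4. Hand the request to Zope on the loopback interface. Zope must not
    #    listen on a public address, otherwise the header can be forged by
    #    connecting to it directly and bypassing Apache altogether.
    ProxyPass        /zope http://127.0.0.1:8080/
    ProxyPassReverse /zope http://127.0.0.1:8080/
</VirtualHost>
```

Rejecting a request that carries REMOTE_USER in the query string (rule 1)
is simpler than rewriting the query string in place, and it makes
tampering attempts visible in the access log as 403s rather than silently
dropping them. The loopback binding in step 4 is what makes the whole
scheme hold: the header is only trustworthy if Apache is the only way to
reach Zope.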
