[Zope3-Users] Re: NTLM credential plugin

Simon Hang hangzhiyun at gmail.com
Thu Sep 14 01:57:39 EDT 2006


Hi Gary,

You are absolutely right. I didn't know Zope won't maintain the connections.
If this is the case, I can't implement something inside Zope 3 to support
NTLM authentication. Maybe I should stick with Apache to do the hard job for
Zope.

Thanks!
Simon


On 9/13/06, Gary Poster <gary at zope.com> wrote:
>
>
> On Sep 13, 2006, at 2:30 AM, Philipp von Weitershausen wrote:
>
> > Simon Hang wrote:
> >> Hi,
> >>  I'm thinking of writing an NTLM credential plugin for Zope 3. But as
> >> I know, NTLM uses a 4-way handshake procedure, which means it needs
> >> two round-trips between server (Zope 3) and client (browser).
> >>  When I look at the credential plugins, they have a challenge method.
> >> But it seems to be designed only for a 1 round-trip protocol. It can
> >> issue one challenge, and return to the parent script.
> >
> > I don't see how the PAU only allows one "round-trip".
>
> AIUI (I just looked up NTLM last night out of curiosity: see
> http://www.innovation.ch/personal/ronald/ntlm.html), the problem is that the
> 4-way handshake has to happen *within a single connection*.
> Apparently MS abuses HTTP to perform this.  Implementing it in
> pluggable auth made me scratch my head a bit, so I didn't reply.  You
> would need to slurp the request, then push back to the response, then
> slurp the same request again, then push back to the response, then
> slurp one more time, and finally reply with the real request.
> Describing the problem to Benji, he mentioned WSGI--that does seem
> like the only way I can imagine this working, and that would be
> tricky enough, especially if you needed to reach into Zope for the
> managed credentials.  Once the WSGI plugin did its magic, it would
> need to put something in the WSGI request that a pluggable auth
> plugin was willing to accept as authentication.
>
> On the bright side, if you did this with WSGI you might be able to
> offer this as a generic Python WSGI NTLM tool that required only
> minimal integration with the back end app server.
>
> I'm glad I'm not tasked with this. :-D  It sounds interesting,
> though.  Also, maybe I misunderstand: read the link if you want to
> come up with your own interpretation.
>
> Gary
> _______________________________________________
> Zope3-users mailing list
> Zope3-users at zope.org
> http://mail.zope.org/mailman/listinfo/zope3-users
>
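The following is an added illustration, not code from the thread or from Zope or any NTLM library. It is a toy WSGI middleware that makes Gary's point concrete: a multi-round-trip challenge whose state is bound to the TCP connection only works if the server keeps that connection (and the middleware's per-connection state) alive across requests. The scheme name `TOYHANDSHAKE`, the `negotiate:`/`challenge:`/`respond:` message layout, the `toy.connection_id` environ key (assumed to be set by the server, one value per TCP connection) and the credential store are all hypothetical stand-ins; real NTLM message formats are deliberately not reproduced. The `run_handshake` driver plays the client side and shows the handshake succeeding on one reused connection and failing when every request arrives on a fresh one, which is the situation Simon describes for Zope.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential store: username -> shared secret (hypothetical).
USERS = {"alice": b"constructed-shared-secret"}


def expected_proof(secret, nonce):
    """Client and server both derive the proof from the shared secret and nonce."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()


class ConnectionBoundAuth:
    """WSGI middleware for a two-round-trip challenge keyed by TCP connection.

    Downstream apps see REMOTE_USER only once the handshake has completed
    on the very same connection it started on.
    """

    SCHEME = "TOYHANDSHAKE"  # hypothetical scheme name, not real NTLM

    def __init__(self, app, users):
        self.app = app
        self.users = users
        self.pending = {}  # connection id -> nonce issued on that connection

    def _deny(self, start_response, challenge=None):
        value = self.SCHEME if challenge is None else f"{self.SCHEME} {challenge}"
        start_response("401 Unauthorized",
                       [("WWW-Authenticate", value), ("Content-Type", "text/plain")])
        return [b"authentication required\n"]

    def __call__(self, environ, start_response):
        conn = environ.get("toy.connection_id")  # assumed: set per TCP connection by the server
        scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
        if scheme != self.SCHEME or not token:
            # Round trip 1: no usable credentials; advertise the scheme.
            self.pending.pop(conn, None)
            return self._deny(start_response)
        kind, _, payload = token.partition(":")
        if kind == "negotiate":
            # Round trip 2: issue a nonce that is valid on THIS connection only.
            nonce = secrets.token_hex(16)
            self.pending[conn] = nonce
            return self._deny(start_response, "challenge:" + nonce)
        if kind == "respond":
            nonce = self.pending.pop(conn, None)
            if nonce is None:
                # Different (or never-challenged) connection: no nonce to check
                # against, so the handshake has to start over.
                return self._deny(start_response)
            user, _, proof = payload.partition(":")
            secret = self.users.get(user)
            if secret is None or not hmac.compare_digest(proof, expected_proof(secret, nonce)):
                return self._deny(start_response)
            environ["REMOTE_USER"] = user  # what a downstream auth plugin would accept
            return self.app(environ, start_response)
        return self._deny(start_response)


def protected_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {environ['REMOTE_USER']}\n".encode()]


def run_handshake(keep_alive, user="alice", secret=USERS["alice"]):
    """Drive the client's three requests; return (final status, body).

    keep_alive=True reuses one connection id for all requests; False uses a
    fresh id per request, modelling a server that does not keep the connection.
    """
    mw = ConnectionBoundAuth(protected_app, USERS)
    counter = iter(range(1, 100))
    conn_id = next(counter)

    def call(auth_header):
        nonlocal conn_id
        if not keep_alive:
            conn_id = next(counter)
        captured = {}

        def start_response(status, headers):
            captured["status"] = status
            captured["headers"] = dict(headers)

        environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "toy.connection_id": conn_id}
        if auth_header:
            environ["HTTP_AUTHORIZATION"] = auth_header
        body = b"".join(mw(environ, start_response))
        return captured["status"], captured["headers"], body

    status, headers, _ = call(None)                       # 1: anonymous request
    status, headers, _ = call(f"{mw.SCHEME} negotiate")   # 2: negotiate, get nonce
    _, _, rest = headers["WWW-Authenticate"].partition(" ")
    _, _, nonce = rest.partition(":")
    if not nonce:
        return status, b""
    proof = expected_proof(secret, nonce)
    return call(f"{mw.SCHEME} respond:{user}:{proof}")[::2]  # 3: respond on (maybe) same connection


if __name__ == "__main__":
    print(run_handshake(keep_alive=True))   # ('200 OK', b'hello alice\n')
    print(run_handshake(keep_alive=False))  # ('401 Unauthorized', ...)
```

The key design point is that `pending` is keyed by connection, never by user or session cookie: the nonce is worthless on any other connection, which is exactly why an application server that hands each request to a fresh worker without connection identity, as described for Zope here, cannot complete the exchange, and why Gary suggests doing it in a WSGI layer that sits close enough to the socket to see connection identity.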