[Zope3-Users] Re: Remote authentication

Maciej Wisniowski maciej.wisniowski at coig.katowice.pl
Sun May 13 06:15:46 EDT 2007


> Hi Maciej. Thank you for your reply and outlining the authentication
> process. This does make things clearer. There are a variety of backends,
> I read that something as simple as reading from a file is possible.
> ldappas and dl.ldapauth provide some good hints for plugins and user
> management from infrae's documentlibrary. I became aware of these
> packages working on documentlibrary recently.
I don't know documentlibrary, but with CAS you'll get only the user
name, and with this it is necessary to get user roles/permissions
from a specific backend.


> I want to be clear that https enters into the picture as soon as
> authentication is required or someone were to click on a login link. I
> am seeing links such as this in the docs I have been reading:
> 
> https://secure.its.yale.edu/cas/login?service=http://my/url
> 
> Reading the plone code, I noticed a replacement for login portlet (to
> replace it with a link to CAS server) so I am assuming at this point
> folks would be coming to portal unauthenticated and no https until you
> were to login or attempt to gain access to an area where you need
> authorization (then you are redirected - and now https on CAS server)
> Have I got this right?
CAS authentication will work with http, but single sign-on will not.
I mean if you have CAS server like:

https://secure.its.yale.edu/cas

and applications:
http://my/url
http://my/url2

then you'll have to login while trying to access http://my/url2
even though you already are logged in to http://my/url. With
https you'll be automatically logged into url2 via SSO.

There were discussions about turning off https on the CAS users
list, but I don't know if it is possible in recent CAS versions.

Also you may send the 'service url' as an https one. This way the user
accesses the http site, but after successful login at CAS the user is
redirected to the https one.


> I thought sessions should be used but maybe there are some other
> opinions. I realize there were some issues with sessions some years back
> with z2. I have not heard anything negative about sessions in z3.
Hm... I'm not sure about the session implementation in Zope 3, but
I had some issues with sessions in Zope 2 (conflicts).
I think that accessing the session with every request is not too good, as
this causes session buckets to be moved in the OOBTree because of
expiration, starts garbage collection, etc. But I'm not sure how
this exactly goes.


> I was also thinking to some extent about the url redirection etc for
> this CAS activity and it made me wonder whether some of this should not
> be occurring as part of a WSGI middleware (but this is just a random
> thought at the moment).
I have no experience with that but would like to get to know more :)

> I am interested in setting up a project for this shortly. I'll likely
> get this going in the next day or so and will be grateful for your help
> since you have experience with this. I'll provide details for the
> project as soon as I have them but will likely put it in zif collective
> on sourceforge in svn.
OK, but possibly I will have no internet access for a few days, so I may
answer with delays.


> BTW, I recently noticed that the authentication server need not be java
> so long as it complies with the CAS protocol. In fact I was reading code
> for rubyCAS server earlier today. It makes me wonder why the
> authentication server itself could not be written in python and served
> using zope or twisted. Gives me something to think about for later if
> things work. Many thanks,
Would be great to have this server in python :)

-- 
Maciej Wisniowski
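As an added example (not code from this thread, nor from the CAS or Zope projects), here is how an application could build the CAS login redirect with an https service URL, as suggested above, and map the user name CAS returns onto roles from its own backend. It assumes the CAS 2.0 /serviceValidate XML response format; the role backend and the sample responses are constructed.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit
import xml.etree.ElementTree as ET

CAS_BASE = "https://secure.its.yale.edu/cas"  # CAS server URL from the thread
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace of CAS 2.0 responses

# Constructed stand-in for the application's own role backend: CAS returns only
# a user name, so roles/permissions have to come from somewhere else.
ROLE_BACKEND = {"alice": ["Editor"], "bob": ["Reader"]}

def https_service_url(service):
    """Rewrite the service URL to https so that, after login at CAS, the user
    lands on the https site even if they arrived over plain http."""
    parts = urlsplit(service)
    return urlunsplit(("https",) + tuple(parts[1:]))

def cas_login_url(service):
    """Build the CAS /login redirect URL with an https service URL."""
    return CAS_BASE + "/login?" + urlencode({"service": https_service_url(service)})

def parse_service_validate(xml_text):
    """Parse a CAS 2.0 /serviceValidate response (assumed format); return the
    authenticated user name, or None on authenticationFailure."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        return None
    user = success.find("cas:user", CAS_NS)
    return user.text if user is not None else None

def principal_from_cas(xml_text):
    """Map the CAS user name to the application's own roles; unknown users get
    an empty role list, so authorization still denies them."""
    user = parse_service_validate(xml_text)
    if user is None:
        return None
    return {"id": user, "roles": ROLE_BACKEND.get(user, [])}

# Constructed sample responses in the CAS 2.0 XML format.
SUCCESS_XML = ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
               "<cas:authenticationSuccess><cas:user>alice</cas:user>"
               "</cas:authenticationSuccess></cas:serviceResponse>")
FAILURE_XML = ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
               "<cas:authenticationFailure code='INVALID_TICKET'>"
               "Ticket not recognized</cas:authenticationFailure>"
               "</cas:serviceResponse>")
```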

