Re: [Zope] single sign-on
On 3/31/06, Fernando Martins <[EMAIL PROTECTED]> wrote:
> Interesting to know about, but it seems to be restricted to web sso, whereas
> I had in mind sso including the workstation login.

Ah. I don't know how (or if) you do that with CAS.

> It seems to be a full
> authentication mechanism on its own and it doesn't integrate with existing
> authentication systems, right? (no NTLM and it uses kerberos but on its
> own)

It can use NTLM as well, it's just a question of how you validate the username and password. But it still means dual logins.

--
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/

___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] single sign-on
Lennart Regebro wrote:
> On 3/30/06, Fernando Martins <[EMAIL PROTECTED]> wrote:
> > Yes, I understand the alternative to FastCGI, but mod_proxy
> > doesn't pass the required environmental variable REMOTE_USER to
> > zope. I was asking about single sign-on alternatives for Zope.
>
> Yale made a system called CAS, that works fine for SSO. It's simple
> and secure and easy to implement.
>
> My PAS plugin is available at http://www.zope.org/Members/regebro . I
> have a CookieCrumbler type thingy somewhere too.

Interesting to know about, but it seems to be restricted to web SSO, whereas I had in mind SSO including the workstation login. It seems to be a full authentication mechanism on its own and it doesn't integrate with existing authentication systems, right? (no NTLM and it uses Kerberos but on its own)

Thanks,
Fernando
Re: [Zope] Can't establish connection to localhost
--On 30 March 2006 21:22:15 -0800 Carl Symons <[EMAIL PROTECTED]> wrote:
> Been working with Zope error-free on localhost for months. I just tried to
> install a plone skin, which I've done successfully previously. Directions
> are to restart zope. Attempting to do so returns message:
>
> Unable to connect
> firefox can't establish a connection to the server at localhost:8081

Check your Zope event.log and the console message. That's the only thing we can recommend to you if you don't provide any additional information about errors during the startup phase.

-aj
[Zope] Can't establish connection to localhost
Been working with Zope error-free on localhost for months. I just tried to install a plone skin, which I've done successfully previously. Directions are to restart zope. Attempting to do so returns message:

Unable to connect
firefox can't establish a connection to the server at localhost:8081

Rebooted...same symptom. What should I do to get Zope running again?

Carl

Linux
Zope 2.8
plone 2.1.2-1
Re: [Zope] zope and nagios
Doyon, Jean-Francois wrote:
> Actually to detect whether it is *running* fetching a page will do the
> trick. That's what we do here and it works fine.
>
> That will NOT detect however if Zope is running, but errors are occurring.
> Is that what you really want?
>
> Why would looking up a page not do the trick?
>
> J.F.

When you have zope running on top of zeo and stop zeo you still can ask for a page and it will be returned correctly. But you can not do anything sensible on your site.

We do check with nagios for a page (looking for a special string). We run into situations where zope (actually a plone site) does not respond to user requests. However nagios does not complain.

Robert
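A check of the kind Robert describes (fetch a page and look for a marker string), written so that the "running but not serving sensibly" case is caught as well: slow or hung responses and error pages are reported, and the comments explain why the marker has to come from a page that actually reads through ZEO. This is an added example, not code from the thread or from the Nagios project; the URL, marker string and thresholds are placeholders to replace with your own.

```python
#!/usr/bin/env python3
"""Nagios-style check for a Zope/Plone site that is up but not serving
sensibly (for example because the ZEO server behind it has been stopped).

Added example, not code from the thread.  The URL, the marker string and the
thresholds below are assumptions to be replaced with your own values.
"""
import socket
import sys
import time
import urllib.error
import urllib.request

# Nagios plugin exit codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3


def evaluate(status, body, elapsed, marker, warn_seconds, crit_seconds):
    """Turn one observation into a Nagios (exit code, message) pair.

    The marker must be rendered by a page that really reads content from the
    ZODB through ZEO (not a static file or a fully cached page); otherwise a
    dead ZEO server can still produce a 200 with the expected text, which is
    exactly the false OK described in the thread.
    """
    if status != 200:
        return CRITICAL, "CRITICAL - HTTP status %d" % status
    if marker not in body:
        return CRITICAL, "CRITICAL - marker %r not found in page" % marker
    if elapsed >= crit_seconds:
        return CRITICAL, "CRITICAL - response took %.2fs" % elapsed
    if elapsed >= warn_seconds:
        return WARNING, "WARNING - response took %.2fs" % elapsed
    return OK, "OK - marker found in %.2fs" % elapsed


def fetch(url, timeout):
    """Fetch url; return (status, body, elapsed).  Raises on network errors."""
    start = time.monotonic()
    req = urllib.request.Request(url, headers={"User-Agent": "zope-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            status = resp.status
    except urllib.error.HTTPError as err:
        # 4xx/5xx responses (e.g. a Zope "Site Error" page) still carry a
        # status and a body we can report on.
        body = err.read().decode("utf-8", "replace")
        status = err.code
    return status, body, time.monotonic() - start


def check(url, marker, timeout=10.0, warn_seconds=2.0, crit_seconds=8.0):
    """Run the whole check; never raises, always returns (exit code, message)."""
    try:
        status, body, elapsed = fetch(url, timeout)
    except (urllib.error.URLError, socket.timeout, OSError) as err:
        # Connection refused, DNS failure or a hang longer than `timeout`:
        # Zope is either not running or not responding, which, as Ron says
        # in the thread, amounts to the same thing for monitoring purposes.
        return CRITICAL, "CRITICAL - %s unreachable: %s" % (url, err)
    return evaluate(status, body, elapsed, marker, warn_seconds, crit_seconds)


if __name__ == "__main__":
    # Placeholder URL and marker (assumptions): point these at a dynamic page
    # of your own site and at a string that page renders from ZODB content.
    code, message = check("http://localhost:8080/site/ping", "Zope is alive")
    print(message)
    sys.exit(code)
```

Register the script as a Nagios command and give it a page whose marker is rendered from live ZODB content; a page served from a cache in front of Zope will not reveal a stopped ZEO.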
Re: [Zope] single sign-on
On 3/30/06, Fernando Martins <[EMAIL PROTECTED]> wrote:
> Yes, I understand the alternative to FastCGI, but mod_proxy doesn't pass the
> required environmental variable REMOTE_USER to zope. I was asking about
> single sign-on alternatives for Zope.

Yale made a system called CAS, that works fine for SSO. It's simple and secure and easy to implement.

My PAS plugin is available at http://www.zope.org/Members/regebro . I have a CookieCrumbler type thingy somewhere too.

--
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/
Re: [Zope] Re: Question about Zope and security
On 3/30/06, Cyrille Bonnet <[EMAIL PROTECTED]> wrote:
> Now, just to push the problem a bit further: ideally, I'd like to put
> SSL just on the login form. Zope would authenticate the user in that
> request and return a "session ID" that would then be passed back and
> forth in each request (without SSL).

I'd recommend the Yale CAS system. It does exactly this. I wrote a plugin for PAS for it, and I think I have some Cookie.Crumbler type thingy somewhere too.
Re: [Zope] Re: Question about Zope and security
On Fri, Mar 31, 2006, Cyrille Bonnet wrote:
> Thanks to all for your feedback: I understand better what is going on now.
>
> SSL is definitely the way to go, that would solve all my problems.
>
> Now, just to push the problem a bit further: ideally, I'd like to put
> SSL just on the login form. Zope would authenticate the user in that
> request and return a "session ID" that would then be passed back and
> forth in each request (without SSL).
>
> That would be a balanced approach to security: I don't have to put SSL
> across the entire site. The site will be vulnerable to man-in-the-middle
> attacks, but only for the duration of a session.

I've done this using custom skins, copying the login_form and modifying it to use https when submitting.

Bill
--
INTERNET: [EMAIL PROTECTED]
Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/
PO Box 820; 6641 E. Mercer Way
Mercer Island, WA 98040-0820; (206) 236-1676
FAX: (206) 232-9186

There are three kinds of men. The ones that learn by reading. The few who learn by observation. The rest of them have to pee on the electric fence for themselves. -- Will Rogers
[Zope] Re: Question about Zope and security
Thanks to all for your feedback: I understand better what is going on now.

SSL is definitely the way to go, that would solve all my problems.

Now, just to push the problem a bit further: ideally, I'd like to put SSL just on the login form. Zope would authenticate the user in that request and return a "session ID" that would then be passed back and forth in each request (without SSL).

That would be a balanced approach to security: I don't have to put SSL across the entire site. The site will be vulnerable to man-in-the-middle attacks, but only for the duration of a session.

Is it possible to do that with Zope? Or does Zope require identifying the user on each request?

Thanks for the help.

Cyrille

bruno desthuilliers wrote:
> Cyrille Bonnet wrote:
> > Hi there,
> >
> > I have been telling all my clients about how great Zope is for security:
> > fine-grained permissions, security framework, roles, etc.
> >
> > Now, one of my clients has a security expert who took a close look at
> > how Zope authenticates users. The results were not good.
> >
> > The main problem is that Zope stores the username and password in a
> > cookie in clear text (base64 encoded).
>
> *Zope* doesn't do that. It's the (infamous) CookieCrumbler product that
> is responsible for this horror.
>
> > Even though it only happens in their internal network, my client wasn't
> > too happy, because it makes them vulnerable to a man-in-the-middle attack.
> >
> > I know, the odds of that happening are low, but storing the username and
> > password in clear text is clearly not best practice.
>
> That's an understatement.
>
> > So, my question is: is there a way to secure Zope authentication?
>
> yes : use https.
RE: [Zope] single sign-on
> > Hi,
> >
> > I'm doing single sign-on using Apache+mod_ntlm+FastCGI. Since
> > the last is
> > deprecated, is there any alternative?
> >
>
> As documented: Zope as standalone server + an optional reverse proxy
> (Squid/Apache). But no idea how this would solve a SSO issue.
>
> -aj
>

Yes, I understand the alternative to FastCGI, but mod_proxy doesn't pass the required environmental variable REMOTE_USER to zope. I was asking about single sign-on alternatives for Zope.

Fernando
Re: [Zope] zope and nagios
On Thu March 30 2006 13:21, robert rottermann wrote:
> I would like to test if zope is running using nagios.
>
> I would be grateful if somebody could point me to some info
> how to best do this.
> I am especially interested to learn what to test to detect a running but
> not responding zope.
> Just looking up a page seems not to do the trick.

As far as I'm concerned, a not responding Zope and a not running Zope are the same thing. check_http with the Zope port (and other necessary parameters) works fine for me. You could write a custom check that does whatever you want (including checking the logs or zopectl), but I think that's more trouble than it's worth.

--
Ron
RE: [Zope] zope and nagios
Actually to detect whether it is *running* fetching a page will do the trick. That's what we do here and it works fine.

That will NOT detect however if Zope is running, but errors are occurring. Is that what you really want?

Why would looking up a page not do the trick?

J.F.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of robert rottermann
Sent: March 30, 2006 1:21 PM
To: zope
Subject: [Zope] zope and nagios

Hi there,
I would like to test if zope is running using nagios.
I would be grateful if somebody could point me to some info how to best do this.
I am especially interested to learn what to test to detect a running but not responding zope.
Just looking up a page seems not to do the trick.

thanks
robert
Re: [Zope] single sign-on
--On 30 March 2006 21:16:09 +0200 Fernando Martins <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I'm doing single sign-on using Apache+mod_ntlm+FastCGI. Since the last is
> deprecated, is there any alternative?

As documented: Zope as standalone server + an optional reverse proxy (Squid/Apache). But no idea how this would solve a SSO issue.

-aj

---
- Andreas Jung, ZOPYX Ltd. & Co KG -
- E-mail: [EMAIL PROTECTED] Web: www.zopyx.com, www.zopyx.de -
---
[Zope] single sign-on
Hi,

I'm doing single sign-on using Apache+mod_ntlm+FastCGI. Since the last is deprecated, is there any alternative?

TIA,
Fernando Martins
[Zope] zope and nagios
Hi there,
I would like to test if zope is running using nagios.
I would be grateful if somebody could point me to some info how to best do this.
I am especially interested to learn what to test to detect a running but not responding zope.
Just looking up a page seems not to do the trick.

thanks
robert
Re: [Zope] Dependent List
--On 30 March 2006 17:54:57 +0200 [EMAIL PROTECTED] wrote:
> Hello,
> I have a problem with my archetype, I'm using dependent lists.

Wrong list. There are dedicated mailing lists for Archetypes and Plone.

-aj
Re: [Zope] "Permission denied" running Zope 2.8.5 configure
Jens Vagelpohl wrote:
>>> When attempting to configure Zope 2.8.5, however, I receive the
>>> following error from configure:
>>>
>>> [EMAIL PROTECTED]:www.climatelaw.org]$
>>> /usr/local/zope/software-home/zope/configure
>>> --prefix=/usr/local/zope/instance-home/www.climatelaw.org/
>>> --with-python=/usr/local/zope/software-home/python/
>>>
>>> Using Python interpreter at /usr/local/zope/software-home/python/
>>>
>>> Configuring Zope installation
>>>
>>> /usr/local/zope/software-home/zope/configure:
>>> /usr/local/zope/software-home/python/: permission denied
>
> What is that slash doing at the end of
> /usr/local/zope/software-home/python/? That directive is supposed to
> point to the Python binary, not some folder.

Ah! The directive was pointing to the *directory* containing the Python binary, not to Python itself. Adding "python" to the end fixed the problem. Phew!

> jens

Thanks, Jens. Who knows when I would have noticed that on my own.

Glenn

NB: I originally (unintentionally) replied directly to Jens. Resending this to let the list know that his suggestion resolved the problem.

G.
[Zope] Strange behavior with TAL and python: expressions
Great and mighty Zope gurus,

I have a template which calls a macro. Within the template, I tal:define a variable, 'form'. Within the macro, the 'form' variable (which is an FSForm object) is defined as None unless I access it using python expressions. If I attempt to do anything with attributes of 'form', I get an AttributeError indicating that the NoneType object, form, doesn't have the attribute that I'm looking for. However, I can use 'form' any way I want inside the template that calls the macro. It seems that the macro call somehow lost part of the information associated with the 'form' variable.

I worked around the problem by defining form using a python expression instead of a pure TALES expression. I was also able to work around the issue by accessing 'form' within the macro using python expressions instead of TALES.

Why would this happen? Is this expected?

I'm using Zope 2.7.5 and Formulator 1.9. I'm not sure what other products to list here; this seems like a ZPT-related thing. Please let me know if there is any more information I can provide.

Thanks!

--
Floyd May
Senior Systems Analyst
CTLN - CareerTech Learning Network
[EMAIL PROTECTED]
[Zope] Dependent List
Hello,

I have a problem with my archetype, I'm using dependent lists. I've downloaded the MasterSelectWidget product, but I have a problem with it. In my archetype I have a master field and a slave one, I install the archetype, I add an object of this type to my portal, but when I load the saved object and try to edit it, I see that the slave field (a selection widget) doesn't have the value that I have selected.

How can I solve it? Is there any alternative to MasterSelect widget?

Thanks!
Re: [Zope] ZopeTime in Zope 2.9.1
On 3/30/06, JoseLuis de la Rosa Triviño <[EMAIL PROTECTED]> wrote:
> However, I have created the profile needed to install WhoOnline in CPS using
> CMFGenericSetup, how could I share this code?

That would be mostly of interest to the author of WhoOnline, I guess.

--
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/
RE: [Zope] ZopeTime in Zope 2.9.1
Excuse me, I wasn't explicit enough and even so it was a problem with code I had added. However, I have created the profile needed to install WhoOnline in CPS using CMFGenericSetup, how could I share this code?

Thank you very much

JoseLuis de la Rosa Triviño
Intern, Information Systems Area
FUNDACIÓN IAVANTE
[EMAIL PROTECTED]
Tel. 951 015 300

This e-mail and any attachments are confidential and exclusively directed to its addressee(s). Any copy or distribution will have to be authorized by IAVANTE.

-Original Message-
From: Lennart Regebro [mailto:[EMAIL PROTECTED]
Sent: Thursday, 30 March 2006 12:35
To: JoseLuis de la Rosa Triviño
CC: zope@zope.org; [EMAIL PROTECTED]
Subject: Re: [Zope] ZopeTime in Zope 2.9.1

On 3/30/06, JoseLuis de la Rosa Triviño <[EMAIL PROTECTED]>
> I've been using the product WhoOnline on zope 2.8.4 with CPS 3.3.8, now I
> have migrated to zope 2.9.1, cmf 1.6 and CPS 3.4 and when I try to install
> WhoOnline (with an external method and with CMFGenericSetup) I get an error
> because ZopeTime is not available.

What is the error message? It seems to work for me.

--
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/
Re: [Zope] Question about Zope and security
+---[ bruno desthuilliers ]--
| Cyrille Bonnet wrote:
| > Hi there,
| >
| > I have been telling all my clients about how great Zope is for security:
| > fine-grained permissions, security framework, roles, etc.
| >
| > Now, one of my clients has a security expert who took a close look at
| > how Zope authenticates users. The results were not good.
| >
| > The main problem is that Zope stores the username and password in a
| > cookie in clear text (base64 encoded).
|
| *Zope* doesn't do that. It's the (infamous) CookieCrumbler product that
| is responsible for this horror.

Lots of UserFolders do this by default for compatibility reasons. CookieCrumbler is just following a long tradition. It's EXACTLY the same as what you get with Basic Auth.

exUserFolder has a mode that uses a random hash for cookies (I'm sure other UserFolders have this option as well).

But as others have said, if you're posting to a form and not using https, what's the point.

--
Andrew Milton
[EMAIL PROTECTED]
Re: [Zope] Question about Zope and security
Cyrille Bonnet wrote:
> Hi there,
>
> I have been telling all my clients about how great Zope is for security:
> fine-grained permissions, security framework, roles, etc.
>
> Now, one of my clients has a security expert who took a close look at
> how Zope authenticates users. The results were not good.
>
> The main problem is that Zope stores the username and password in a
> cookie in clear text (base64 encoded).

*Zope* doesn't do that. It's the (infamous) CookieCrumbler product that is responsible for this horror.

> Even though it only happens in their internal network, my client wasn't
> too happy, because it makes them vulnerable to a man-in-the-middle attack.
>
> I know, the odds of that happening are low, but storing the username and
> password in clear text is clearly not best practice.

That's an understatement.

> So, my question is: is there a way to secure Zope authentication?

yes : use https.

--
bruno desthuilliers
developer
[EMAIL PROTECTED]
http://www.modulix.com
Re: [Zope] ZopeTime in Zope 2.9.1
On 3/30/06, JoseLuis de la Rosa Triviño <[EMAIL PROTECTED]>
> I've been using the product WhoOnline on zope 2.8.4 with CPS 3.3.8, now I
> have migrated to zope 2.9.1, cmf 1.6 and CPS 3.4 and when I try to install
> WhoOnline (with an external method and with CMFGenericSetup) I get an error
> because ZopeTime is not available.

What is the error message? It seems to work for me.

--
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/
Re: [Zope] ZopeTime in Zope 2.9.1
--On 30 March 2006 12:19:24 +0200 JoseLuis de la Rosa Triviño <[EMAIL PROTECTED]> wrote:
> Hello,
> I've been using the product WhoOnline on zope 2.8.4 with CPS 3.3.8, now I
> have migrated to zope 2.9.1, cmf 1.6 and CPS 3.4 and when I try to install
> WhoOnline (with an external method and with CMFGenericSetup) I get an error
> because ZopeTime is not available.

"An error" means nothing. Please be specific how to reproduce the error and tell us about the error message (Python traceback).

-aj
[Zope] ZopeTime in Zope 2.9.1
Hello,

I've been using the product WhoOnline on zope 2.8.4 with CPS 3.3.8, now I have migrated to zope 2.9.1, cmf 1.6 and CPS 3.4 and when I try to install WhoOnline (with an external method and with CMFGenericSetup) I get an error because ZopeTime is not available.

Does anybody know how to make ZopeTime available in zope 2.9.1? Or is there any alternative product for zope 2.9.1?

Thank you very much.
Re: [Zope] Re: Question about Zope and security
Chris Withers wrote:
> Tino Wildenhain wrote:
> > Cyrille Bonnet wrote:
> > > Hi Terry,
> > > ...
> > > Sorry, I wasn't even aware that Zope stores the passwords in plain text.
> > > My primary concern (for the moment) is passwords in plain text in the
> > > request.
> >
> > No it does not. The default userfolder stores passwords hashed.
> > What userfolder are you referring to?
>
> Both Zope's default user folder and cookie crumbler both store the
> password base64 encoded, not hashed, there's a big difference.

Well, not that cookie crumbler stores any passwords anyway .-)

The checkbox has been there for a long time. I might have read that it's the default now or just hallucinated ;)

++Tino
Re: [Zope] Re: Question about Zope and security
Chris Withers wrote:
> ...
> what way? http basic auth is a standard. cookie auth isn't, and it's always
> insecure no matter how you implement it

They are both equally insecure - while you can make the cookie (as session auth) a little more secure - but after all it's worth nothing as long as you don't transfer the credentials initially encrypted :-)

++Tino
Re: [Zope] Re: Question about Zope and security
Tino Wildenhain wrote:
> Cyrille Bonnet wrote:
> > Hi Terry,
> > ...
> > Sorry, I wasn't even aware that Zope stores the passwords in plain text.
> > My primary concern (for the moment) is passwords in plain text in the
> > request.
>
> No it does not. The default userfolder stores passwords hashed.
> What userfolder are you referring to?

Both Zope's default user folder and cookie crumbler both store the password base64 encoded, not hashed, there's a big difference.

That said, it's a config option per user folder as to whether or not passwords are stored encrypted in the ZODB.

cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk
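To make the point of this thread concrete, both Andrew's "it's EXACTLY the same as Basic Auth" and Chris's "base64 encoded, not hashed, there's a big difference": a base64 "user:password" token, whether in a Basic auth header or a CookieCrumbler-style cookie, is readable by anyone who sees it on the wire, whereas a salted hash record never contains the password at all. This is an added example, not code from Zope, CookieCrumbler or any user folder; the cookie value and passwords are constructed, and the PBKDF2 record format is the example's own rather than what any Zope user folder stores.

```python
"""Why a base64 credential cookie is clear text, and what hashed password
storage looks like instead.

Added example, not code from Zope, CookieCrumbler or any user folder.  The
cookie value and passwords are constructed; the record format is our own.
"""
import base64
import binascii
import hashlib
import hmac
import os


def decode_basic_credential(value):
    """Recover (user, password) from a base64 'user:password' token, the form
    used by HTTP Basic auth and by credential-carrying cookies; None if the
    value is not such a token.

    Use it as an audit check on your own site: if it returns a tuple for a
    cookie or header observed without TLS, the credentials are exposed.
    """
    try:
        raw = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep or not user:
        return None
    return user, password


# Salted PBKDF2 record: what gets stored never contains the password itself,
# so a copy of the user database does not yield working credentials.
ITERATIONS = 200_000


def make_password_record(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for storage."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(record, password):
    """Constant-time check of a candidate password against a stored record."""
    try:
        scheme, iterations, salt_hex, hash_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        iterations = int(iterations)
    except ValueError:
        # Wrong number of fields, bad hex or a non-numeric iteration count.
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed cookie value: exactly what a base64 'user:password' cookie
    # (or an Authorization: Basic header) carries.
    cookie = base64.b64encode(b"alice:s3cret").decode("ascii")
    print("cookie", cookie, "decodes to", decode_basic_credential(cookie))
    record = make_password_record("s3cret")
    print("stored record:", record)
    print("verify correct:", verify_password(record, "s3cret"))
    print("verify wrong:", verify_password(record, "guess"))
```

Hashed storage protects the password at rest only; as the thread keeps repeating, the credential still crosses the network in the clear on every request unless the site is served over https.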
Re: [Zope] Re: Question about Zope and security
Cyrille Bonnet wrote:
> I am using Plone 2.1.2, which uses CookieCrumbler. I wanted to put the
> problem in a Zope perspective, though: this is why I didn't mention that.

Then I'd suggest going and bugging the Plohn people about this. CookieCrumbler _is_ insecure, and I've pointed this out and provided convoluted patches in the past. But even with those patches, you _still_ need to use https to get real security ;-)

> I had thought of SSL, but it doesn't solve the problem for WebDAV access.

Huh? WebDAV over SSL will work just fine...

> I should also mention that the site is for the general public, with a few
> users logging in.

So have the users who need to log in use a different subdomain, and make sure that's all SSL encrypted.

> Of course, I can't put the public site on SSL,

Why not? If you're _so_ fussed about security, that's what you _need_ to do...

> It seems so much simpler to solve the problem at the root: change Zope
> authentication.

Great, patches accepted. But please bear in mind we will rip them to shreds, especially if they use cookies or don't use SSL...

> I'd rather encrypt passwords with a hash and reset the password if the
> users have lost it. Is it possible to do that in Zope?

You can do anything you want, you just have to write the code.

> * why is Zope authentication implemented that way?

what way? http basic auth is a standard. cookie auth isn't, and it's always insecure no matter how you implement it

> * Is it really complex to secure the authentication process?

Yes. Always. Get over it. You _will_ screw it up so stop getting your knickers in a twist...

> * Is there any documentation summing up Zope security (authentication
> process, password storage, etc.)?

Probably. Why don't you have a look? Failing that, there's always the source code...

Seriously, you're worrying about stuff you shouldn't. If you really care about security, unplug your server, put it in a safe and leave it there. And pay someone to guard it and make sure no-one even sets eyes on it, let alone powers it up.

If you're moderately concerned about security, https _all_ your website interactions. Use client-side certificates to authenticate over SSL. Rigorously train all your users about security.

cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk