Re: [Zope] Is it possible to extend Zopes WebDAV authentication?
mark hellewell wrote at 2005-5-7 20:22 +0100:
> On 5/7/05, Chris McDonough [EMAIL PROTECTED] wrote:
> > Web Folders pass cookies around too, FWIW, so it's probably not strictly necessary to use http basic auth. But without using http basic auth, there is no way to log in unless you have them go to the web interface first, then launch a web folder, so maybe impractical.
>
> That's exactly what's happening at the moment; the WebDAV access is linked to via the web interface after they log in (it's only one small part of a larger system). They log in via the web, gaining a cookie which is passed to the Explorer 'web folders' thing, so when they click on the link to the WebDAV part of the site the cookie is still valid and they don't have to log in to WebDAV. *

I think this can only work when WebDAV uses the normal HTTP port.

However, Powerpoint can get severely confused when it accesses a resource via WebDAV over the HTTP port and the access requires authentication. In this case, Powerpoint uses the login page as resource content.

--
Dieter

___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Is it possible to extend Zopes WebDAV authentication?
On May 6, 2005, at 23:52 , mark hellewell wrote:
> On 5/6/05, Tino Wildenhain [EMAIL PROTECTED] wrote:
> > Actually, it does not. You have no such thing like a session when all you have is webdav. I don't know if many dav-clients store cookies too - it may depend on your use case.
>
> Yes the use-case is Windows Explorer users only.

If this is supposed to use that Web Folder thingy in Windoze Explorer you might want to reconsider. That WebDAV implementation is seriously broken. Installing helpers like WebDrive on Windoze seems to make WebDAV access work for many people.

jens
Re: [Zope] Is it possible to extend Zopes WebDAV authentication?
Web Folders pass cookies around too, FWIW, so it's probably not strictly necessary to use http basic auth. But without using http basic auth, there is no way to log in unless you have them go to the web interface first, then launch a web folder, so maybe impractical.

- C

On Sat, 2005-05-07 at 06:31, Jens Vagelpohl wrote:
> On May 6, 2005, at 23:52 , mark hellewell wrote:
> > On 5/6/05, Tino Wildenhain [EMAIL PROTECTED] wrote:
> > > Actually, it does not. You have no such thing like a session when all you have is webdav. I don't know if many dav-clients store cookies too - it may depend on your use case.
> >
> > Yes the use-case is Windows Explorer users only.
>
> If this is supposed to use that Web Folder thingy in Windoze Explorer you might want to reconsider. That WebDAV implementation is seriously broken. Installing helpers like WebDrive on Windoze seems to make WebDAV access work for many people.
>
> jens
Re: [Zope] Is it possible to extend Zopes WebDAV authentication?
On Saturday, 07.05.2005, 12:04 -0400, Chris McDonough wrote:
> Web Folders pass cookies around too, FWIW, so it's probably not strictly necessary to use http basic auth. But without using http basic auth, there is no way to log in unless you have them go to the web interface first, then launch a web folder, so maybe impractical.

Well, in theory it's possible, if the client accepts cookies, to just store the number of wrong attempts via cookie (or id - which would be the same) and deny any password, be it even the correct one, when it comes via basic auth. But I strongly believe this does not save from abuse because it's just too easy to remove the cookie or just not accept it in the first place. So I'd say it's not worth the work.
Re: [Zope] Is it possible to extend Zopes WebDAV authentication?
On 5/7/05, Chris McDonough [EMAIL PROTECTED] wrote:
> Web Folders pass cookies around too, FWIW, so it's probably not strictly necessary to use http basic auth. But without using http basic auth, there is no way to log in unless you have them go to the web interface first, then launch a web folder, so maybe impractical.

That's exactly what's happening at the moment; the WebDAV access is linked to via the web interface after they log in (it's only one small part of a larger system). They log in via the web, gaining a cookie which is passed to the Explorer 'web folders' thing, so when they click on the link to the WebDAV part of the site the cookie is still valid and they don't have to log in to WebDAV. *

All I'm trying to do is boost the security of the system overall by ensuring an attacker can't simply sidestep the 'three login failure lockout' just by repeatedly trying to log in via WebDAV.

mark

* A thought occurs to me after writing it like this. Might it be possible to forbid HTTP Basic auth logins to WebDAV, so that only cookies are the allowed authentication type?

- C
Re: [Zope] Is it possible to extend Zopes WebDAV authentication?
On 5/7/05, Tino Wildenhain [EMAIL PROTECTED] wrote:
> Well, in theory it's possible, if the client accepts cookies, to just store the number of wrong attempts via cookie (or id - which would be the same) and deny any password, be it even the correct one, when it comes via basic auth.

Store the incorrect login count client-side in a cookie?! No way! :)

> But I strongly believe this does not save from abuse because it's just too easy to remove the cookie or just not accept it in the first place. So I'd say it's not worth the work.

Yes, I think it would be a bad idea.

mark
[Zope] Is it possible to extend Zopes WebDAV authentication?
Hello! I'd like a little help, please :)

I have a site that uses PluggableUserFolders for its acl_users. The web-based portion of the login process locks out a user after 3 unsuccessful attempts at the password and I'd like to be able to do something similar for users who try to connect via WebDAV.

I'm sure something like this should be possible but am uncertain where to begin. Is it possible to override the authentication methods used by WebDAV? If so, what are those methods?

I'd be grateful for any help and insight into this problem!

Many thanks,
Mark
Re: [Zope] Is it possible to extend Zopes WebDAV authentication?
mark hellewell wrote at 2005-5-6 14:44 +0100:
> I have a site that uses PluggableUserFolders for its acl_users. The web-based portion of the login process locks out a user after 3 unsuccessful attempts at the password and I'd like to be able to do something similar for users who try to connect via WebDAV. I'm sure something like this should be possible but am uncertain where to begin. Is it possible to override the authentication methods used by WebDAV?

WebDAV uses basic HTTP authentication which should use whatever UserFolder you have installed.

--
Dieter
Re: [Zope] Is it possible to extend Zopes WebDAV authentication?
On Friday, 06.05.2005, 19:26 +0100, mark hellewell wrote:
> On 5/6/05, Dieter Maurer [EMAIL PROTECTED] wrote:
> > WebDAV uses basic HTTP authentication which should use whatever UserFolder you have installed.
>
> Thanks.. So, I think I should be able to modify the authentication plugin of PUF so that each time a user makes a bad login attempt (either via WebDAV or the login form) it increments the bad login counter? Sounds like a plan, anyway :)

Actually, it does not. You have no such thing like a session when all you have is webdav. I don't know if many dav-clients store cookies too - it may depend on your use case. Without cookies you don't know if a request is the first, second or third time. And just counting per user would make an excellent way to DoS.

Regards
Tino
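The server-side, per-user failure counter the thread debates, as an added example that is not Zope or PluggableUserFolder code (the user table, the 15-minute cool-down, and the names `LockoutPolicy` and `authenticate` are assumptions). One counter shared by the login form and the basic-auth path closes the WebDAV side-step Mark describes, and the same code shows Tino's objection: three bad passwords from anyone deny the legitimate user, correct password and all, until the cool-down expires.

```python
import time
from typing import Callable, Dict, List, Tuple

USERS = {"mark": "correct horse"}   # constructed user table, stands in for acl_users
MAX_FAILURES = 3                    # the thread's "three login failure lockout"
LOCKOUT_SECONDS = 900               # assumed cool-down; the thread names no value


class LockoutPolicy:
    """Server-side failed-attempt counter keyed by user name.

    Held on the server, so the client cannot drop or rewrite it the way
    it could a cookie; keyed by user alone, so anyone who sends three bad
    passwords locks that user out (Tino's DoS objection).
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.failures: Dict[str, Tuple[int, float]] = {}  # user -> (count, last failure)
        self.events: List[Tuple[str, str, str]] = []       # (channel, user, outcome) audit trail

    def is_locked(self, user: str) -> bool:
        count, last = self.failures.get(user, (0, 0.0))
        if count < MAX_FAILURES:
            return False
        if self.clock() - last >= LOCKOUT_SECONDS:
            self.failures.pop(user)        # cool-down elapsed: start over
            return False
        return True

    def record(self, user: str, ok: bool) -> None:
        if ok:
            self.failures.pop(user, None)  # a good login clears the count
        else:
            count, _ = self.failures.get(user, (0, 0.0))
            self.failures[user] = (count + 1, self.clock())


def authenticate(policy: LockoutPolicy, user: str, password: str, channel: str) -> bool:
    """Check one credential under the lockout. `channel` is 'form' or
    'basic' (the WebDAV path); both feed the same counter, so retrying
    over basic auth cannot sidestep the form's lockout."""
    if policy.is_locked(user):
        policy.events.append((channel, user, "locked"))
        return False
    ok = USERS.get(user) == password
    policy.record(user, ok)
    policy.events.append((channel, user, "ok" if ok else "bad-password"))
    return ok
```

The `events` list is the audit trail a detection rule would read: a run of `bad-password` entries on the `basic` channel for one user is exactly the WebDAV retry pattern the thread worries about.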
Re: [Zope] Is it possible to extend Zopes WebDAV authentication?
On 5/6/05, Tino Wildenhain [EMAIL PROTECTED] wrote:
> Actually, it does not. You have no such thing like a session when all you have is webdav. I don't know if many dav-clients store cookies too - it may depend on your use case.

Yes the use-case is Windows Explorer users only.

> Without cookies you don't know if a request is the first, second or third time. And just counting per user would make an excellent way to DoS.

It would! However, there's no accounting for client requirements ;)

mark

> Regards
> Tino