[Repoze-dev] JavaScript Hash for Login

2009-05-12 Thread Paul Johnston
Hi, I am going to have a go at adding a new authentication method to repoze.who. It's like the standard forms authentication, but uses JavaScript hashing to protect the password as it is transmitted. There's information about the scripts here, explaining how the system works, how it avoids replay

[Repoze-dev] repoze.zope2 - what's up on trunk

2009-05-12 Thread Hanno Schlichting
Hi. I've started to play around with repoze.zope2 trunk as witnessed on the commit list. What I'm trying to do here is to remove the last dependencies of repoze.zope2 to ZPublisher code. For the most part these are the request and response objects. My goal is to clean up both of these classes an

Re: [Repoze-dev] JavaScript Hash for Login

2009-05-12 Thread Malthe Borch
2009/5/12 Paul Johnston : > I am going to have a go at adding a new authentication method to > repoze.who. It's like the standard forms authentication, but uses > JavaScript hashing to protect the password as it is transmitted. Excellent; there's been talk on this list previously about such a m

Re: [Repoze-dev] JavaScript Hash for Login

2009-05-12 Thread Tres Seaver
Malthe Borch wrote: > 2009/5/12 Paul Johnston : >> I am going to have a go at adding a new authentication method to >> repoze.who. It's like the standard forms authentication, but uses >> JavaScript hashing to protect the password as it is transmitted.

Re: [Repoze-dev] [Repoze-checkins] r4659 - repoze.zope2/trunk/repoze/zope2

2009-05-12 Thread Tres Seaver
Hanno Schlichting wrote: > Removed _filterPasswordFields hack, preventing keys with the exact > key 'passw' to be filtered out in one place is just obscurity. But you didn't de-obfuscate it, you ripped it out. Now, the response view shows credential

Re: [Repoze-dev] [Repoze-checkins] r4659 - repoze.zope2/trunk/repoze/zope2

2009-05-12 Thread Hanno Schlichting
Tres Seaver wrote: > Hanno Schlichting wrote: > >> Removed _filterPasswordFields hack, preventing keys with the exact >> key 'passw' to be filtered out in one place is just obscurity. > > But you didn't de-obfuscate it, you ripped it out. Now, the response > view shows credentials, which is a se

Re: [Repoze-dev] [Repoze-checkins] r4659 - repoze.zope2/trunk/repoze/zope2

2009-05-12 Thread Tres Seaver
Hanno Schlichting wrote: > Tres Seaver wrote: >> Hanno Schlichting wrote: >> >>> Removed _filterPasswordFields hack, preventing keys with the exact >>> key 'passw' to be filtered out in one place is just obscurity. >> But you didn't de-obfuscate it, yo

Re: [Repoze-dev] [Repoze-checkins] r4659 - repoze.zope2/trunk/repoze/zope2

2009-05-12 Thread Malthe Borch
2009/5/12 Tres Seaver : > The server side wouldn't know that:  the presence of such a field in the > request is completely independent of any form (e.g., cookies passed long > after logging in). I understand the issue, but shouldn't the remedy be to avoid ever displaying request data in a public v

Re: [Repoze-dev] [Repoze-checkins] r4659 - repoze.zope2/trunk/repoze/zope2

2009-05-12 Thread Hanno Schlichting
Malthe Borch wrote: > 2009/5/12 Tres Seaver : >> The server side wouldn't know that: the presence of such a field in the >> request is completely independent of any form (e.g., cookies passed long >> after logging in). > > I understand the issue, but shouldn't the remedy be to avoid ever > displa

Re: [Repoze-dev] [Repoze-checkins] r4659 - repoze.zope2/trunk/repoze/zope2

2009-05-12 Thread Tres Seaver
Malthe Borch wrote: > 2009/5/12 Tres Seaver : >> The server side wouldn't know that: the presence of such a field in the >> request is completely independent of any form (e.g., cookies passed long >> after logging in). > > I understand the issue, but

Re: [Repoze-dev] [Repoze-checkins] r4659 - repoze.zope2/trunk/repoze/zope2

2009-05-12 Thread Malthe Borch
2009/5/12 Tres Seaver : > That would make a lot of applications pretty pointless. ;) def view(context, request): return Response(pprint.pformat(request)) I think we can safely disregard those apps. \malthe

Re: [Repoze-dev] [Repoze-checkins] r4659 - repoze.zope2/trunk/repoze/zope2

2009-05-12 Thread Tres Seaver
CVEs don't get swept under the rug. Tres. -- Tres Seaver +1 540-429-0999 tsea...@palladion.com Palladion Software "Excellence by Design" http://palladion.com

Re: [Repoze-dev] [Repoze-checkins] r4659 - repoze.zope2/trunk/repoze/zope2

2009-05-12 Thread Hanno Schlichting
Hanno Schlichting wrote: > Malthe Borch wrote: >> 2009/5/12 Tres Seaver : >>> The server side wouldn't know that: the presence of such a field in the >>> request is completely independent of any form (e.g., cookies passed long >>> after logging in). >> I understand the issue, but shouldn't the rem

Re: [Repoze-dev] repoze.zope2 - what's up on trunk

2009-05-12 Thread Chris McDonough
On 5/12/09 7:15 AM, Hanno Schlichting wrote: > Hi. > > I've started to play around with repoze.zope2 trunk as witnessed on the > commit list. > > What I'm trying to do here is to remove the last dependencies of > repoze.zope2 to ZPublisher code. For the most part these are the request > and respons

Re: [Repoze-dev] repoze.zope2 - what's up on trunk

2009-05-12 Thread Hanno Schlichting
Chris McDonough wrote: > I think this package is becoming less "repoze.zope2" than some other more > experimental system. Which is fine. But there's no way I'm going to be able > to give people help with it on IRC or the maillist when it breaks because > they're using an API that we removed.

Re: [Repoze-dev] repoze.zope2 - what's up on trunk

2009-05-12 Thread Malthe Borch
2009/5/12 Chris McDonough : > If we ever do release an 80%-compatible publisher replacement, we should call > it > something other than "repoze.zope2". I doubt if we're really talking 80% though; if as Hanno suggests, it'll run CMF, Plone and what other popular Zope 2 apps/libraries, isn't it mor

Re: [Repoze-dev] repoze.zope2 - what's up on trunk

2009-05-12 Thread Chris McDonough
On 5/12/09 12:00 PM, Malthe Borch wrote: > 2009/5/12 Chris McDonough: >> If we ever do release an 80%-compatible publisher replacement, we should >> call it >> something other than "repoze.zope2". > > I doubt if we're really talking 80% though; if as Hanno suggests, > it'll run CMF, Plone and what

Re: [Repoze-dev] repoze.zope2 - what's up on trunk

2009-05-12 Thread Reed O'Brien
On May 12, 2009, at 12:17 PM, Chris McDonough wrote: > On 5/12/09 12:00 PM, Malthe Borch wrote: >> 2009/5/12 Chris McDonough: >>> If we ever do release an 80%-compatible publisher replacement, we >>> should call it >>> something other than "repoze.zope2". >> >> I doubt if we're really talking 8

Re: [Repoze-dev] repoze.zope2 - what's up on trunk

2009-05-12 Thread Malthe Borch
2009/5/12 Andrew Sawyers : > Just an FYI from a (large) consumer of the repoze.zope2 package > This kind of change causes expensive test iterations.  We're currently going > through one now...as a result of choosing to move over to repoze.zope2 and > friends.  We would like to continue consumi

Re: [Repoze-dev] repoze.zope2 - what's up on trunk

2009-05-12 Thread Andrew Sawyers
On 5/12/09 9:35 AM, "Malthe Borch" wrote: > 2009/5/12 Andrew Sawyers : >> Just an FYI from a (large) consumer of the repoze.zope2 package >> This kind of change causes expensive test iterations.  We're currently going >> through one now...as a result of choosing to move over to repoze.zope2

[Repoze-dev] [issue76] repoze.who metadata plugin interface imposes an extra data fetch

2009-05-12 Thread Forest
New submission from Forest : I want to add meta-data to an authenticated user's environment, but I don't want to perform extra database operations to do it. Since the repoze.who spec only allows meta-data scribbling from within IMetadataProvider, and IMetadataProvider is separate from IAuthentic

[Repoze-dev] [issue77] repoze.who metadata plugin is called on every request

2009-05-12 Thread Forest
New submission from Forest : My testing shows that a meta-data provider plugin is called on every request. This is horribly inefficient for meta-data that is expensive to fetch, such as any that lives in a database. I would expect it to be fetched once when the user is authenticated, and then r

[Repoze-dev] [issue76] repoze.who metadata plugin interface imposes an extra data fetch

2009-05-12 Thread Tres Seaver
Tres Seaver added the comment: /me uses the time machine: http://svn.repoze.org/repoze.who/trunk/CHANGES.txt (See the first entry under 1.0.13). -- status: unread -> resolved

[Repoze-dev] JS Hashing - Initial Thoughts

2009-05-12 Thread Paul Johnston
Hi, Ok, I've had a little look at how I could implement the JavaScript hash login. I'll create a HashFormPlugin that is a challenger and an identifier. As for the Authenticator, maybe I'll create a new SQLHashAuthenticatorPlugin, or maybe I'll just provide a default_hash_compare function to pass t