Re: [Zope] Re: Handling login failures
On Jan 13, 2006, at 00:32, Dennis Allison wrote:

> A more usual solution to this issue is to insert a delay after the third and subsequent failures. You, of course, need a policy for removing the delay (successful login or N minutes following the last attempt).

Yes, I have been thinking the same thing. It would be much less work for the admin of the system. Thanks for the tip though :)

___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
[Zope] Re: Handling login failures
On Jan 13, 2006, at 00:24, Florent Guillaume wrote:

> Håkan Johansson wrote:
> > I want to be able to block a user from logging in if he fails to give the right login/password three times in a row.
>
> You're aware that this allows anyone to trivially DoS your users, right? If you take the precaution of matching with the IP, it still will harm people logging in through corporate or ISP proxies. Which, admittedly, may not be a problem in an intranet setting.
>
> Florent

This is not really a problem for us since we have a firewall that must be logged into first. Only customers to the system can actually access it. If I had a say in it, I would not implement a system like this at all, but our customer wants it.

Thanks for the warning though. I hadn't thought about the DoS aspect.
Re: [Zope] Re: Handling login failures
A more usual solution to this issue is to insert a delay after the third and subsequent failures. You, of course, need a policy for removing the delay (successful login or N minutes following the last attempt).

On Fri, 13 Jan 2006, Florent Guillaume wrote:

> Håkan Johansson wrote:
> > I want to be able to block a user from logging in if he fails to give
> > the right login/password three times in a row.
>
> You're aware that this allows anyone to trivially DoS your users, right?
> If you take the precaution of matching with the IP, it still will harm
> people logging in through corporate or ISP proxies. Which, admittedly,
> may not be a problem in an intranet setting.
>
> Florent
>
> > The problem is that I don't know how to do this.
> >
> > First, I need to know if an attempt failed. This, I have no idea how to do.
> >
> > Second, I need to block the user without deleting him. One problem here
> > is that the user can write different login names for the different login
> > attempts. We have been thinking about blocking the offender's IP for 30
> > minutes or so and leave it at that. It seems to me that
> > SiteAccess.AccessRule could be used for that, but I haven't looked much
> > into it yet. The documentation is extremely light.
> >
> >
> > I have a very clean Zope 2.8.4 installation on a SuSE linux machine.
> > Logins are handled in the standard Zope way, nothing special added.
> > The Zope is running as a stand alone server, i.e. no Apache at all.
> >
> >
> > Another thing: How do I get Zope to log failed authentication attempts?
> > Neither event.log or Z2.log shows anything. As Z2.log is the access log,
> > I would have guessed that such things should be logged there. If not,
> > where and how?
> >
> > --
[Zope] Re: Handling login failures
Håkan Johansson wrote:
> I want to be able to block a user from logging in if he fails to give the right login/password three times in a row.

You're aware that this allows anyone to trivially DoS your users, right? If you take the precaution of matching with the IP, it still will harm people logging in through corporate or ISP proxies. Which, admittedly, may not be a problem in an intranet setting.

Florent

> The problem is that I don't know how to do this.
>
> First, I need to know if an attempt failed. This, I have no idea how to do.
>
> Second, I need to block the user without deleting him. One problem here is that the user can write different login names for the different login attempts. We have been thinking about blocking the offender's IP for 30 minutes or so and leave it at that. It seems to me that SiteAccess.AccessRule could be used for that, but I haven't looked much into it yet. The documentation is extremely light.
>
> I have a very clean Zope 2.8.4 installation on a SuSE linux machine. Logins are handled in the standard Zope way, nothing special added. The Zope is running as a stand alone server, i.e. no Apache at all.
>
> Another thing: How do I get Zope to log failed authentication attempts? Neither event.log or Z2.log shows anything. As Z2.log is the access log, I would have guessed that such things should be logged there. If not, where and how?

--
Florent Guillaume, Nuxeo (Paris, France) Director of R&D
+33 1 40 33 71 59 http://nuxeo.com [EMAIL PROTECTED]
Re: [Zope] Zope background variables
You should have a look at 'temp_folder'. It is a RAM-based folder (ie. objects stored in it are not written to the ZODB), so when zope stops running anything in the temp_folder is lost, but it is faster than writing to the ZODB (disk-based storage). Zope uses a temp_folder for its sessions.

hth
Jonathan

- Original Message -
From: Alric Aneron
To: zope@zope.org
Sent: Thursday, January 12, 2006 4:39 PM
Subject: [Zope] Zope background variables

Hello,
I was wondering if there is a way to store a global variable on the server, and have such variable be easily retrieved in Zope dtml/python methods.
I want to make my own login system with sessions. And store session ID on the server and cookie to identify logged in users.
Is there an easy way to store a list of users and session IDs on the server? Like a background array that's always available as long as the server is running.
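An added example, not from the reply above and not Zope code, of what a hand-rolled "session ID on the server, cookie in the browser" scheme needs beyond a place to keep the table. The `SessionStore` below is a plain in-process dict standing in for a RAM folder (so, like temp_folder, it is empty again after a restart); the class and method names, the cookie name and the TTL are assumptions.

```python
"""In-process session table for a hand-rolled cookie login.

Added example, not Zope code and not from the thread. A plain dict held
by the running process plays the role of the RAM folder, so sessions are
gone after a restart. The parts that matter wherever the table lives:
IDs from a CSPRNG, server-side expiry, only a hash of the ID stored (a
leaked table then yields no usable cookies), and a fresh ID issued at
login so a planted pre-login ID never becomes authenticated.
Assumed: one server process; several processes need a shared table.
"""
import hashlib
import secrets
import time


class SessionStore:
    def __init__(self, ttl=1800, clock=time.time):
        self.ttl = ttl
        self.clock = clock
        self._sessions = {}  # sha256(session id) -> (username, expires_at)

    @staticmethod
    def _digest(sid):
        # The cookie value itself is never kept; only its hash is.
        return hashlib.sha256(sid.encode("utf-8")).hexdigest()

    def create(self, username):
        """Issue a new ID after a successful login (never reuse a pre-login
        one: that is the session-fixation hole)."""
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[self._digest(sid)] = (username, self.clock() + self.ttl)
        return sid

    def lookup(self, sid):
        """Username for a valid cookie value, else None; expired entries are
        dropped when seen."""
        if not sid:
            return None
        key = self._digest(sid)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        username, expires_at = entry
        if self.clock() >= expires_at:
            del self._sessions[key]
            return None
        return username

    def destroy(self, sid):
        """Logout: forget the session server-side. Clearing the cookie alone
        would leave the ID valid for anyone who captured it."""
        self._sessions.pop(self._digest(sid), None)

    def sweep(self):
        """Remove every expired entry; returns the count. Run periodically
        so abandoned sessions do not pile up in memory."""
        now = self.clock()
        dead = [k for k, (_, exp) in self._sessions.items() if now >= exp]
        for k in dead:
            del self._sessions[k]
        return len(dead)

    def cookie_header(self, sid, name="sid", secure=True):
        """Set-Cookie value: HttpOnly keeps scripts away from it, Secure keeps
        it off plain HTTP, SameSite=Lax blunts CSRF, and no Expires makes it
        a browser-session cookie (the server-side TTL is the real limit)."""
        attrs = [f"{name}={sid}", "Path=/", "HttpOnly", "SameSite=Lax"]
        if secure:
            attrs.append("Secure")
        return "; ".join(attrs)
```

The request handler that checks the cookie calls `lookup` on every hit and `create` only after the password check has passed; how the cookie is read from and written to the response in a given framework is left out.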
[Zope] Zope background variables
Hello,

I was wondering if there is a way to store a global variable on the server, and have such variable be easily retrieved in Zope dtml/python methods.

I want to make my own login system with sessions. And store session ID on the server and cookie to identify logged in users.

Is there an easy way to store a list of users and session IDs on the server? Like a background array that's always available as long as the server is running.
Re: [Zope] problems displaying radio buttons in plone
Jon Savian wrote:
> Hi guys, i am using plone 2.1.3 and i am having some trouble displaying radio buttons. I am doing a normal html form etc However they do not display on the page. Any ideas?

What do you mean by "doing"? Plone doesn't by default allow things like forms in content. There's a "safe HTML" howto on plone.org, I think, that you should look at in this case.

Also, there's a Plone-specific mailing list, you know.

--jcc
--
"Building Websites with Plone" http://plonebook.packtpub.com/
Enfold Systems, LLC http://www.enfoldsystems.com
Re: [Zope] cannot create an external method with zope-2.9.0
I found the problem: it was a typo !! During checkout of the Product I made a typo and named the Product directory WAeUp instead of WAeUP :-(((. Sorry for the noise.

Patrick Decat schrieb:
> On 1/11/06, joachim <[EMAIL PROTECTED]> wrote:
> > Yes it is called Extensions, but is in the Product. As I said, the same works with the same Product on the same machine under Zope-2.8.2.
>
> Like you, I put my extensions in my product rather than in the global Extensions directory. Can't see what's going on with yours, sorry.
>
> Regards,
> Patrick.
[Zope] problems displaying radio buttons in plone
Hi guys, i am using plone 2.1.3 and i am having some trouble displaying radio buttons. I am doing a normal html form etc However they do not display on the page. Any ideas?

Thanx
[Zope] Re: Zope Security
I wrote:
> I would rate Zope overall as a reasonably secure platform. Because the
> bulk of it, including all the socket handling code, is written in
> If you look
> at the list of security alerts ("hotfixes", see
>
> you will note that the *vast* majority of them have been relevant only
> for sites which allow less-than-fully-trusted users to write
> through-the-web code, a use case which most sites do not have.

and forgot to paste in the URL: http://www.zope.org/Products/Zope/

Sorry about that.

Tres.
--
Tres Seaver +1 202-558-7113 [EMAIL PROTECTED]
Palladion Software "Excellence by Design" http://palladion.com
[Zope] Re: Zope Security
michael nt milne wrote:
> Hi
>
> Just a quick query about Zope security etc. I've got an installation on a
> Windows server using Apache, which also hosts internal email/data etc. This
> is behind a router/firewall. Just wondering if there are any Zope security
> issues that I should be aware of? How secure is Zope?
>
> Thanks
>
> Michael
>
> PS This is a re-send as it bounced the first time round.

I would rate Zope overall as a reasonably secure platform. Because the bulk of it, including all the socket handling code, is written in Python, it does not suffer from buffer overflow problems. If you look at the list of security alerts ("hotfixes", see you will note that the *vast* majority of them have been relevant only for sites which allow less-than-fully-trusted users to write through-the-web code, a use case which most sites do not have.

Zope's own security model is used to protect data within the ZODB from improper access by site visitors. It is possible to configure the model for *very* fine-grained access control; OTOH, safely using such power requires mastering a good deal of complexity. Other frameworks built atop Zope (CMF, Plone, Silva, CPS) present reduced views of that flexibility, tailored to well-understood patterns.

For machines which handle both Zope and other sensitive data:

- Zope is a long-running process: the user-as-whom-Zope-runs (UAWZR) should ideally be a dedicated account, with read access to the Zope instance directory ("INSTANCE_HOME"), the Zope software directories, and necessary system libraries, and write access only to the directories where it writes its data and logfiles ('$INSTANCE_HOME/var').

- Zope's own security model trusts the filesystem code implicitly, which means that you *don't* want to give arbitrary access to the software directory or the instance home. You should probably block even read access to the 'var' subdirectory, as the database files there might expose sensitive data to prying eyes.

Note that none of this advice is Windows-specific. One bit which is:

- When running a ZEO storage server, you need to protect the socket on which it listens from unauthorized access. On a Unix box, you can make it a Unix-domain socket, which can be protected with appropriate filesystem permissions. If using a TCP socket (required on Windows), you need to configure it to listen only on "trusted" interfaces, e.g., localhost, or an IP address which is in a carefully firewalled subnet.

Tres.
--
Tres Seaver +1 202-558-7113 [EMAIL PROTECTED]
Palladion Software "Excellence by Design" http://palladion.com
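The permission layout and the ZEO listen-address advice in the message above, turned into a check that can be run against an instance. This is an added example, not part of the message and not Zope code: `audit_instance_home`, `fix_findings`, `zeo_address_exposure` and the throwaway demo tree are assumptions, as is the reading of the `address` directive (a bare port number binds every interface, a bare path is a Unix-domain socket) used here.

```python
"""Audit a Zope instance home against the permission layout described above
and classify the ZEO listen address.

Added example, not from the thread and not Zope code. Assumes a Unix
filesystem (st_mode bits), the conventional INSTANCE_HOME/var location for
database and log files, and a zeo.conf whose <zeo> section carries an
`address` directive; reading a bare port as "every interface" and a bare
path as a Unix-domain socket is an assumption about the config syntax.
"""
import os
import re
import stat
import sys
import tempfile

GROUP_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH
GROUP_OTHER_ANY = stat.S_IRWXG | stat.S_IRWXO
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def audit_instance_home(instance_home, software_home=None):
    """[(path, problem)]: code/config/software writable by group or other,
    or anything under var/ (Data.fs, logs) accessible to group or other."""
    findings = []
    var_dir = os.path.join(instance_home, "var")
    roots = [instance_home] + ([software_home] if software_home else [])
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            for name in dirnames + filenames:
                path = os.path.join(dirpath, name)
                try:
                    mode = os.lstat(path).st_mode
                except OSError:
                    continue
                if stat.S_ISLNK(mode):
                    continue  # the link target is judged where it lives
                in_var = path == var_dir or path.startswith(var_dir + os.sep)
                if in_var and mode & GROUP_OTHER_ANY:
                    findings.append((path, "accessible by group/other"))
                elif not in_var and mode & GROUP_OTHER_WRITE:
                    findings.append((path, "writable by group/other"))
    return findings


def fix_findings(findings):
    """Clear the offending bits. Ownership (chown to the dedicated Zope
    account) is left to the administrator, since that needs root."""
    for path, problem in findings:
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        drop = GROUP_OTHER_ANY if problem.startswith("accessible") else GROUP_OTHER_WRITE
        os.chmod(path, mode & ~drop)


def zeo_address_exposure(zeo_conf_text):
    """Classify the <zeo> address: ("missing", None), ("unix-socket", path),
    ("all-interfaces", port), ("loopback", addr) or ("interface", addr).
    Only unix-socket and loopback keep the storage server off the network;
    "interface" relies on the firewall, "all-interfaces" is the one to fix."""
    section = re.search(r"<zeo>(.*?)</zeo>", zeo_conf_text, re.S | re.I)
    m = section and re.search(r"^\s*address\s+(\S+)", section.group(1), re.M)
    if not m:
        return ("missing", None)
    addr = m.group(1)
    if ":" not in addr:
        return ("all-interfaces", addr) if addr.isdigit() else ("unix-socket", addr)
    host = addr.rpartition(":")[0].strip("[]").lower()
    if host == "":
        return ("all-interfaces", addr.rpartition(":")[2])
    return ("loopback", addr) if host in LOOPBACK else ("interface", addr)


def build_demo_instance():
    """Constructed sample input: a throwaway instance home with two deliberate
    mistakes, a world-writable zope.conf and a group-readable Data.fs."""
    home = os.path.join(tempfile.mkdtemp(prefix="zope-audit-"), "instance")
    os.makedirs(home)
    os.chmod(home, 0o750)
    dirs = {"etc": 0o750, "var": 0o700, "bin": 0o750}
    files = {"etc/zope.conf": 0o666, "var/Data.fs": 0o640,
             "var/event.log": 0o600, "bin/zopectl": 0o750}
    for rel, mode in dirs.items():
        os.makedirs(os.path.join(home, rel))
        os.chmod(os.path.join(home, rel), mode)
    for rel, mode in files.items():
        open(os.path.join(home, rel), "w").close()
        os.chmod(os.path.join(home, rel), mode)
    return home


if __name__ == "__main__":
    # python audit.py [INSTANCE_HOME [zeo.conf]]; no arguments audits the demo tree
    home = sys.argv[1] if len(sys.argv) > 1 else build_demo_instance()
    for path, problem in audit_instance_home(home):
        print(f"{problem}: {path}")
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as fh:
            print("ZEO address:", zeo_address_exposure(fh.read()))
```

Run it as the Zope account after deployment and again after any upgrade that re-extracts the software directory; an upgrade is the usual way a tightened `var/` quietly becomes group-readable again.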
Re: [Zope] wrong directory in Control_Panel.Products.XXXX.home
On 1/12/06, Luca Olivetti <[EMAIL PROTECTED]> wrote:
> Everything has been working fine (apart from the breakage of
> CMFQuickInstaller) but I wonder if this is the intended behavior and if
> there is a better way to update the information in Control_Panel (touching
> __init__.py in the offending products and restarting zope didn't help, I
> had to remove the products from the Control_Panel and restart zope).

I suspect that the .pyc files may still hold the old paths; remove the .pyc files and restart to have them recreated, or use the Python standard library script compileall.py to recreate these files.

--
Martijn Pieters
Re: [Zope] Handling login failures
On Jan 11, 2006, at 17:37, Tino Wildenhain wrote:

> Håkan Johansson schrieb:
> > Hi everyone.
> > I want to be able to block a user from logging in if he fails to give the right login/password three times in a row. The problem is that I don't know how to do this.
>
> Because it isn't really possible/practicable at all with HTTP.
>
> > First, I need to know if an attempt failed. This, I have no idea how to do.
> > Second, I need to block the user without deleting him. One problem here is that the user can write different login names for the different login attempts. We have been thinking about blocking the offender's IP for 30 minutes or so and leave it at that. It seems to me that SiteAccess.AccessRule could be used for that, but I haven't looked much into it yet. The documentation is extremely light.
>
> And if the offender uses a proxy where your true user is also coming from?
>
> > I have a very clean Zope 2.8.4 installation on a SuSE linux machine. Logins are handled in the standard Zope way, nothing special added. The Zope is running as a stand alone server, i.e. no Apache at all.
> > Another thing: How do I get Zope to log failed authentication attempts? Neither event.log or Z2.log shows anything. As Z2.log is the access log, I would have guessed that such things should be logged there. If not, where and how?
>
> You could "log" the Unauthorized - but this does not really help. You better use one of the pluggable auth folders (PAS, ExuserFolder etc.) and bend them to your needs - maybe with a small memory pool for the counter/queue of failed login attempts.

I think I have found a solution. I will try to subclass UserFolder and override the authenticate method. If a user is not "blocked" from failing three times in a row, the original method is called to do the actual authentication.

Thanks for the help.
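A stand-alone sketch of the two ideas this thread arrives at, Dennis Allison's delay after the third failure with a rule for clearing it, and the plan above to wrap the user folder's authenticate method, as an added example that is not from the list and not Zope code. It keys the counter on client address plus username so that Florent's objection (anyone can lock a victim out by name) and Tino's (a shared proxy hides the offender among real users) both cost the attacker more than a username-only or IP-only counter would. The `check` callback, the `attempt_login` wrapper and the parameter names are assumptions; in Zope the wrapper would live in the overridden authenticate method, which is not shown.

```python
"""Escalating delay for failed logins, keyed on (client address, account).

Added stand-alone example; not code from the thread or from Zope's
UserFolder. Assumes the caller sees each authentication result and the
client's remote address, and that check(username, password) is the
existing authentication step (in Zope, the original authenticate method).
"""
import time
from dataclasses import dataclass


@dataclass
class _Bucket:
    failures: int = 0          # consecutive failures for this key
    last_failure: float = 0.0  # clock reading of the latest failure


class LoginThrottle:
    """After `threshold` straight failures the next try must wait
    base_delay * 2**(failures - threshold) seconds, capped at max_delay.
    The counter is dropped on a successful login or reset_after seconds
    after the last failure. The (ip, username) key narrows both the
    lock-out-by-name DoS and the shared-proxy collateral damage, at the
    price of `threshold` free guesses per address for a distributed attacker.
    """

    def __init__(self, threshold=3, base_delay=2.0, max_delay=300.0,
                 reset_after=1800.0, max_entries=10000, clock=time.monotonic):
        self.threshold = threshold
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.reset_after = reset_after
        self.max_entries = max_entries  # bound memory; keys are attacker-chosen
        self.clock = clock
        self._buckets = {}

    @staticmethod
    def _key(ip, username):
        return (ip, username.strip().lower())

    def _live_bucket(self, key, now):
        """Bucket for key, or None; expired buckets are discarded here."""
        bucket = self._buckets.get(key)
        if bucket is not None and now - bucket.last_failure >= self.reset_after:
            del self._buckets[key]
            bucket = None
        return bucket

    def _make_room(self, now):
        """Evict expired, then oldest, entries so a new key fits."""
        if len(self._buckets) < self.max_entries:
            return
        for key in [k for k, b in self._buckets.items()
                    if now - b.last_failure >= self.reset_after]:
            del self._buckets[key]
        while len(self._buckets) >= self.max_entries:
            oldest = min(self._buckets, key=lambda k: self._buckets[k].last_failure)
            del self._buckets[oldest]

    def retry_after(self, ip, username):
        """Seconds the client must still wait; 0.0 means the attempt may proceed."""
        now = self.clock()
        bucket = self._live_bucket(self._key(ip, username), now)
        if bucket is None or bucket.failures < self.threshold:
            return 0.0
        delay = min(self.base_delay * 2 ** (bucket.failures - self.threshold),
                    self.max_delay)
        return max(0.0, bucket.last_failure + delay - now)

    def record_failure(self, ip, username):
        now = self.clock()
        key = self._key(ip, username)
        bucket = self._live_bucket(key, now)
        if bucket is None:
            self._make_room(now)
            bucket = self._buckets[key] = _Bucket()
        bucket.failures += 1
        bucket.last_failure = now

    def record_success(self, ip, username):
        self._buckets.pop(self._key(ip, username), None)

    def failures(self, ip, username):
        bucket = self._live_bucket(self._key(ip, username), self.clock())
        return 0 if bucket is None else bucket.failures


def attempt_login(throttle, ip, username, password, check):
    """Gate `check` with the throttle; returns (authenticated, retry_after).
    During a delay the credentials are not examined and the counter is not
    bumped, so a refused attacker learns nothing and a legitimate user who
    waits out the delay gets a normal attempt."""
    wait = throttle.retry_after(ip, username)
    if wait > 0:
        return False, wait
    if check(username, password):
        throttle.record_success(ip, username)
        return True, 0.0
    throttle.record_failure(ip, username)
    return False, throttle.retry_after(ip, username)
```

The counter lives in process memory, so it resets on restart and is not shared between ZEO clients; that is acceptable for a delay (the attacker gains only a few free guesses per restart) but would not be for a hard lock that is supposed to hold.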
Re: [Zope] css not working in rewrite
Kedar Dash schrieb:
> Dear All,
>
> I am using python 2.3.5, zope 2.8 and plone 2.1.
>
> After writing the following rewrite rule in apache (compiled from
> source 1.3) the site is opening.
>
>
> ServerAlias shakeelx.ekduniya.com

ServerName seems missing.

> RewriteEngine On
> RewriteRule ^/(.*) http://127.0.0.1:9673/VirtualHostBase/http/%{HTTP_HOST}:80/%{HTTP_HOST}/VirtualHostRoot/$1 [L,P]
> RewriteLog "/usr/local/apache/logs/rewrite.log"
> RewriteLogLevel 9
>
>
> The problem I am facing is it is not picking the css as a result
> of which the site is only opening with the text without any formatting.
>
> Looking for a solution.

Well, you are VHosting to zope root here. So there is no reason CSS would not work. Does it work when you access the site directly? How does the link look like when you view the source as seen by your browser?

HTH
Tino
[Zope] Zope Security
Hi

Just a quick query about Zope security etc. I've got an installation on a Windows server using Apache, which also hosts internal email/data etc. This is behind a router/firewall. Just wondering if there are any Zope security issues that I should be aware of? How secure is Zope?

Thanks

Michael

PS This is a re-send as it bounced the first time round.
[Zope] wrong directory in Control_Panel.Products.XXXX.home
A while ago I changed the directory of my zope instance. I also changed the zope directory (started with zope 2.8.1, now running 2.8.4).

Today I noticed that the CMFQuickInstaller failed to get the version and the readme of various products. It happens that CMFQuickInstaller uses Control_Panel.Products.getObj(id).home to determine the product's directory and then reads the version.txt file from there. However many products had the old directory name stored in home (like /usr/local/zope-2.8.1-final instead of /usr/local/zope-2.8.4-final, or the directory I used before changing the name).

Everything has been working fine (apart from the breakage of CMFQuickInstaller) but I wonder if this is the intended behavior and if there is a better way to update the information in Control_Panel (touching __init__.py in the offending products and restarting zope didn't help, I had to remove the products from the Control_Panel and restart zope).

Bye
--
Luca Olivetti
Wetron Automatización S.A. http://www.wetron.es/
Tel. +34 93 5883004 Fax +34 93 5883007
Re: [Zope] Multiple CookieCrumblers
On 1/11/06, David Hassalevris <[EMAIL PROTECTED]> wrote:
> Can you explain how you are using this?

I am not sure what "this" you are referring to. If you mean controlling the cache control http response, that is done by setting a property in the CookieCrumbler object.

> Does cookie crumbler's
> cache-control apply to *all* authenticated responses? If so, I didn't
> realize it was so sweeping (I admit i had assumed it applied to the
> authentication cookie).

That is my understanding of how it works in all current versions.

> Have you, for example, considered branching to different folders (one with
> all object caches set to no-cache) based on a user role?

I am not sure what you mean.

> Its an interesting idea, to cascade cookie crumblers - you might be able to
> fake the login_screen

My preliminary testing seems to indicate that this cascading does what I want -- unless there is some gotcha there. I suppose it is easy enough to test -- but I have to first get set up in the proxied environment with somebody that understands the particular proxy.
Re: [Zope] Multiple CookieCrumblers
On 1/12/06, Jens Vagelpohl <[EMAIL PROTECTED]> wrote:
> I don't know what you're talking about, the CookieCrumbler has
> *nothing* to do with caching at all. Are you confusing tools here?
> Could it be you're talking about the CachingPolicyManager?

AFAIK CookieCrumbler sets the http cache control header value of http responses that it handles. It has a property (at least in current versions) that lets you control what this header value is. My understanding is that the header is set to "private" by default.

> By the way, the CookieCrumbler doesn't "authenticate", either. It
> just makes cookie data look like regular basic auth headers so that a
> real user folder can use that data.

Yes.
[Zope] css not working in rewrite
Dear All,

I am using python 2.3.5, zope 2.8 and plone 2.1.

After writing the following rewrite rule in apache (compiled from source 1.3) the site is opening.

ServerAlias shakeelx.ekduniya.com
RewriteEngine On
RewriteRule ^/(.*) http://127.0.0.1:9673/VirtualHostBase/http/%{HTTP_HOST}:80/%{HTTP_HOST}/VirtualHostRoot/$1 [L,P]
RewriteLog "/usr/local/apache/logs/rewrite.log"
RewriteLogLevel 9

The problem I am facing is it is not picking the css as a result of which the site is only opening with the text without any formatting.

Looking for a solution.

regards,
Kedar
Re: [Zope] Multiple CookieCrumblers
On 12 Jan 2006, at 00:39, Brian Sullivan wrote:

> It will not do what you expect it to do. The first cookie crumbler to do authentication sets the cookie and even if other cookie crumblers get involved they will not just overwrite that cookie because the lifetime setting on their cookie is different.
>
> In some testing I found that the headers (at least the upstream cache setting which is what I was interested in) do seem to be different depending on the first CookieCrumbler to handle the content (I set one in a subdirectory to cache setting 'public' and the main system level one to 'private') - which would seem to imply that higher placed ones recognize the cache header setting and avoid changing it? This seemed to do what I want.
>
> If this isn't a strategy for doing what I want to do can anybody think of one?
>
> I have a site that is authenticated using CookieCrumbler. I have a whole bunch of static files/objects, some fairly large, isolated in a subfolder on the site. I want the static objects to be cached by upstream proxies, but all other parts of the site not cacheable.

I don't know what you're talking about, the CookieCrumbler has *nothing* to do with caching at all. Are you confusing tools here? Could it be you're talking about the CachingPolicyManager?

By the way, the CookieCrumbler doesn't "authenticate", either. It just makes cookie data look like regular basic auth headers so that a real user folder can use that data.

jens