[Zope] Re: Basic Authentication SSL Redirector

2006-06-23 Thread Josef Meile
>> After having started the thread about securing CookieCrumbler[1], I
>> figured out that it was better to secure Basic Authentication instead.
>> So, I just
>
> Which is actually identical :-) It's just a different HTTP header
> involved :-)

Yes, but you won't send your credentials in plain text as you do with
CookieCrumbler, will you?



>> created a new Product, called JMSSLBasicAuth[2], which is based on the
>> CookieCrumbler Traversal Hook. Instead of Cookie Authentication, I will
>> redirect insecure Basic Authentication requests to ssl.
>
> You remember to stay in ssl once you switched?

Let's say I remember that. Let's also say that the user manually turns
back to http; then an Unauthorized exception will be raised by Zope, so
he will be redirected again to ssl, where the HTTP header was already set.


I checked it with Live HTTP Headers in Firefox, and here the user
won't send his credentials while switching to http; what you will see is
this:


--
http://some_url/folder1

GET /folder1 HTTP/1.1
Host: some_ip
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

HTTP/1.x 302 Moved Temporarily
Date: Fri, 23 Jun 2006 12:02:34 GMT
Server: Zope/(Zope 2.7.8-final, python 2.3.5, linux2) ZServer/1.1
Bobo-Exception-Line: 313
Content-Length: 2686
Bobo-Exception-Value: See the server error log for details
Bobo-Exception-File: Expressions.py
Bobo-Exception-Type: Unauthorized
X-Zopeuser: Anonymous
Location: https://some_url/folder1/index_html
Content-Type: text/html
WWW-Authenticate: basic realm=Zope
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
--
https://some_url/folder1/index_html

GET /folder1/index_html HTTP/1.1
Host: some_ip
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Authorization: Basic YWRtaW46Zm9vcGFzcw==

HTTP/1.x 200 OK
Date: Fri, 23 Jun 2006 12:02:34 GMT
Server: Zope/(Zope 2.7.8-final, python 2.3.5, linux2) ZServer/1.1
Content-Length: 156
Content-Type: text/html
X-Zopeuser: admin
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
--

On the contrary, with CookieCrumbler you will see your credentials
encoded in base64, which can be easily decoded.




>> I have tested it and it seems to work. I'm planning to use it in
>> production websites, so, I would really appreciate if you could give me
>> some constructive feedback about the product (See reference [2]), ie:
>> what can I improve, change, or add?
>
> I'd think you could add the redirection support (which can indeed be
> useful and simplify configuration) in a way not disabling cookie-auth
> at the same time.
>
> (For example you cannot really log out with Basic Auth)

I think you can, or how is it done in the ZMI? If I'm not wrong, there
is something like a zmi_logout script, which raises an Unauthorized
exception; then you will see the popup window asking for your credentials.


Regards
Josef

___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce

http://mail.zope.org/mailman/listinfo/zope-dev )
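The round trip Josef describes (Unauthorized over http, 302 to https, credentials only on the https request) and the base64 decoding he mentions, as an added example in Python. This is not code from JMSSLBasicAuth, CookieCrumbler or Zope: the Request/Response classes, the protected() callback, the host name some_url and the credentials admin/foopass (the pair in his trace) are assumptions for the illustration. It also models the browser-side rule the thread relies on but does not spell out: browsers cache Basic credentials per protection space, i.e. per (scheme, host, realm) as in RFC 7617, which is why the http request in the trace carries no Authorization header. Zope's 302 pointed at the default view index_html; the model keeps the requested path.

```python
"""Model of the "redirect insecure Basic auth to https" idea from the thread,
plus the browser-side rule that makes it work.  Added illustration only:
not code from JMSSLBasicAuth, CookieCrumbler or Zope.  Request/Response,
protected(), the host name and the credentials are assumptions."""
import base64
import binascii
from dataclasses import dataclass, field


@dataclass
class Request:
    scheme: str            # "http" or "https"
    host: str
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def decode_basic(header_value):
    """(user, password) from an 'Authorization: Basic ...' value, else None.

    Basic auth is base64, not encryption: whoever sees the header on a
    plaintext connection recovers the password with exactly this function."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    user, sep, password = raw.decode("utf-8", errors="replace").partition(":")
    return (user, password) if sep else None


def ssl_basic_auth_hook(request, protected, realm="Zope"):
    """Server side, in the spirit of a traversal hook: bounce protected
    resources reached over http to https *before* any 401 is ever sent on
    the http origin, so the browser never gets a reason to cache or send a
    password for http://host."""
    if not protected(request.path):
        return Response(200)
    if request.scheme != "https":
        # If Authorization is already present here, the password has already
        # crossed the wire in clear; the redirect cannot undo that.  The hook
        # only helps because it fires before the first challenge on http.
        location = "https://%s%s" % (request.host, request.path)
        return Response(302, {"Location": location})
    creds = decode_basic(request.headers.get("Authorization", ""))
    if creds is None:
        return Response(401, {"WWW-Authenticate": 'Basic realm="%s"' % realm})
    return Response(200, {"X-Zopeuser": creds[0]})


class BrowserAuthCache:
    """Client side: browsers keep Basic credentials per protection space,
    (scheme, host, realm) per RFC 7617, so credentials learned on
    https://host are not replayed to http://host.  That is what the
    Live HTTP Headers trace in the thread shows."""

    def __init__(self):
        self._store = {}

    def remember(self, scheme, host, realm, user, password):
        token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
        self._store[(scheme, host, realm)] = "Basic " + token

    def header_for(self, scheme, host, realm):
        return self._store.get((scheme, host, realm))


def simulate(hook, cache, url, credentials, realm="Zope", hops=6):
    """Follow redirects and 401 prompts like a browser; return the list of
    (scheme, path, authorization_sent, status) observed on the wire."""
    trace = []
    for _hop in range(hops):
        scheme, _, rest = url.partition("://")
        host, _, path = rest.partition("/")
        path = "/" + path
        headers = {}
        auth = cache.header_for(scheme, host, realm)
        if auth:
            headers["Authorization"] = auth
        resp = hook(Request(scheme, host, path, headers))
        trace.append((scheme, path, "Authorization" in headers, resp.status))
        if resp.status == 302:
            url = resp.headers["Location"]
        elif resp.status == 401:
            # User types the password into the prompt; the browser caches it
            # for this (scheme, host, realm) only and retries the request.
            cache.remember(scheme, host, realm, *credentials)
        else:
            break
    return trace


def demo(host="some_url", credentials=("admin", "foopass")):
    """First visit over http, then the user manually types the http URL again."""
    hook = lambda req: ssl_basic_auth_hook(req, lambda p: p.startswith("/folder1"))
    cache = BrowserAuthCache()
    first = simulate(hook, cache, "http://%s/folder1" % host, credentials)
    second = simulate(hook, cache, "http://%s/folder1" % host, credentials)
    return first, second
```

demo() returns the two wire traces; in both, every request with scheme http goes out without Authorization, and the password only appears on the https leg, matching the capture above. The caveat in the hook is the one to keep in mind when deploying such a redirector: it protects credentials only if no 401 was ever answered on the http origin before the hook was installed.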


Re: [Zope] Re: Basic Authentication SSL Redirector

2006-06-23 Thread Tino Wildenhain

Josef Meile wrote:
>>> After having started the thread about securing CookieCrumbler[1], I
>>> figured out that it was better to secure Basic Authentication instead.
>>> So, I just
>>
>> Which is actually identical :-) It's just a different HTTP header
>> involved :-)
>
> Yes, but you won't send your credentials in plain text as you do with
> CookieCrumbler, will you?

Well, it's more or less exactly the same as with BasicAuth :-)
(base64 plaintext vs. plaintext in html forms does not really matter)

>>> created a new Product, called JMSSLBasicAuth[2], which is based on the
>>> CookieCrumbler Traversal Hook. Instead of Cookie Authentication, I will
>>> redirect insecure Basic Authentication requests to ssl.
>>
>> You remember to stay in ssl once you switched?
>
> Let's say I remember that. Let's also say that the user manually turns
> back to http; then an Unauthorized exception will be raised by Zope, so
> he will be redirected again to ssl, where the HTTP header was already set.
>
> I checked it with Live HTTP Headers in Firefox, and here the user
> won't send his credentials while switching to http; what you will see is
> this:
>
> --
> http://some_url/folder1
>
> GET /folder1 HTTP/1.1
> Host: some_ip
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4
> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
>
> HTTP/1.x 302 Moved Temporarily
> Date: Fri, 23 Jun 2006 12:02:34 GMT
> Server: Zope/(Zope 2.7.8-final, python 2.3.5, linux2) ZServer/1.1
> Bobo-Exception-Line: 313
> Content-Length: 2686
> Bobo-Exception-Value: See the server error log for details
> Bobo-Exception-File: Expressions.py
> Bobo-Exception-Type: Unauthorized
> X-Zopeuser: Anonymous
> Location: https://some_url/folder1/index_html
> Content-Type: text/html
> WWW-Authenticate: basic realm=Zope
> Keep-Alive: timeout=5, max=100
> Connection: Keep-Alive
> --
> https://some_url/folder1/index_html
>
> GET /folder1/index_html HTTP/1.1
> Host: some_ip
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4
> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Authorization: Basic YWRtaW46Zm9vcGFzcw==
>
> HTTP/1.x 200 OK
> Date: Fri, 23 Jun 2006 12:02:34 GMT
> Server: Zope/(Zope 2.7.8-final, python 2.3.5, linux2) ZServer/1.1
> Content-Length: 156
> Content-Type: text/html
> X-Zopeuser: admin
> Keep-Alive: timeout=5, max=100
> Connection: Keep-Alive
> --

nice password btw ;)

Regards
Tino


[Zope] Re: Basic Authentication SSL Redirector

2006-06-23 Thread Josef Meile
>> Yes, but you won't send your credentials in plain text as you do with
>> CookieCrumbler, will you?
>
> Well, it's more or less exactly the same as with BasicAuth :-)
> (base64 plaintext vs. plaintext in html forms does not really matter)

Yes, but if you set only the authentication header in https and manually
come back to http, then will you send your password in plain text?

>> --
>> https://some_url/folder1/index_html
>>
>> GET /folder1/index_html HTTP/1.1
>> Host: some_ip
>> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4
>> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
>> Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
>> Accept-Encoding: gzip,deflate
>> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>> Keep-Alive: 300
>> Connection: keep-alive
>> Authorization: Basic YWRtaW46Zm9vcGFzcw==
>>
>> HTTP/1.x 200 OK
>> Date: Fri, 23 Jun 2006 12:02:34 GMT
>> Server: Zope/(Zope 2.7.8-final, python 2.3.5, linux2) ZServer/1.1
>> Content-Length: 156
>> Content-Type: text/html
>> X-Zopeuser: admin
>> Keep-Alive: timeout=5, max=100
>> Connection: Keep-Alive
>> --
>
> nice password btw ;)

Yes, a test password of course ;-). Will this be sent encrypted?



Re: [Zope] Re: Basic Authentication SSL Redirector

2006-06-23 Thread Tino Wildenhain

Josef Meile wrote:
>>> Yes, but you won't send your credentials in plain text as you do with
>>> CookieCrumbler, will you?
>>
>> Well, it's more or less exactly the same as with BasicAuth :-)
>> (base64 plaintext vs. plaintext in html forms does not really matter)
>
> Yes, but if you set only the authentication header in https and manually
> come back to http, then will you send your password in plain text?

No you don't. Cookies have a setting for that.

Regards
Tino
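The cookie "setting" Tino refers to is, as far as the thread goes, the Secure attribute: a browser sends a cookie carrying it only over https. The following is an added example in Python, not CookieCrumbler's code, showing the weak Set-Cookie beside the hardened one and a minimal model of the browser rule; the cookie name __ac, the constructed token value and the HttpOnly attribute (added here beyond what the thread mentions) are assumptions.

```python
"""Secure-flag model for the cookie question in the thread.  Added
illustration, not CookieCrumbler's code; the cookie name, the token value
and HttpOnly are assumptions for the example."""
from http.cookies import SimpleCookie


def set_cookie_header(name, value, secure=True, http_only=True, path="/"):
    """Set-Cookie value as the server would emit it.  secure=False gives
    the weak form: the browser will send the cookie over plain http too."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = path
    if secure:
        jar[name]["secure"] = True
    if http_only:
        jar[name]["httponly"] = True
    return jar[name].OutputString()


class BrowserCookieJar:
    """Minimal model of the browser rule for the Secure attribute."""

    def __init__(self):
        self._cookies = {}   # name -> (value, secure_flag)

    def store(self, set_cookie_value):
        parsed = SimpleCookie()
        parsed.load(set_cookie_value)
        for name, morsel in parsed.items():
            # morsel["secure"] is True when the attribute was present, "" otherwise
            self._cookies[name] = (morsel.value, bool(morsel["secure"]))

    def cookie_header(self, scheme):
        """The Cookie header the browser would attach to a request using
        this scheme, or None if no stored cookie is eligible."""
        eligible = ["%s=%s" % (name, value)
                    for name, (value, secure) in self._cookies.items()
                    if scheme == "https" or not secure]
        return "; ".join(eligible) or None


def demo(token="a7f3c9d2e1"):
    """Weak vs. hardened Set-Cookie, then what the browser replays over
    https and over http after the user manually returns to http.
    The token value is a constructed sample."""
    variants = {
        "weak": set_cookie_header("__ac", token, secure=False, http_only=False),
        "hardened": set_cookie_header("__ac", token),
    }
    results = {}
    for label, header in variants.items():
        jar = BrowserCookieJar()
        jar.store(header)
        results[label] = {"https": jar.cookie_header("https"),
                          "http": jar.cookie_header("http")}
    return results
```

demo() returns, for the weak cookie, the same Cookie header on both schemes, and for the hardened one the header over https and None over http. The attribute only governs replay of the cookie once it exists; the login form itself (Tino's "plaintext in html forms") still has to be served and posted over https, which is what a redirect like the one Josef built is for.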