Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-14 Thread Chris Withers
michael nt milne wrote: Yes, I do realise that it's hard. Regarding the cookie comment that was the reason I wanted to use Apache location based login. Huh? I'm sure some people would love to know how those two things relate in your head... I do realise that leaving a logon cookie is

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-14 Thread Chris Withers
Dario Lopez-Kästen wrote: Nevertheless, it is not simple to implement proper security with cookie-based logins. I had to make my own hacked version of SimpleUserFolder with sessioning on the zeo server to get it secure enough (it is actually a trade off from what I would have liked to have

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-14 Thread Igor Stroh
michael nt milne wrote: Yes, I do realise that it's hard. Regarding the cookie comment that was the reason I wanted to use Apache location based login. I do realise that leaving a logon cookie is insecure and that comment was perhaps misguided. I started to think about usability etc. I'm

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-14 Thread michael nt milne
Yes, I do realise that it's hard. Regarding the cookie comment that was the reason I wanted to use Apache location based login. Huh? I'm sure some people would love to know how those two things relate in your head... I wanted to use an Apache served login box before the Zope/Plone site is served

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-14 Thread Dario Lopez-Kästen
michael nt milne said the following on 2006-02-14 12:30: As for the issue with IE6 and editing pages over SSL it all works fine in Firefox 1.5, so it's a browser issue which I just can't quite fathom just now. I doubt it, my guess would still be that you're doing something wrong

[Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-14 Thread Dario Lopez-Kästen
Alexander Limi said the following on 2006-02-14 14:05: On Tue, 14 Feb 2006 04:59:07 -0800, Dario Lopez-Kästen [EMAIL PROTECTED] wrote: *HOWEVER*, IIRC, plone, especially on windows (if installed with the windows installer) uses a trick, which is not documented at all, as far as I know,

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-14 Thread michael nt milne
I am sure you know this, but since we have learned very little (or at least I have - maybe I am not paying attention well enough :-): Have you modified that rule to take advantage of the SSL -server? Perhaps the SiteAccess rule is triggering and trying to redirect you to an address/port where there

[Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-14 Thread Florent Guillaume
Michael Vartanyan wrote: In the very beginning of my Zope career, I once shot myself in the foot with a very stupid thing... I kept it to myself then but if we are talking about Zope security settings and usability of the ZMI at the same time, perhaps it is an ideal place to raise this issue.

[Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-14 Thread Michael Vartanyan
I agree. A little bit of a problem is that both Zope 2 Book and the ZMI do not seem to agree. I guess was/is not the practice that Zope 2 developers endorsed/followed. But Zope2 is beyond help (C) Chris M., (taken out of context by me :-)) Florent Guillaume wrote: Michael Vartanyan

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-14 Thread Chris Withers
michael nt milne wrote: cookie based. Now going with Zope/Plone auth over SSL alone with cookies set to expire. I hope you're making sure the secure bit is set on those cookies ;-) My aim is security with a good level of usability and I'll achieve that :-) Considering you can't even quote

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-13 Thread Dario Lopez-Kästen
Chris Withers said the following on 2006-02-12 15:27: Given your earlier paranoia about security uh, us security nerds^H^H^H^H^H^H folks-who-have-an-strong-interest-in-security, actually prefer to call it eagerness. Paranoia has such negative timbre, don't you think? :-) Nevertheless, it

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-12 Thread michael nt milne
Thanks It's worth bearing in mind that those credentials are passed over the wire with every page, so you need your sessions to /stay/ in SSL mode once authenticated. Yes, I've got the whole site going over SSL and the :8080 port re-directing to SSL. However on my main server where I have other sites

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-12 Thread Chris Withers
michael nt milne wrote: Yes I think I like the HTML login page way to authenticate. It feels more usable. And I don't think I'll use an Apache login box at all. Most users will find it hard remembering one password and with cookie authentication over SSL you can go straight into the site.

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-12 Thread Chris Withers
michael nt milne wrote: Yes, I've got the whole site going over SSL and the :8080 port re-directing to SSL. Anything not over SSL should be blocked, not redirected, given your earlier paranoia... However on my main server where I have other sites I was thinking about implementing SSL for

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-12 Thread michael nt milne
Yes, I do realise that it's hard. Regarding the cookie comment that was the reason I wanted to use Apache location based login. I do realise that leaving a logon cookie is insecure and that comment was perhaps misguided. I started to think about usability etc. I'm going to block 8080 at the

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-11 Thread Philip Kilner
Hi, J Cameron Cooper wrote: Also, as I recall, there was a private plone site howto on plone.org; dunno what happened to it. It's still there, still works - and is very likely what Michael wants. -- Regards, PhilK Email: [EMAIL PROTECTED] PGP Public key: http://www.xfr.co.uk Voicemail

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-11 Thread Philip Kilner
Hi Again, Re. Private Plone Site Howto Philip Kilner wrote: It's still there, still works - and is very likely what Michael wants. I'm an idiot - should have checked, knowing that there was a documentation sprint last weekend. It was at: -

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-11 Thread Philip Kilner
Hi Michael, michael nt milne wrote: Yes I found that as well but picked it up from the Google cache. Strange that it is available there as it's password protected. Possibly it was public before? Yes, it was public before. Have you tried this, and does it solve your problems? JCC is spot

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-11 Thread michael nt milne
Hi Phil I've implemented what's outlined in the make private site documentation and it works fine on Plone 2.1.1. No content is available apart from the site-map page (doesn't list content) and the contact form but I can figure that out separately. Yes I think I like the HTML login page way to

[Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-11 Thread George Lee
michael nt milne [EMAIL PROTECTED] writes: Hi I have major problems here trying to set-up authentication over a whole Plone site using Zope. I'm not going to get involved in the large Zope security discussion but I will post an additional something to plone-users in reply to the more narrow

[Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-11 Thread George Lee
Scratch that, looking more closely at the thread it looks like you followed the make site private documentation and it worked. Peace, George

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-11 Thread Philip Kilner
Hi Michael, michael nt milne wrote: I've implemented what's outlined in the make private site documentation and it works fine on Plone 2.1.1. No content is available apart from the site-map page (doesn't list content) and the contact form but I can figure that out separately. Since

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-10 Thread michael nt milne
Well I said it was over and out but I have to respond to this latest post. I appreciate the help here and will be trying out some of the suggestions. Basically though, Zope permissions and security could be made a lot more usable. It's far too technically focused and this is the opinion of a few

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-10 Thread Chris Withers
michael nt milne wrote: Well I said it was over and out but I have to respond to this latest post. You liar! Basically though, Zope permissions and security could be made a lot more usable. Cool, we look forward to your documented proposal to dev.zope.org including implemented code on a

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-10 Thread Paul Winkler
Can we all stop with the public name-calling and personal insults? It's embarrassing. -- Paul Winkler http://www.slinkp.com

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-10 Thread michael nt milne
You liar! I couldn't resist :-) You seem so entertained. Bit of sport and all that. I've spoken to many people on various lists and can confirm the feeling about usability on the ZMI etc. You call them 'halfwits'. That puts you on rather high ground and this attitude is obviously part of the

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-10 Thread michael nt milne
I agree. I didn't start it and I find it un-professional. I came here with a genuine issue, have received some help which I thank people for and have made some legitimate points. I find the Zope and Plone lists are generally very good and am not interested in slanging matches. Thanks Michael On

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-10 Thread Lennart Regebro
On 2/10/06, michael nt milne [EMAIL PROTECTED] wrote: I've spoken to many people on various lists and can confirm the feeling about usability on the ZMI etc. You call them 'halfwits'. That puts you on rather high ground and this attitude is obviously part of the problem. 1. By complaining

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-10 Thread Floyd May
On 2/10/06, michael nt milne [EMAIL PROTECTED] wrote: I agree. I didn't start it and I find it un-professional. I came here with a genuine issue, have received some help which I thank people for and have made some legitimate points. I find the Zope and Plone lists are generally very good and

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-10 Thread michael nt milne
I take the point that I approached this issue from the wrong standpoint and apologise for that. This was perhaps born out of a little frustration. I was never rude though. Also I feel that Plone has usability which sits above its prettiness. It is a well designed interface graphically but also

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-10 Thread michael nt milne
Yes I've apologised for the initial tone which was the wrong way to begin and yes I agree I should have routed out more documentation. I've read Andy Mackay, Plone Live, printed out screeds of how tos, chapters of the Zope book, installed Zope on my Unix server etc so I do have a reasonable, if

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-10 Thread Philip Kilner
Hi Michael, michael nt milne wrote: Also I feel that Plone has usability which sits above its prettiness. It is a well designed interface graphically but also has very strong non graphical usability elements. You are correct - but you are not comparing like with like, as Plone is an

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-10 Thread J Cameron Cooper
michael nt milne wrote: Well I said it was over and out but I have to respond to this latest post. I appreciate the help here and will be trying out some of the suggestions. Basically though, Zope permissions and security could be made a lot more usable. It's far too technically focused and

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-10 Thread Michael Vartanyan
In the very beginning of my Zope career, I once shot myself in the foot with a very stupid thing... I kept it to myself then but if we are talking about Zope security settings and usability of the ZMI at the same time, perhaps it is an ideal place to raise this issue. If you use the famous

[Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-09 Thread Norbert Marrale
Chris Withers wrote: michael nt milne wrote: Over and out on this one from me You promise? ;-) Chris I think Tino made the key suggestion earlier on: log out of the ZMI, close your browser, restart it, clear the cache, clear any saved passwords, try to view the page in question and - if