Re: [Zope] Zope/Plone logon security strategy etc
michael nt milne wrote at 2006-2-28 15:51:
> I'm probably missing something really obvious but am wondering how you
> actually implement your product on a live plone site. I've got it
> installed. Do you just customise the login form that comes with the
> product and use that on the site?

I fear you do not understand the essence of HTTP authentication:

For any kind of HTTP authentication (whether basic or digest), it is the
browser which gathers the login information. Therefore, you do not have a
login form (which you could customize on the server). Instead, the browser
uses its login dialog (which you might customize, if you are using e.g.
Mozilla or Firefox, but which is usually out of the server's reach).

As written in the documentation on my website, DigestAuth currently only
contains a DigestAuthCrumbler which works similarly to the CookieCrumbler.
More precisely: it takes digest auth information, verifies it and (if
successful) presents it like basic auth information to the remaining parts
of Zope. The CookieCrumbler works very similarly: it takes the information
from a cookie and presents it like basic auth information to the remaining
parts of Zope.

The DigestAuthCrumbler is a bit less transparent. It *MUST* know the user's
password in order to verify the validity of the presented auth information
(more precisely, a special hash would be sufficient, but usual user folders
do not support such hashes). Therefore, it can only be used together with
UserFolders providing access to the clear text password.

-- 
Dieter

___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )
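The "special hash" Dieter refers to is HA1 = MD5(username:realm:password) from RFC 2617: a user folder that stored HA1 instead of the clear-text password would let a DigestAuthCrumbler verify requests without ever holding the password itself. The following is an added example, not code from the DigestAuth product or from Zope. It implements both sides of a qop=auth Digest exchange in Python so the claim can be checked: the same Authorization header verifies against a clear-text password store (what an ordinary UserFolder offers) and against a store that holds only HA1, and the header never contains the password. The realm name "Zope", the nonce format, the user names and the user stores are assumptions made for the demo.

```python
"""Added example, not part of the DigestAuth product or of Zope: both sides of
an HTTP Digest exchange (RFC 2617, qop=auth), with a server that verifies
against either a clear-text password store or a store of HA1 hashes.
Realm name, nonce format and user store are assumptions made for the demo."""
import hashlib
import hmac
import os
import re
import time

REALM = "Zope"                 # assumed realm name
NONCE_SECRET = os.urandom(16)  # assumed per-process server secret for nonce MACs
NONCE_TTL = 300                # seconds a nonce stays acceptable (assumption)
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1_for(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password): the only secret the server needs."""
    return md5hex(f"{user}:{realm}:{password}")


def make_nonce(now=None) -> str:
    """Server-issued nonce: timestamp plus a MAC, so the server can reject
    nonces it did not issue without keeping per-nonce state."""
    ts = str(int(time.time() if now is None else now))
    mac = hmac.new(NONCE_SECRET, ts.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{ts}-{mac}"


def nonce_is_valid(nonce: str, now=None) -> bool:
    ts, _, mac = nonce.partition("-")
    if not ts.isdigit():
        return False
    good = hmac.new(NONCE_SECRET, ts.encode(), hashlib.sha256).hexdigest()[:16]
    if not hmac.compare_digest(good, mac):
        return False
    age = (time.time() if now is None else now) - int(ts)
    return 0 <= age <= NONCE_TTL


# ---- browser side: what the login dialog computes -------------------------
def client_response(user, password, realm, method, uri, nonce, nc, cnonce) -> str:
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1_for(user, realm, password)}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def build_authorization(user, password, realm, method, uri, nonce,
                        nc="00000001", cnonce=None) -> str:
    """Authorization header a browser would send; the password is not in it."""
    cnonce = cnonce or os.urandom(8).hex()
    resp = client_response(user, password, realm, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


# ---- server side: what a DigestAuthCrumbler-like verifier does ------------
def parse_authorization(header: str):
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        return None
    return {name: quoted or bare for name, quoted, bare in _PARAM.findall(params)}


def verify(header: str, method: str, lookup_ha1, realm: str = REALM, now=None) -> bool:
    """lookup_ha1(user) -> HA1 or None. A clear-text password folder supplies
    it via ha1_for(); a folder storing HA1 directly supplies it as is."""
    p = parse_authorization(header)
    if p is None:
        return False
    needed = ("username", "realm", "nonce", "uri", "qop", "nc", "cnonce", "response")
    if any(k not in p for k in needed):
        return False
    if p["realm"] != realm or p["qop"] != "auth" or not nonce_is_valid(p["nonce"], now):
        return False
    ha1 = lookup_ha1(p["username"])
    if ha1 is None:
        return False
    ha2 = md5hex(f"{method}:{p['uri']}")
    expected = md5hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:auth:{ha2}")
    return hmac.compare_digest(expected, p["response"])


def demo():
    """Constructed users: one request verified two ways, plus two rejections."""
    clear_text = {"alice": "s3cret"}                          # UserFolder-style store
    ha1_only = {"alice": ha1_for("alice", REALM, "s3cret")}   # the 'special hash' store
    nonce = make_nonce()
    hdr = build_authorization("alice", "s3cret", REALM, "GET", "/manage", nonce)
    by_password = verify(hdr, "GET", lambda u: ha1_for(u, REALM, clear_text[u]) if u in clear_text else None)
    by_ha1 = verify(hdr, "GET", ha1_only.get)
    wrong_method = verify(hdr, "POST", ha1_only.get)          # method is bound into HA2
    stale = verify(hdr, "GET", ha1_only.get, now=time.time() + NONCE_TTL + 1)
    return by_password, by_ha1, wrong_method, stale, "s3cret" in hdr
```

demo() returns (True, True, False, False, False): both stores accept the header, a replay against another method or after the nonce expires is rejected, and the password string never appears on the wire. Note that HA1 is itself a password-equivalent for this realm, so a folder storing it must protect it as it would the password; what it buys is that the server-side store need not be reversible to the clear text.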
Re: [Zope] Zope/Plone logon security strategy etc
Hi Dieter

I've installed DigestAuth. Just wondering if there are any set-up instructions at all?

Thanks

Michael

On 1/26/06, Dieter Maurer [EMAIL PROTECTED] wrote:
> michael nt milne wrote at 2006-1-25 18:55:
> > Yeah I know the security aspects are good once you are in, however
> > when you login it's possible for someone to grab your logon name and
> > pass as it goes over the internet, as there's no encryption at all.
> > Then obviously login themselves and compromise your sites.
>
> You might be interested in my DigestAuth product.
> It provides HTTP DigestAuthentication for Zope.
>
> Of course, HTTP authentication gives you less freedom than other forms of
> authentication (as the browser does the login).
> These other forms can be made safer by the use of https.
>
> --
> Dieter

--
Michael
Re: [Zope] Zope/Plone logon security strategy etc
PS I won't be using this with SSL obviously. Good to use it to secure login areas where the other content doesn't require SSL.

On 2/15/06, michael nt milne [EMAIL PROTECTED] wrote:
> Hi Dieter
>
> I've installed DigestAuth. Just wondering if there are any set-up instructions at all?
>
> Thanks
>
> Michael
>
> On 1/26/06, Dieter Maurer [EMAIL PROTECTED] wrote:
> > michael nt milne wrote at 2006-1-25 18:55:
> > > Yeah I know the security aspects are good once you are in, however
> > > when you login it's possible for someone to grab your logon name and
> > > pass as it goes over the internet, as there's no encryption at all.
> > > Then obviously login themselves and compromise your sites.
> >
> > You might be interested in my DigestAuth product.
> > It provides HTTP DigestAuthentication for Zope.
> >
> > Of course, HTTP authentication gives you less freedom than other forms of
> > authentication (as the browser does the login).
> > These other forms can be made safer by the use of https.
> >
> > --
> > Dieter
>
> --
> Michael

--
Michael
Re: [Zope] Zope/Plone logon security strategy etc
michael nt milne wrote at 2006-1-25 18:55:
> Yeah I know the security aspects are good once you are in, however
> when you login it's possible for someone to grab your logon name and
> pass as it goes over the internet, as there's no encryption at all.
> Then obviously login themselves and compromise your sites.

You might be interested in my DigestAuth product.
It provides HTTP DigestAuthentication for Zope.

Of course, HTTP authentication gives you less freedom than other forms of
authentication (as the browser does the login).
These other forms can be made safer by the use of https.

-- 
Dieter
[Zope] Zope/Plone logon security strategy etc
Just a quick question about Zope/Plone logins and security etc.

When I go to www.domain.com:8080/manage I get a login box which seems to function in exactly the same way as the www.domain.com:8080/login_form page. My question is, what was the rationale for implementing this logon strategy in Zope, as it obviously acts as authentication and authorisation but falls down on confidentiality and data integrity? Also would there be any plans at all in the future to make this logon process authenticate, be confidential and have integrity? I know that you can do it in Apache etc but for most people that's probably quite a big step. Most people probably reckon that the appearance of the logon box makes their site secure. I'm only talking about the logon areas here, etc.

Thanks

Michael
Re: [Zope] Zope/Plone logon security strategy etc
michael nt milne wrote:
> Just a quick question about Zope/Plone logins and security etc.
>
> When I go to www.domain.com:8080/manage I get a login box which seems to
> function in exactly the same way as the www.domain.com:8080/login_form
> page. My question is, what was the rationale for implementing this logon
> strategy in Zope, as it obviously acts as authentication and
> authorisation but falls down on confidentiality and data integrity? Also
> would there be any plans at all in the future to make this logon process
> authenticate, be confidential and have integrity? I know that you can do
> it in Apache etc but for most people that's probably quite a big step.
> Most people probably reckon that the appearance of the logon box makes
> their site secure. I'm only talking about the logon areas here, etc.

I wonder what you mean. Could you outline a way how you believe it should
work? What are your concerns about security exactly?

With Zope you have security down to individual object attributes. Each time
you access an attribute and don't have sufficient rights, you are presented
with some way to login (the exact appearance however depends on the
userfolder you use).

So how do you think it should work instead and what are the improvements
you see as well as the drawbacks?

Regards
Tino Wildenhain
Re: [Zope] Zope/Plone logon security strategy etc
On 25 Jan 2006, at 17:17, michael nt milne wrote:
> Just a quick question about Zope/Plone logins and security etc.
>
> When I go to www.domain.com:8080/manage I get a login box which seems to
> function in exactly the same way as the www.domain.com:8080/login_form
> page. My question is, what was the rationale for implementing this logon
> strategy in Zope, as it obviously acts as authentication and
> authorisation but falls down on confidentiality and data integrity? Also
> would there be any plans at all in the future to make this logon process
> authenticate, be confidential and have integrity? I know that you can do
> it in Apache etc but for most people that's probably quite a big step.
> Most people probably reckon that the appearance of the logon box makes
> their site secure. I'm only talking about the logon areas here, etc.

This login page is not a Zope login page, it is a Plone/CMF login page. It
does not reflect any architectural decisions on the Zope side.

jens
Re: [Zope] Zope/Plone logon security strategy etc
Hi

Yeah I know the security aspects are good once you are in, however when you
login it's possible for someone to grab your logon name and pass as it goes
over the internet, as there's no encryption at all. Then obviously login
themselves and compromise your sites.

Just slightly concerned about this as I plan to have a few sites set-up on
one server, with client logins and have to advise on security. I know that
Apache SSL can help but it's a tricky extra step and I only need to secure
the login areas at the moment, not encrypt a whole site.

Thanks

Michael

On 1/25/06, Jens Vagelpohl [EMAIL PROTECTED] wrote:
> On 25 Jan 2006, at 17:17, michael nt milne wrote:
> > Just a quick question about Zope/Plone logins and security etc.
> >
> > When I go to www.domain.com:8080/manage I get a login box which seems to
> > function in exactly the same way as the www.domain.com:8080/login_form
> > page. My question is, what was the rationale for implementing this logon
> > strategy in Zope, as it obviously acts as authentication and
> > authorisation but falls down on confidentiality and data integrity? Also
> > would there be any plans at all in the future to make this logon process
> > authenticate, be confidential and have integrity? I know that you can do
> > it in Apache etc but for most people that's probably quite a big step.
> > Most people probably reckon that the appearance of the logon box makes
> > their site secure. I'm only talking about the logon areas here, etc.
>
> This login page is not a Zope login page, it is a Plone/CMF login page. It
> does not reflect any architectural decisions on the Zope side.
>
> jens
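To make the concern above concrete, here is an added example (not code from the thread, from Zope, or from CMF's CookieCrumbler) that plays the passive observer on an unencrypted HTTP connection. It parses three constructed requests and reports what credential material each mechanism exposes: a basic-auth request to /manage, a CookieCrumbler-style form login followed by a request carrying the resulting cookie, and a Digest request. The request paths, the login target /logged_in and the __ac cookie layout (URL-quoted base64 of name:password, which is how the classic CookieCrumbler sets it as far as I know) are assumptions for the demo; the "captures" are built from known plaintext rather than taken from a real site.

```python
"""Added example, not code from the thread, from Zope or from CMF's
CookieCrumbler: a passive observer's view of three login mechanisms over
plain HTTP. The requests are constructed below; paths, the login target and
the __ac cookie layout (URL-quoted base64 of name:password) are assumptions."""
import base64
import re
from urllib.parse import parse_qs, quote, unquote


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def credentials_on_the_wire(raw: str):
    """Return (mechanism, username, password) as an eavesdropper would see
    them; password is None when the request does not carry it."""
    method, _path, headers, body = parse_request(raw)
    auth = headers.get("authorization", "")
    scheme = auth.split(" ", 1)[0].lower()
    if scheme == "basic":
        # Basic is base64, not encryption: the password is right there.
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        return ("basic", user, pw)
    if scheme == "digest":
        # Digest carries the username and MD5 responses, never the password.
        m = re.search(r'username="([^"]*)"', auth)
        return ("digest", m.group(1) if m else None, None)
    if method == "POST":
        # CookieCrumbler-style login form: __ac_name / __ac_password fields.
        form = parse_qs(body)
        if "__ac_name" in form and "__ac_password" in form:
            return ("cookie-login-form", form["__ac_name"][0], form["__ac_password"][0])
    m = re.search(r"(?:^|;\s*)__ac=([^;]+)", headers.get("cookie", ""))
    if m:
        # The __ac cookie sent on every later request is quoted base64 of name:password.
        user, _, pw = base64.b64decode(unquote(m.group(1))).decode().partition(":")
        return ("cookie", user, pw)
    return ("none", None, None)


# ---- constructed captures (built from known plaintext so the demo is honest) ----
HOST = "www.domain.com:8080"  # host from the thread; any value works


def basic_request(user, pw):
    token = base64.b64encode(f"{user}:{pw}".encode()).decode()
    return f"GET /manage HTTP/1.1\r\nHost: {HOST}\r\nAuthorization: Basic {token}\r\n\r\n"


def form_login_request(user, pw):
    body = f"__ac_name={quote(user)}&__ac_password={quote(pw)}&submit=Login"
    return (f"POST /logged_in HTTP/1.1\r\nHost: {HOST}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


def cookie_request(user, pw):
    token = quote(base64.b64encode(f"{user}:{pw}".encode()).decode())
    return f"GET /folder_contents HTTP/1.1\r\nHost: {HOST}\r\nCookie: __ac={token}\r\n\r\n"


DIGEST_REQUEST = (
    f"GET /manage HTTP/1.1\r\nHost: {HOST}\r\n"
    'Authorization: Digest username="michael", realm="Zope", nonce="c0ffee", '
    'uri="/manage", qop=auth, nc=00000001, cnonce="0a1b2c3d", '
    'response="0123456789abcdef0123456789abcdef"\r\n\r\n'
)


def demo():
    captures = [basic_request("michael", "hunter2"),
                form_login_request("michael", "hunter2"),
                cookie_request("michael", "hunter2"),
                DIGEST_REQUEST]
    return [credentials_on_the_wire(c) for c in captures]


if __name__ == "__main__":
    for mech, user, pw in demo():
        print(f"{mech:18} user={user!r:12} password={pw!r}")
```

Basic auth, the login form POST and the cookie all hand the password to anyone on the path; the Digest header exposes only the username and a response hash. That hash is still an offline guessing target (anyone with the capture can try candidate passwords against it), so Digest removes the trivial capture but does not replace https for weak passwords, and none of the three gives the page content itself any confidentiality or integrity, which was the other half of the original question.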
Re: [Zope] Zope/Plone logon security strategy etc
On 25 Jan 2006, at 18:55, michael nt milne wrote:
> Hi
>
> Yeah I know the security aspects are good once you are in, however when
> you login it's possible for someone to grab your logon name and pass as
> it goes over the internet, as there's no encryption at all. Then
> obviously login themselves and compromise your sites.
>
> Just slightly concerned about this as I plan to have a few sites set-up
> on one server, with client logins and have to advise on security. I know
> that Apache SSL can help but it's a tricky extra step and I only need to
> secure the login areas at the moment, not encrypt a whole site.

You should read up on HTTP authentication and cookie authentication, I
sense some severe knowledge gaps there...

jens