Re: AW: [Zope-dev] Re: [Zope3-Users] How do I automatically login a user]
I have made many changes to the first version of this proposal and submitted
a new version to the wiki.

http://wiki.zope.org/zope3/SessionCredentialsAPIEnhancements

I have checked in an example implementation to the Zope SVN repository. The
code is at:

svn://svn.zope.org/repos/main/Sandbox/kevingill2/zope.app.authentication

Or via browser:

http://svn.zope.org/Sandbox/kevingill2/zope.app.authentication/

I would appreciate any feedback on either the proposal or the implementation.

Thanks
Kevin

___
Zope-Dev maillist - Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )
AW: AW: [Zope-dev] Re: [Zope3-Users] How do I automatically login a user]
Hi Kevin

> Betreff: Re: AW: [Zope-dev] Re: [Zope3-Users] How do I
> automatically login a user]
>
> I have completed a first draft of an implementation of a
> proposal for changes to the SessionCredentials Access
> code (zope.app.authentication).
>
> http://wiki.zope.org/zope3/SessionCredentialsAPIEnhancements

Thanks a lot for picking up that work. Looks very promising.

One important part would be to prevent write access on each request. But
you noticed that already on your wiki page.

Regards
Roger Ineichen
Re: AW: [Zope-dev] Re: [Zope3-Users] How do I automatically login a user]
I have completed a first draft of an implementation of a proposal for
changes to the SessionCredentials Access code (zope.app.authentication).

http://wiki.zope.org/zope3/SessionCredentialsAPIEnhancements

I want to put them somewhere so that they can be discussed. I think that
svn.zope.org/Sandbox is the appropriate place. Can I get committer access to
the subversion repository to make changes to this area? [According to the
FAQ, I ask for committer access on this list.] Alternatively, is there
another location where proposed changes to the core are generally posted?

Thanks
Kevin

> On Apr 9, 2008, at 5:07 AM, kevin gill wrote:
>> 1. IP Extraction
>>
>> Extract the IP Address from the credentials and store it. Return the
>> IP Address in the dictionary from extractCredentials().
>>
>> The value from request._environ['HTTP_X_FORWARDED_FOR'] will be used
>> if present, otherwise request._environ['REMOTE_ADDR'].
>
> On a basis of "privacy" of attributes starting with underscore, such
> as _environ, I would suggest using request.headers (for X-Forwarded-For)
> and request.environment instead. These are defined in the public
> interface API.
>
> --
> Zvezdan Petkovic <[EMAIL PROTECTED]>
Re: AW: [Zope-dev] Re: [Zope3-Users] How do I automatically login a user
On Apr 9, 2008, at 5:07 AM, kevin gill wrote:
> 1. IP Extraction
>
> Extract the IP Address from the credentials and store it. Return the
> IP Address in the dictionary from extractCredentials().
>
> The value from request._environ['HTTP_X_FORWARDED_FOR'] will be used
> if present, otherwise request._environ['REMOTE_ADDR'].

On a basis of "privacy" of attributes starting with underscore, such as
_environ, I would suggest using request.headers (for X-Forwarded-For) and
request.environment instead. These are defined in the public interface API.

--
Zvezdan Petkovic <[EMAIL PROTECTED]>
Re: AW: [Zope-dev] Re: [Zope3-Users] How do I automatically login a user
Below is a first draft of a proposal to cover the features discussed in
this thread. I have bundled a number of loosely related items into the
proposal. I can split them out to separate proposals if that is considered
a better approach.

There are three items which are not resolved in the high level of the
proposal. However, I believe that there is enough detail in the proposal
at the moment to elicit feedback on the proposal scope and approach. If
this high level is considered acceptable to the list, I will do an
implementation and submit a detailed proposal to this list, the Wiki and
Launchpad.

Thanks,
Kevin

Proposal

Session Credentials API Enhancements

  o Support remote IP restricted logins
  o Support domain specific logins
  o Encrypt Password
  o Application overriding credentials from request
  o Tracking of 'logged in' users

Motivation(s)

Require an API for logging in a user automatically. The mailing list
identified a number of other related requirements. Some items were added
or expanded due to usefulness in Zope2.

Problem(s)

Secure authentication scenarios require access to be limited to a single
IP Address or set of IP Addresses. The Session Credential plugin should
take responsibility for extracting and returning the authentication IP
Address.

Some scenarios use a 'domain' and provide the login within that specific
domain (e.g. a company and users belonging to that company).

For security reasons the password should be encrypted while in the session
store.

The application needs an API so that it can set the credentials for a
session programmatically, i.e. as part of the sign up process.

For monitoring purposes, it is useful to know who is currently 'logged in'.
For strict security it is important to logout idle users.

Proposal

1. IP Extraction

Extract the IP Address from the credentials and store it. Return the IP
Address in the dictionary from extractCredentials().

The value from request._environ['HTTP_X_FORWARDED_FOR'] will be used if
present, otherwise request._environ['REMOTE_ADDR'].

This requires a change to ISessionCredentials to provide getIP().

2. Domain

The Session Credentials can optionally provide a 'domain' value. Where the
domain is used, the domain should be stored in the client using a cookie,
so that it can default. The domain functionality should be enabled via the
UI.

TODO: Need to rename the domain functionality as the term domain is used
for IP specific security in Zope2.

3. Encrypt password

The Session Credentials should use an encrypter class to encrypt the
password if configured. The class is used to encrypt the password when
saved and to decrypt it when returning the password to the application
(via extractCredentials). The encrypter class shall support the following
Interface:

    from zope.interface import Interface

    class IEncryptPassword(Interface):

        def encrypt(login, password):
            """Return an encrypted version of the password"""

        def decrypt(login, encrypted):
            """Return a decrypted version of the password"""

TODO: Determine the mechanism for locating/configuring this class.

TODO: Identify a mechanism for recovering if you use this mechanism with
no users with encrypted passwords.

4. Application Overriding Login Credentials

The ICredentialsPlugin.extractCredentials method will have two new
parameters, overrides and mode.

overrides will provide a dictionary containing ('login', 'password' and
'domain') which will override the same values in the request object if
they are present in the request object.

mode will define what to do with the parameters if session credentials are
already stored:

  STORED_REQUEST_MODE: If values are stored, use them; otherwise use the
                       request (current functionality)
  REQUEST_STORED_MODE: Try for parameters in the request. If they are not
                       present, use stored values if they are available.
  REQUEST_ONLY_MODE:   Ignore values if they are stored. Use the request
                       only.

The class will use a full set of credentials from either the request or
storage. It will not mix them.

An adapter will be provided to make access to the login simpler. This
should be part of zope.app.security. The adapter shall adapt a request
object.

    class ILogin(Interface):
        """Provide support for logging in directly"""

        def login(overrides, mode=REQUEST_ONLY):
            """Login using credentials provided in the overrides parameter.

            {'login': '', 'password': '', 'domain': ''}

            If values are not provided in the dictionary, the request is
            searched.
            """

        def setCredentials(overrides, mode=REQUEST_ONLY):
            """Store the credentials for the curre
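The mode semantics of item 4 and the IP extraction of item 1, together with Roger's point elsewhere in the thread about not writing to the session on every request, as an added example that is neither Kevin's sandbox code nor zope.app.authentication's own. It assumes a request modelled as a WSGI-style environ dict plus a form dict, sessions kept in an in-memory dict keyed by session id, and the constructed sample addresses below; the trusted-proxy check on X-Forwarded-For is an assumption that goes beyond the proposal's text, added because any client can send that header.

```python
"""Toy model of the proposed extractCredentials(overrides, mode) semantics.

Added example, not code from Kevin Gill's sandbox or from
zope.app.authentication. Assumptions: the request is a WSGI-style environ
dict plus a form dict, sessions live in an in-memory dict keyed by session
id, and X-Forwarded-For is honoured only behind a proxy we operate (that
last check goes beyond the proposal's text).
"""

# Modes from item 4 of the proposal: which source of credentials wins.
STORED_REQUEST_MODE = "stored-request"  # stored if present, else request (current behaviour)
REQUEST_STORED_MODE = "request-stored"  # request if present, else stored
REQUEST_ONLY_MODE = "request-only"      # request only; stored values are ignored

CREDENTIAL_KEYS = ("login", "password", "domain")


def extract_ip(environ, trusted_proxies=()):
    """Item 1: X-Forwarded-For if present, otherwise REMOTE_ADDR.

    Assumption beyond the proposal: the forwarded header is used only when
    REMOTE_ADDR is one of our own proxies, because any client can send it.
    """
    remote = environ.get("REMOTE_ADDR")
    forwarded = environ.get("HTTP_X_FORWARDED_FOR")
    if forwarded and remote in trusted_proxies:
        # Leftmost entry is the originating client; later ones are proxies.
        return forwarded.split(",")[0].strip()
    return remote


class SessionCredentialsPlugin:
    """Stand-in for the session credentials plugin with an in-memory store."""

    def __init__(self, trusted_proxies=()):
        self.sessions = {}            # session id -> stored credential dict
        self.trusted_proxies = set(trusted_proxies)
        self.writes = 0               # session writes; should not be one per request

    def _from_request(self, environ, form, overrides):
        """Full credential set from the request; overrides replace form values."""
        creds = {key: form.get(key) for key in CREDENTIAL_KEYS}
        for key in CREDENTIAL_KEYS:
            if overrides.get(key) is not None:
                creds[key] = overrides[key]
        if not (creds["login"] and creds["password"]):
            return None
        creds["ip"] = extract_ip(environ, self.trusted_proxies)
        return creds

    def extractCredentials(self, session_id, environ, form,
                           overrides=None, mode=STORED_REQUEST_MODE):
        """Return a complete credential dict from one source only, or None."""
        stored = self.sessions.get(session_id)
        request_creds = self._from_request(environ, form, overrides or {})

        if mode == STORED_REQUEST_MODE:
            chosen = stored or request_creds
        elif mode == REQUEST_STORED_MODE:
            chosen = request_creds or stored
        elif mode == REQUEST_ONLY_MODE:
            chosen = request_creds
        else:
            raise ValueError(f"unknown mode: {mode!r}")
        if chosen is None:
            return None

        # Write the session only when the chosen credentials differ from what
        # is stored, so a routine request does not dirty the session store.
        if chosen != stored:
            self.sessions[session_id] = dict(chosen)
            self.writes += 1
        return dict(chosen)


def demo():
    """Drive the three modes with constructed requests; returns a summary."""
    plugin = SessionCredentialsPlugin(trusted_proxies={"10.0.0.1"})
    # Constructed environ for a request that arrived through our proxy.
    proxied = {"REMOTE_ADDR": "10.0.0.1",
               "HTTP_X_FORWARDED_FOR": "203.0.113.7, 10.0.0.1"}
    direct = {"REMOTE_ADDR": "198.51.100.5"}
    # Login form submitted once; the later request carries no form.
    first = plugin.extractCredentials("sid1", proxied,
                                      {"login": "alice", "password": "pw"})
    second = plugin.extractCredentials("sid1", proxied, {})
    # A fresh login in the same session, stored values ignored.
    third = plugin.extractCredentials("sid1", proxied,
                                      {"login": "bob", "password": "pw2"},
                                      mode=REQUEST_ONLY_MODE)
    # Programmatic login (the sign-up case) via overrides, with no form.
    signup = plugin.extractCredentials(
        "sid2", direct, {},
        overrides={"login": "carol", "password": "x", "domain": "acme"},
        mode=REQUEST_ONLY_MODE)
    # Same session later: request first, falling back to stored values.
    fallback = plugin.extractCredentials("sid2", direct, {},
                                         mode=REQUEST_STORED_MODE)
    ignored = plugin.extractCredentials("sid2", direct, {},
                                        mode=REQUEST_ONLY_MODE)
    return {"first": first, "second": second, "third": third,
            "signup": signup, "fallback": fallback, "ignored": ignored,
            "writes": plugin.writes}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Each call returns a complete set from exactly one source, matching the proposal's "it will not mix them", and the `writes` counter shows that only the requests that actually changed the credentials touched the session.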
AW: [Zope-dev] Re: [Zope3-Users] How do I automatically login a user
Hi David

> Betreff: Re: [Zope-dev] Re: [Zope3-Users] How do I
> automatically login a user
>
> Thanks Jim for doing this. Actually, the domain is something
> I have been looking for also. These other features are really
> nice. I am hoping this can be worked into something like
> z3c.authentication for generic use.
> Hoping roger is following this.

Yes, yes, just found no time to pick this up. But it's on the top of my
1000 things to do list ;-)

Note: I started to make progress with z3c.authenticator. This will become
a replacement for z3c.authentication.simple

Does anybody think we will need a migration script?

Regards
Roger Ineichen
_
END OF MESSAGE

> Regards,
> David
>
> Jim Fulton wrote:
> >
> > Let's move this discussion to zope-dev.
> >
> > On Apr 2, 2008, at 5:36 AM, kevin gill wrote:
> >> Please check in the code to the sandbox and I will have a look at it.
> >> The coding looks straight-forward, but choosing how to work it into
> >> the existing components.
> >>
> >> I will look at the code and come back with questions.
> >
> > I just checked 2 files, session.txt and session.py, into
> >
> > http://svn.zope.org/Sandbox/J1m/
> >
> > These provide several features, most of which are of particular
> > interest here:
> >
> > - An api to save session credentials independent of login,
> >
> > - saving sha-encoded passwords,
> >
> > - logout api
> >
> > - having an optional additional credential of a user domain,
> >   (probably not of general interest)
> >
> > Jim
> >
> > --
> > Jim Fulton
> > Zope Corporation