Hi,
I have read all the various documents and howtos regarding setting zope with
apache and SSL, and I set it up. I have two virtual servers, http and https,
serving the same hierarchy of zope objects. I would like to secure passwords
by using SSL.
It is suggested everywhere I read that the protection should be done with
RewriteRule or similar, by filtering urls. For example, I use RewriteRule
match like ^manage(.*) and another to see if the protocol is insecure to
redirect such requests to the same URL, but over https. Else, I can use
solutions like SSLAbsoluteURL to adjust behavior of absolute_url().
This, however, seems unsatisfactory. RewriteRules or url base manipulation
cannot guarantee that the site visitor would not run into a protected object.
In this case, the server returns "Unauthorized" response, the browser pops up
the basic http authorisation dialog and login/password travel in the open.
Looking at the CookieCrumbler product, I realise that before anything gets
published it "hijacks" the RESPONSE object and manipulates it, including
removing "Unauthorized" and redirecting to a login form.
I hope somebody has time to answer two questions:
How legitimate would it be to do the same, but to make external redirect via
https? I understand that this might mean a lot of nasty things, including
being locked out of Zope, but this can be dealt with, for example,
_emergency_user.
Assume I make a hypothetical SSLRedirect product, modelled on CookieCrumbler.
There is no reasonable way to keep them in the same folder and make sure that
SSLRedirect gets to the REQUEST/RESPONSE before CookieCrumbler, correct?
I.e. such SSLRedirect product would have to be in a subfolder relative to
CookieCrumbler so that it gets traversed first.
Thanks in advance,
Regards,
Serguei
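The two redirect rules discussed above (force https for manage URLs, and replace an "Unauthorized" answer with a redirect to the https twin of the same URL so the Basic-auth dialog never appears over plain http) can be sketched as a plain function. This is an added illustration, not code from the post, from Zope or from CookieCrumbler; the request and response are stand-ins (dicts with `URL`, `QUERY_STRING`, `status`, `headers`) for Zope's REQUEST/RESPONSE, the `manage` path pattern and the hostname are constructed for the example, and it assumes the https virtual server listens on the default port 443.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Paths that must only ever be served over TLS. Mirrors the RewriteRule idea
# in the post (anything whose last segment starts with "manage"); constructed.
PROTECTED_PATH_RE = re.compile(r"(^|/)manage")


def https_equivalent(url, query_string=""):
    """Return the same URL with the scheme switched to https.

    Assumption: the https virtual server serves the same objects on port 443,
    so any explicit http port is dropped rather than carried over.
    """
    parts = urlsplit(url)
    return urlunsplit(("https", parts.hostname or "", parts.path, query_string, ""))


def ssl_redirect(request, response):
    """Hypothetical pre-publishing hook, loosely modelled on the post's idea.

    request:  dict with 'URL' (absolute URL, like REQUEST['URL']) and
              'QUERY_STRING'
    response: dict with 'status' (int) and 'headers' (dict)
    Returns True when a redirect to https was installed in `response`.
    """
    url = request["URL"]
    parts = urlsplit(url)
    if parts.scheme == "https":
        return False  # already on the secure vhost, nothing to do

    needs_tls = (
        PROTECTED_PATH_RE.search(parts.path) is not None  # manage URL
        or response["status"] == 401                      # would prompt for Basic auth
    )
    if not needs_tls:
        return False

    # Replace the 401 (or the plain-http manage page) with a redirect to the
    # https twin of the same URL. Dropping WWW-Authenticate matters: a browser
    # that still saw it would pop the login dialog and send the password in
    # the clear before following the redirect.
    response["status"] = 302
    response["headers"].pop("WWW-Authenticate", None)
    response["headers"]["Location"] = https_equivalent(url, request.get("QUERY_STRING", ""))
    return True


if __name__ == "__main__":
    # Constructed sample: an unauthenticated manage request arriving over http.
    req = {"URL": "http://www.example.com/site/manage_main", "QUERY_STRING": "tab=1"}
    resp = {"status": 401, "headers": {"WWW-Authenticate": 'Basic realm="Zope"'}}
    print(ssl_redirect(req, resp), resp)
```

Note that the hook does nothing for the credential check itself; it only makes sure the dialog (or a login form) is reached over https, and it still relies on the https vhost publishing the same objects, otherwise the redirect loops or lands on a different site.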
___
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope )