Re: [Zope-PAS] Domainauth

2006-06-22 Thread Zachery Bir

On Jun 22, 2006, at 3:25 AM, Janko Hauser wrote:

Hello, I'm trying to setup a domain based authentication. The  
situation is, that there is already a cookie-based authentication.  
Additionally we want to enable a direct login for some specific  
domains. Is this at all possible? I added a Domain Auth Plugin and  
activated it as the authentication plugin. Then I changed the order  
for this interface, so that Domain Auth is on top. But a request  
from such a domain get's an unauthorized and is redirected to the  
normal login page.

Is there something more needed? I tried with the exact IP and with  
an endswith match for the domain name.

What do I miss?

(It's been a long time since the DomainAuthHelper was created,  
forgive me if I'm slow)

Are you using mod_rewrite by any chance? You may need to turn on X- 
Forwarded-For (I forget the exact header), since in the default case,  
REMOTE_HOST is usually the Apache instance in such a setup.


Zope-PAS mailing list

Re: [Zope-PAS] Domainauth

2006-06-22 Thread Janko Hauser

Am 22.06.2006 um 13:48 schrieb Zachery Bir:

Woops. Like I said, too long since I played in it. It runs  
request.getClientAddr(), which does take HTTP_X_FORWARDED_FOR, but  
only if the default REMOTE_ADDR is in an attribute called  
`trusted_proxies`. From lib/python/ZPublisher/ (in  
some 2.7 branch):

  # The trusted_proxies configuration setting contains a sequence
  # of front-end proxies that are trusted to supply an accurate
  # X_FORWARDED_FOR header. If REMOTE_ADDR is one of the values in  
this list
  # and it has set an X_FORWARDED_FOR header, ZPublisher copies  
  # into X_FORWARDED_BY, and the last element of the  

  # into REMOTE_ADDR. X_FORWARDED_FOR is left unchanged.
  # The ZConfig machinery may sets this attribute on initialization
  # if any trusted-proxies are defined in the configuration file.

  trusted_proxies = []

(again, this is all if you're using mod_rewrite and  

Thank you Zac, yes I'm using mod_rewrite and VHM. I added the trusty- 
proxy directive into etc/zope.conf, but this seems to not work. But  
on further on this route I added a patch from Dieter Maurer to  
SiteAccess/VHM and I have now the right REMOTE_ADDR in the request.  
But no access to secured pages :-)

Another thing I noticed it, that I see that a user authenticated by  
the cookie-login runs through the code of domain_auth. And the cookie- 
plugin is used for credential extraction. As far as I understand, the  
actual authentication is done later. So if the cookie-plugin does not  
found an appropriate cookie it redirects to the login-page and the  
domain_auth plugin is never used?

With regards and thanks for the help,


Janko Hauser  email:  [EMAIL PROTECTED]
  mobile: +49 1721 641552

Description: Signierter Teil der Nachricht
Zope-PAS mailing list

Re: [Zope-PAS] Re: Domainauth

2006-06-22 Thread Janko Hauser

Am 22.06.2006 um 15:39 schrieb Tres Seaver:

The sequence which creates a user object is defined in the  



Very good documentation snipped

I followed this path and found the culprit.

The cookie_auth_helper extends the credentials with the remote_addr  
only if it found something before.

# Look in the request for the names coming from the  
login form

login = request.get('__ac_name', '')
password = request.get('__ac_password', '')

if login:
creds['login'] = login
creds['password'] = password

if creds or 1: # or 1 added by jhauser
creds['remote_host'] = request.get('REMOTE_HOST', '')

creds['remote_address'] = request.getClientAddr()
except AttributeError:
creds['remote_address'] = request.get('REMOTE_ADDR',  

return creds

So actually the question is, if the test for credentials is needed at  
all at this place.

I will further look into this, but thanks to Tres and ZAC to lead me  
to this place.

With regards,


Janko Hauser  email:  [EMAIL PROTECTED]
  mobile: +49 1721 641552

Description: Signierter Teil der Nachricht
Zope-PAS mailing list