Re: [Zope-PAS] Domainauth
Am 22.06.2006 um 13:48 schrieb Zachery Bir: Woops. Like I said, too long since I played in it. It runs request.getClientAddr(), which does take HTTP_X_FORWARDED_FOR, but only if the default REMOTE_ADDR is in an attribute called `trusted_proxies`. From lib/python/ZPublisher/HTTPRequest.py (in some 2.7 branch): # The trusted_proxies configuration setting contains a sequence # of front-end proxies that are trusted to supply an accurate # X_FORWARDED_FOR header. If REMOTE_ADDR is one of the values in this list # and it has set an X_FORWARDED_FOR header, ZPublisher copies REMOTE_ADDR # into X_FORWARDED_BY, and the last element of the X_FORWARDED_FOR list # into REMOTE_ADDR. X_FORWARDED_FOR is left unchanged. # The ZConfig machinery may sets this attribute on initialization # if any trusted-proxies are defined in the configuration file. trusted_proxies = [] (again, this is all if you're using mod_rewrite and VirtualHostMonster) Thank you Zac, yes I'm using mod_rewrite and VHM. I added the trusty- proxy directive into etc/zope.conf, but this seems to not work. But on further on this route I added a patch from Dieter Maurer to SiteAccess/VHM and I have now the right "REMOTE_ADDR" in the request. But no access to secured pages :-) Another thing I noticed it, that I see that a user authenticated by the cookie-login runs through the code of domain_auth. And the cookie- plugin is used for credential extraction. As far as I understand, the actual authentication is done later. So if the cookie-plugin does not found an appropriate cookie it redirects to the login-page and the domain_auth plugin is never used? With regards and thanks for the help, __Janko -- Janko Hauser email: [EMAIL PROTECTED] mobile: +49 1721 641552 PGP.sig Description: Signierter Teil der Nachricht ___ Zope-PAS mailing list Zope-PAS@zope.org http://mail.zope.org/mailman/listinfo/zope-pas
Re: [Zope-PAS] Domainauth
On Jun 22, 2006, at 7:43 AM, Zachery Bir wrote: On Jun 22, 2006, at 3:25 AM, Janko Hauser wrote: Hello, I'm trying to setup a domain based authentication. The situation is, that there is already a cookie-based authentication. Additionally we want to enable a direct login for some specific domains. Is this at all possible? I added a Domain Auth Plugin and activated it as the authentication plugin. Then I changed the order for this interface, so that "Domain Auth" is on top. But a request from such a domain get's an unauthorized and is redirected to the normal login page. Is there something more needed? I tried with the exact IP and with an endswith match for the domain name. What do I miss? (It's been a long time since the DomainAuthHelper was created, forgive me if I'm slow) Are you using mod_rewrite by any chance? You may need to turn on X- Forwarded-For (I forget the exact header), since in the default case, REMOTE_HOST is usually the Apache instance in such a setup. Woops. Like I said, too long since I played in it. It runs request.getClientAddr(), which does take HTTP_X_FORWARDED_FOR, but only if the default REMOTE_ADDR is in an attribute called `trusted_proxies`. From lib/python/ZPublisher/HTTPRequest.py (in some 2.7 branch): # The trusted_proxies configuration setting contains a sequence # of front-end proxies that are trusted to supply an accurate # X_FORWARDED_FOR header. If REMOTE_ADDR is one of the values in this list # and it has set an X_FORWARDED_FOR header, ZPublisher copies REMOTE_ADDR # into X_FORWARDED_BY, and the last element of the X_FORWARDED_FOR list # into REMOTE_ADDR. X_FORWARDED_FOR is left unchanged. # The ZConfig machinery may sets this attribute on initialization # if any trusted-proxies are defined in the configuration file. trusted_proxies = [] (again, this is all if you're using mod_rewrite and VirtualHostMonster) Zac ___ Zope-PAS mailing list Zope-PAS@zope.org http://mail.zope.org/mailman/listinfo/zope-pas
Re: [Zope-PAS] Domainauth
On Jun 22, 2006, at 3:25 AM, Janko Hauser wrote: Hello, I'm trying to setup a domain based authentication. The situation is, that there is already a cookie-based authentication. Additionally we want to enable a direct login for some specific domains. Is this at all possible? I added a Domain Auth Plugin and activated it as the authentication plugin. Then I changed the order for this interface, so that "Domain Auth" is on top. But a request from such a domain get's an unauthorized and is redirected to the normal login page. Is there something more needed? I tried with the exact IP and with an endswith match for the domain name. What do I miss? (It's been a long time since the DomainAuthHelper was created, forgive me if I'm slow) Are you using mod_rewrite by any chance? You may need to turn on X- Forwarded-For (I forget the exact header), since in the default case, REMOTE_HOST is usually the Apache instance in such a setup. Zac ___ Zope-PAS mailing list Zope-PAS@zope.org http://mail.zope.org/mailman/listinfo/zope-pas