Re: [Zope] Re: htaccess with zope/plone ?

2006-02-09 Thread michael nt milne
Thanks for the help. I got some good Apache advice on the Plone list vis a vis What I'd like to do is have Apache and Zope (roles, workflow) for extra security over SSL. I'll re-visit the authentication issue with the help I've received.

On 2/9/06, michael nt milne <[EMAIL PROTECTED]> wrote:
> Thanks for the help. I got some good Apache advice on the Plone list vis a vis What I'd like to do is have Apache and Zope (roles, workflow) for extra security over SSL. I'll re-visit the authentication issue with the help I've received in mind and re-check the documentation.
>
> On 2/9/06, Robert Boyd <[EMAIL PROTECTED]> wrote:
> > On 2/7/06, michael nt milne <[EMAIL PROTECTED]> wrote:
> > > Also Zope doesn't do SSL well and all password - login is
> > > basically insecure!
> >
> > If you mean that logins without SSL are basically insecure, ok. But
> > given your other posts, if you mean that Zope authentication is
> > somehow inherently insecure (other than non-SSL traffic being in the
> > clear), please consider that the problems you experienced with it
> > don't lead to that conclusion. I run secured Zope sites on Classified
> > networks, and wouldn't be able to if Zope security was as broken as
> > you make it out to be.
> >
> > If you need Apache auth and then need Plone auth, and you have a
> > question about configuring Apache auth, then it's appropriate to ask
> > an Apache list. The Apache httpd docs are also very good.
>
> -- Michael

-- Michael
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )


Re: [Zope] Re: htaccess with zope/plone ?

2006-02-09 Thread Robert Boyd
On 2/7/06, michael nt milne <[EMAIL PROTECTED]> wrote:
> Also Zope doesn't do SSL well and all password - login is
> basically insecure!

If you mean that logins without SSL are basically insecure, ok. But
given your other posts, if you mean that Zope authentication is
somehow inherently insecure (other than non-SSL traffic being in the
clear), please consider that the problems you experienced with it
don't lead to that conclusion. I run secured Zope sites on Classified
networks, and wouldn't be able to if Zope security was as broken as
you make it out to be.

If you need Apache auth and then need Plone auth, and you have a
question about configuring Apache auth, then it's appropriate to ask
an Apache list. The Apache httpd docs are also very good.


Re: [Zope] Re: htaccess with zope/plone ?

2006-02-09 Thread Tino Wildenhain

michael nt milne wrote:

> glad you've taken that on board :-) Over and out from me on this one as
> well. By the way using the   directive is the way to
> password protect using Apache on non directory based virtual hosts. It works
> using the URL line rather than directory access. Just so you know. And that
> wasn't even sourced from an Apache board. A Plone list member very kindly
> proffered the information. But then again this isn't an Apache list is it..

It's still kinda silly to try to protect Zope resources with big fat
Apache hammer ;) It kinda "works" for Root (/) and only one account,
but you are lost if you want to have different users with fine
grained security and zope actually knowing them.

Don't work against zope. Work with it.

And if something does not work as expected, you need to post _all_
the gory details of your configuration and what you really did.

If you can't remember, start over with a clean fresh Data.fs
and write down all steps you took.

--Tino


Re: [Zope] Re: htaccess with zope/plone ?

2006-02-09 Thread michael nt milne
glad you've taken that on board :-) Over and out from me on this one as well. By the way using the   directive is the way to password protect using Apache on non directory based virtual hosts. It works using the URL line rather than directory access. Just so you know. And that wasn't even sourced from an Apache board. A Plone list member very kindly proffered the information. But then again this isn't an Apache list is it..

On 2/9/06, Chris Withers <[EMAIL PROTECTED]> wrote:
> michael nt milne wrote:
> > Sorry but can't you post in one message?
>
> That, coming from you, is pretty rich ;-)
>
> > Also, Zope does do SSL but it's not
> > as good as Apache.
>
> No, Zope doesn't. There are some half baked addons that sort of promise
> to do something like SSL, but I'd trust them as far as I can throw them,
> and I've never had much success trying to throw software...
>
> > And some advice - keep personal insults out of it.
>
> aye aye cap'n ;-)
>
> Chris
>
> --
> Simplistix - Content Management, Zope & Python Consulting
> - http://www.simplistix.co.uk

-- Michael


Re: [Zope] Re: htaccess with zope/plone ?

2006-02-09 Thread Chris Withers

michael nt milne wrote:
> Sorry but can't you post in one message?

That, coming from you, is pretty rich ;-)

> Also, Zope does do SSL but it's not
> as good as Apache.

No, Zope doesn't. There are some half baked addons that sort of promise
to do something like SSL, but I'd trust them as far as I can throw them,
and I've never had much success trying to throw software...

> And some advice - keep personal insults out of it.

aye aye cap'n ;-)

Chris

--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk


Re: [Zope] Re: htaccess with zope/plone ?

2006-02-08 Thread michael nt milne
Sorry but can't you post in one message? Also, Zope does do SSL but it's not as good as Apache. And some advice - keep personal insults out of it.

On 2/8/06, Chris Withers <[EMAIL PROTECTED]> wrote:
> michael nt milne wrote:
> > ok, I've gone into the security tab in the site root and set 'view' to
> > 'authenticated' whilst de-selecting acquire.
>
> Yay!
>
> > However, using the password that
> > gets me into the overall 8080/manage doesn't work.
>
> Huh? Can you provide any less information, or maybe make it a bit
> vaguer? ;-)
>
> > Also the front page still
> > comes up if you cancel the login box and the page displays without css.
>
> Then you still haven't sorted your permissions properly...
>
> > This
> > shouldn't happen with view set to authenticated.
>
> Then _you're_ doing something wrong, 'cos it works just fine for the
> rest of us...
>
> Chris
>
> --
> Simplistix - Content Management, Zope & Python Consulting
> - http://www.simplistix.co.uk

-- Michael


Re: [Zope] Re: htaccess with zope/plone ?

2006-02-08 Thread Chris Withers

michael nt milne wrote:

> ok, I've gone into the security tab in the site root and set 'view' to
> 'authenticated' whilst de-selecting acquire.

Yay!

> However, using the password that
> gets me into the overall 8080/manage doesn't work.

Huh? Can you provide any less information, or maybe make it a bit
vaguer? ;-)

> Also the front page still
> comes up if you cancel the login box and the page displays without css.

Then you still haven't sorted your permissions properly...

> This
> shouldn't happen with view set to authenticated.

Then _you're_ doing something wrong, 'cos it works just fine for the
rest of us...


Chris

--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk



Re: [Zope] Re: htaccess with zope/plone ?

2006-02-08 Thread Chris Withers

michael nt milne wrote:

> But if you've got Apache ssl as well then it's more secure.

Yes, SSL is a transport encryption method, not an authentication method...

> The problem I've found is that you can't put this in the httpd.conf unless
> it is wrapped in a  directive
>
> AuthType Basic
> AuthName "Members Only"
> AuthUserFile /path/to/.htpasswd
> require valid-user

This is an Apache question, take it elsewhere!

Chris

--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk



[Zope] Re: htaccess with zope/plone ?

2006-02-08 Thread Chris Withers

michael nt milne wrote:

> Also, just to say that I did a test on only letting authenticated and
> managers view the root page of the site over ssl.

How?

> If you just cancelled the
> login box or closed it, the whole front page was displayed without any css
> but you could still get all the content.

Well, then you didn't set permissions correctly...

> I've had this quite a bit before so
> that's why I'm looking into Apache authentication. I just don't think that
> Zope authentication is secure.

You just don't think, or research, which is more your problem...

cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk



[Zope] Re: htaccess with zope/plone ?

2006-02-08 Thread Chris Withers

michael nt milne wrote:

> Also I'm implementing an extranet solution where extra security is
> required-so therefore an apache login and a further plone login for
> editing the site.

I commented to someone asking similar questions about them being stupid,
lazy or both. I don't think you're lazy ;-)


Chris

--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk



[Zope] Re: htaccess with zope/plone ?

2006-02-08 Thread Chris Withers

michael nt milne wrote:

> Sorry but there's a lot of Apache knowledge here and it's completely
> relevant.

No it isn't, if you want to use Apache auth, go ask on an Apache forum.
You don't, but you think you do, and you won't listen to anyone, which
is annoying in its own right...

> Also Zope doesn't do SSL well

Zope doesn't do SSL at all, there's no point. Secure transport and
authentication have little to do with each other...

> and all password - login is
> basically insecure!

Not if it's over SSL...

> I've found out that  I'm best using httpd.conf and
> not htaccess . Also irc.freenode is unusable.

Oh don't be so ridiculous...

Chris

--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk



Re: [Zope] Re: htaccess with zope/plone ?

2006-02-08 Thread michael nt milne
ok, I've gone into the security tab in the site root and set 'view' to 'authenticated' whilst de-selecting acquire. However, using the password that gets me into the overall 8080/manage doesn't work. Also the front page still comes up if you cancel the login box and the page displays without css. This shouldn't happen with view set to authenticated.

On 2/8/06, Jens Vagelpohl <[EMAIL PROTECTED]> wrote:
> On 7 Feb 2006, at 23:58, michael nt milne wrote:
> > Also, just to say that I did a test on only letting authenticated
> > and managers view the root page of the site over ssl. If you just
> > cancelled the login box or closed it, the whole front page was
> > displayed without any css but you could still get all the content.
> > I've had this quite a bit before so that's why I'm looking into
> > Apache authentication. I just don't think that Zope authentication
> > is secure.
>
> As someone else has already mentioned, there is zero difference when
> it comes to "how secure" the login procedure is. It doesn't matter
> how you set up authentication if you haven't applied the proper
> permission settings in Zope to prevent showing that front page
> content you mentioned earlier. You need to get a better idea how to
> use the built-in Zope security mechanisms to achieve the security
> settings you would like to see.
>
> Using both Apache and Zope authentication will bring mostly pain.
> Your strategy is wrong. Get a better understanding of what Zope can
> do in that regard and then decide.
>
> jens

-- Michael


Re: [Zope] Re: htaccess with zope/plone ?

2006-02-08 Thread Jens Vagelpohl


On 7 Feb 2006, at 23:58, michael nt milne wrote:

> Also, just to say that I did a test on only letting authenticated
> and managers view the root page of the site over ssl. If you just
> cancelled the login box or closed it, the whole front page was
> displayed without any css but you could still get all the content.
> I've had this quite a bit before so that's why I'm looking into
> Apache authentication. I just don't think that Zope authentication
> is secure.

As someone else has already mentioned, there is zero difference when
it comes to "how secure" the login procedure is. It doesn't matter
how you set up authentication if you haven't applied the proper
permission settings in Zope to prevent showing that front page
content you mentioned earlier. You need to get a better idea how to
use the built-in Zope security mechanisms to achieve the security
settings you would like to see.

Using both Apache and Zope authentication will bring mostly pain.
Your strategy is wrong. Get a better understanding of what Zope can
do in that regard and then decide.


jens



Re: [Zope] Re: htaccess with zope/plone ?

2006-02-07 Thread michael nt milne
But if you've got Apache ssl as well then it's more secure.

The problem I've found is that you can't put this in the httpd.conf unless it is wrapped in a  directive

AuthType Basic
AuthName "Members Only"
AuthUserFile /path/to/.htpasswd
require valid-user

And the virtual host doesn't have a directory. If I were to place this in the zope root then I would password protect all the sites. I only want to password protect one etc.

On 2/8/06, Andreas Pakulat <[EMAIL PROTECTED]> wrote:
> On 07.02.06 23:58:20, michael nt milne wrote:
> > Also, just to say that I did a test on only letting authenticated and
> > managers view the root page of the site over ssl. If you just cancelled the
> > login box or closed it, the whole front page was displayed without any css
> > but you could still get all the content.
>
> Then you had the proper rights somehow.
>
> > I've had this quite a bit before so that's why I'm looking into Apache
> > authentication. I just don't think that Zope authentication is secure.
>
> Authentication via .htpasswd uses the same HTTP method as the basic
> login into Zope. It's not more or less secure than authenticating
> directly with Zope.
>
> Andreas
>
> --
> There is a 20% chance of tomorrow.

-- Michael


Re: [Zope] Re: htaccess with zope/plone ?

2006-02-07 Thread Andreas Pakulat
On 07.02.06 23:58:20, michael nt milne wrote:
> Also, just to say that I did a test on only letting authenticated and
> managers view the root page of the site over ssl. If you just cancelled the
> login box or closed it, the whole front page was displayed without any css
> but you could still get all the content.

Then you had the proper rights somehow.

> I've had this quite a bit before so that's why I'm looking into Apache
> authentication. I just don't think that Zope authentication is secure.

Authentication via .htpasswd uses the same HTTP method as the basic
login into Zope. It's not more or less secure than authenticating
directly with Zope.

Andreas

-- 
There is a 20% chance of tomorrow.
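
[Added example, not part of the original thread.] The reply above says a .htpasswd login and Zope's basic login use the same HTTP method; this Python sketch shows the identical Authorization header reaching either checker, and that only the transport (SSL or not) decides whether it is exposed. The request records, user name, password and "checked_by" labels are constructed for illustration.

```python
import base64
import binascii


def parse_basic_auth(header_value):
    """Return (user, password) from an Authorization header value, or None.

    Basic credentials are base64("user:password"): an encoding, not
    encryption, so anyone who can read the request can recover them.
    """
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed token: not usable credentials
    user, sep, password = decoded.partition(":")  # password may contain ':'
    if not sep:
        return None
    return user, password


def audit_requests(requests):
    """Flag requests whose Basic credentials crossed the network without TLS.

    Each request is a dict with 'scheme', 'path', 'checked_by', 'headers'.
    """
    findings = []
    for req in requests:
        creds = parse_basic_auth(req["headers"].get("Authorization"))
        if creds is None:
            continue
        findings.append({
            "path": req["path"],
            "checked_by": req["checked_by"],
            "user": creds[0],
            # Which server validates the password is irrelevant here;
            # exposure depends only on the transport.
            "exposed": req["scheme"] != "https",
        })
    return findings


def basic_header(user, password):
    """Build the header value a browser sends after the login box."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


# Constructed sample traffic (hypothetical paths and account).
CRED = basic_header("alice", "s3cret:pw")
SAMPLE_REQUESTS = [
    {"scheme": "http", "path": "/members", "checked_by": "apache-htpasswd",
     "headers": {"Authorization": CRED}},
    {"scheme": "http", "path": "/site/manage", "checked_by": "zope",
     "headers": {"Authorization": CRED}},
    {"scheme": "https", "path": "/site/manage", "checked_by": "zope",
     "headers": {"Authorization": CRED}},
    {"scheme": "http", "path": "/public", "checked_by": "zope", "headers": {}},
    {"scheme": "http", "path": "/broken", "checked_by": "zope",
     "headers": {"Authorization": "Basic !!!notbase64"}},
]

if __name__ == "__main__":
    for finding in audit_requests(SAMPLE_REQUESTS):
        state = "EXPOSED (no TLS)" if finding["exposed"] else "protected by TLS"
        print(f'{finding["path"]:<14} {finding["checked_by"]:<16} {state}')
```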


[Zope] Re: htaccess with zope/plone ?

2006-02-07 Thread michael nt milne
Also, just to say that I did a test on only letting authenticated and managers view the root page of the site over ssl. If you just cancelled the login box or closed it, the whole front page was displayed without any css but you could still get all the content. I've had this quite a bit before so that's why I'm looking into Apache authentication. I just don't think that Zope authentication is secure.

On 2/7/06, michael nt milne <[EMAIL PROTECTED]> wrote:
> Also I'm implementing an extranet solution where extra security is
> required-so therefore an apache login and a further plone login for
> editing the site.
>
> On 2/7/06, michael nt milne <[EMAIL PROTECTED]> wrote:
> > Sorry but there's a lot of Apache knowledge here and it's completely
> > relevant. Also Zope doesn't do SSL well and all password - login is
> > basically insecure! I've found out that  I'm best using httpd.conf and
> > not htaccess . Also irc.freenode is unusable.
> >
> > On 2/7/06, Chris Withers <[EMAIL PROTECTED]> wrote:
> > > michael nt milne wrote:
> > > > I've managed to set-up SSL over Apache and Zope/Plone virtual hosts on
> > > > Windows but am slightly stuck on implementing the htaccess part of my
> > > > solution. I've done extensive googling but can't seem to find any solid
> > > > documentation.
> > >
> > > This is an Apache question, go ask on #apache on irc.freenode.net!
> > >
> > > I really don't understand why you'd use htaccess if you're already using
> > >   Zope...
> > >
> > > cheers,
> > >
> > > Chris
> > >
> > > --
> > > Simplistix - Content Management, Zope & Python Consulting
> > > - http://www.simplistix.co.uk
> >
> > --
> > Michael
>
> --
> Michael

--
Michael


[Zope] Re: htaccess with zope/plone ?

2006-02-07 Thread michael nt milne
Also I'm implementing an extranet solution where extra security is
required-so therefore an apache login and a further plone login for
editing the site.

On 2/7/06, michael nt milne <[EMAIL PROTECTED]> wrote:
> Sorry but there's a lot of Apache knowledge here and it's completely
> relevant. Also Zope doesn't do SSL well and all password - login is
> basically insecure! I've found out that  I'm best using httpd.conf and
> not htaccess . Also irc.freenode is unusable.
>
> On 2/7/06, Chris Withers <[EMAIL PROTECTED]> wrote:
> > michael nt milne wrote:
> > > I've managed to set-up SSL over Apache and Zope/Plone virtual hosts on
> > > Windows but am slightly stuck on implementing the htaccess part of my
> > > solution. I've done extensive googling but can't seem to find any solid
> > > documentation.
> >
> > This is an Apache question, go ask on #apache on irc.freenode.net!
> >
> > I really don't understand why you'd use htaccess if you're already using
> >   Zope...
> >
> > cheers,
> >
> > Chris
> >
> > --
> > Simplistix - Content Management, Zope & Python Consulting
> > - http://www.simplistix.co.uk
> >
> >
>
>
> --
> Michael
>


--
Michael


[Zope] Re: htaccess with zope/plone ?

2006-02-07 Thread michael nt milne
Sorry but there's a lot of Apache knowledge here and it's completely
relevant. Also Zope doesn't do SSL well and all password - login is
basically insecure! I've found out that  I'm best using httpd.conf and
not htaccess . Also irc.freenode is unusable.

On 2/7/06, Chris Withers <[EMAIL PROTECTED]> wrote:
> michael nt milne wrote:
> > I've managed to set-up SSL over Apache and Zope/Plone virtual hosts on
> > Windows but am slightly stuck on implementing the htaccess part of my
> > solution. I've done extensive googling but can't seem to find any solid
> > documentation.
>
> This is an Apache question, go ask on #apache on irc.freenode.net!
>
> I really don't understand why you'd use htaccess if you're already using
>   Zope...
>
> cheers,
>
> Chris
>
> --
> Simplistix - Content Management, Zope & Python Consulting
> - http://www.simplistix.co.uk
>
>


--
Michael