Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-14 Thread Chris Withers
michael nt milne wrote: Yes, I do realise that it's hard. Regarding the cookie comment that was the reason I wanted to use Apache location based login. Huh? I'm sure some people would love to know how those two things relate in your head... I do realise that leaving a logon cookie is

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-14 Thread Chris Withers
Dario Lopez-Kästen wrote: Nevertheless, it is not simple to implement proper security with cookie-based logins. I had to make my own hacked version of SinmpleUserFodler with seesioning on the zeo server to get it secure enough (it is actually a trade off from what I would have liked to have

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-14 Thread Igor Stroh
michael nt milne wrote: Yes, I do realise that it's hard. Regarding the cookie comment that was the reason I wanted to use Apache location based login. I do realise that leaving a logon cookie is insecure and that comment was perhaps misguided. I started to think about usability etc. I'm

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-14 Thread michael nt milne
Yes, I do realise that it's hard. Regarding the cookie comment that was the reason I wanted to use Apache location based login.Huh? I'm sure some people would love to know how those two things relate in your head... I wanted to use an Apache served login box before the Zope/Plone site is served

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-14 Thread Dario Lopez-Kästen
michael nt milne said the following on 2006-02-14 12:30: As for the issue with IE6 and editing pages over SSL it all works fine in Firefox 1.5, so it's a browser issue which I just can't quite fathom just now. I doubt it, my guess would still be that you're doing something wrong

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-14 Thread michael nt milne
I am sure you know this, but since we have learned very little (or atleast I have - maybe I am not paying attention well enough :-): Have you modified that rule to take advantage of the SSL -server?Perhaps the SiteAccess rule is triggering adn trying to redirect you toan address/port where there

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-14 Thread Chris Withers
michael nt milne wrote: cookie based. Now going with Zope/Plone auth over SSL alone with cookies set to expire. I hope you're making sure the secure bit is set on those cookies ;-) My aim is security with a good level of usability and I'll achieve that :-) Considering you can't even quote

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-13 Thread Dario Lopez-Kästen
Chris Withers said the following on 2006-02-12 15:27: Given your earlier paranoia about security uh, us security nerds^H^H^H^H^H^H folks-who-have-an-strong-interest-in-security, actually prefer to call it eagerness. Paranoia has such negative timbre, don't you think? :-) Nevertheless, it

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-12 Thread michael nt milne
ThanksIt's worth bearing in mind that those credentials are passed over thewire with every page, so you need your sessions to /stay/ in SSL modeonce authenticated.Yes, I've got the whole site going over SSL and the :8080 port re-directing to SSL. However on my main server where I have other sites

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-12 Thread Chris Withers
michael nt milne wrote: Yes I think I like the HTML login page way to authenticate. It feels more usable. And I don't think I'll use an Apache login box at all. Most users will find it hard remembering one password and with cookie authentication over SSL you can go straight into the site.

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-12 Thread Chris Withers
michael nt milne wrote: Yes, I've got the whole site going over SSL and the :8080 port re-directing to SSL. Anything not over SSL should be blocked, not redirected, given your earlier paranoia... However on my main server where I have other sites I was thinking about implementing SSL for

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-12 Thread michael nt milne
Yes, I do realise that it's hard. Regarding the cookie comment that was the reason I wanted to use Apache location based login. I do realise that leaving a logon cookie is insecure and that comment was perhaps misguided. I started to think about usability etc. I'm going to block 8080 at the

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-11 Thread Philip Kilner
Hi, J Cameron Cooper wrote: Also, as I recall, there was a private plone site howto on plone.org; dunno what happened to it. It's still there, still works - and is very likely what Michael wants. -- Regards, PhilK Email: [EMAIL PROTECTED] PGP Public key: http://www.xfr.co.uk Voicemail

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-11 Thread Philip Kilner
Hi Again, Re. Private Plone Site Howto Philip Kilner wrote: It's still there, still works - and is very likely what Michael wants. I'm an idiot - should have checked, knowing that there was a documentation sprint last weekend. It was at: -

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-11 Thread Philip Kilner
Hi Michael, michael nt milne wrote: Yes I found that as well but picked it up from the Google cache. Strange that it is available there as it's password protected. Possibly it was public before? Yes, it was public before. Have you tried this, and does it solve your problems? JCC is spot

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-11 Thread michael nt milne
Hi Phil I've implementedwhat's outlined in the make private site documentationand it works fine on Plone 2.1.1.No content is available apart from the site-map page (doesn't list content) and the contact form but I can figure that out separately. Yes I think I like the HTML login page way to

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-11 Thread Philip Kilner
Hi Michael, michael nt milne wrote: I've implemented what's outlined in the make private site documentation and it works fine on Plone 2.1.1. No content is available apart from the site-map page (doesn't list content) and the contact form but I can figure that out separately. Since

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-10 Thread michael nt milne
Well I said it was over and out but I have to respond to this latest post. I appreciate the help here and will be trying out some of the suggestions. Basically though, Zope permissions and security could be made a lot more usable. It's far too technically focused and this is the opinion of a few

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-10 Thread Chris Withers
michael nt milne wrote: Well I said it was over and out but I have to respond to this latest post. You liar! Basically though, Zope permissions and security could be made a lot more usable. Cool, we look forward to your documented proposal to dev.zope.org including implemented code on a

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-10 Thread Paul Winkler
Can we all stop with the public name-calling and personal insults? It's embarassing. -- Paul Winkler http://www.slinkp.com ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! **

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-10 Thread michael nt milne
You liar! I couldn't resist :-) You seem so entertained. Bit of sport and all that.I've spoken to many people on various lists and can confirm the feeling about usability on the ZMI etc. You call them 'halfwits'. That puts you on rather high ground and this attitude is obviously part of the

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-10 Thread michael nt milne
I agree. I didn't start it and I find it un-professional. I came here with a genuine issue, have received some help which I thank people for and have made some legitimate points. I find the Zope and Plone lists are generally very good and an not interested in slanging matches. ThanksMichaelOn

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-10 Thread Lennart Regebro
On 2/10/06, michael nt milne [EMAIL PROTECTED] wrote: I've spoken to many people on various lists and can confirm the feeling about usability on the ZMI etc. You call them 'halfwits'. That puts you on rather high ground and this attitude is obviously part of the problem. 1. By complaining

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-10 Thread Floyd May
On 2/10/06, michael nt milne [EMAIL PROTECTED] wrote: I agree. I didn't start it and I find it un-professional. I came here with a genuine issue, have received some help which I thank people for and have made some legitimate points. I find the Zope and Plone lists are generally very good and

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-10 Thread michael nt milne
I take the point that I approached this issue from the wrong standpoint and apologise for that. This was perhaps born out of a little frustration. I was never rude though. Also I feel that Plone has usabillity which sits above it's prettyness. It is a well designed interface graphically but also

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-10 Thread michael nt milne
Yes I've apologised for the initial tone which was the wrong way to begin and yes I agree I should have routed out more documentation. I've read Andy Mackay, Plone Live, printed out screeds of how tos, chapters of the Zope book, installed Zope on my Unix server etc so I do have a reasonable, if

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-10 Thread Philip Kilner
Hi Michael, michael nt milne wrote: Also I feel that Plone has usabillity which sits above it's prettyness. It is a well designed interface graphically but also has very strong non graphical usability elements. You are correct - but you are not comparing like with like, as Plone is an

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-10 Thread J Cameron Cooper
michael nt milne wrote: Well I said it was over and out but I have to respond to this latest post. I appreciate the help here and will be trying out some of the suggestions. Basically though, Zope permissions and security could be made a lot more usable. It's far too technically focused and

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-10 Thread Michael Vartanyan
In the very beginning of my Zope career, I once shot myself in the foot with a very stupid thing... I kept it to myself then but if we are talking about Zope security settings and usability of the ZMI at the same time, perhaps it is an ideal place to raise this issue. If you use the famous