I have read all the various documents and howtos regarding setting zope with 
apache and SSL, and I set it up. I have two virtual servers, http and https, 
serving the same hierarchy of zope objects. I would llike to secure passwords 
by using SSL.

It is suggested everywhere I read that the protection should be done with 
RewriteRule or similar, by filtering urls. For example, I use RewriteRule 
match like ^manage(.*) and another to see if the protocol is insecure to 
redirect such requests to the same URL, but over https. Else, I can use 
solutions like SSLAbsoluteURL to adjust behavior of absolute_url()

This, however, seems unsatisfactory. RewriteRules or url base manipulation 
cannot guarantee that the site visitor would not run into a protected object. 
In this case, the server returns "Unauthorized" response, the browser pops up 
the basic http authorisation dialog and login/password travel in the open.

Looking at the CookieCrumbler product, I realise that before anything gets 
published it "highjacks" the RESPONSE object and manipulates it, including 
removing "Unauthorized" and redirecting to a login form.

I hope somebody has time to answer two questions:

How legitimate would it be to do the same, but to make external redirect via 
https? I understand that this might mean a lot of nasty things, including 
being locked out of Zope, but this can be dealt with, for example, 

Assume I make a hypothetical SSLRedirect product, modelled on CookieCrumbler. 
There is no reasonable way to keep them in the same folder and make sure that 
SSLRedirect gets to the REQUEST/RESPONSE before CookieCrumbler, correct?
I.e. such SSLRedirect product would have to be in a subfolder relative to 
CookieCrumbler so that it gets traversed first.

Thanks in advance,



Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope )

Reply via email to