On March 13, Lennart Regebro wrote:
> 2. Protecting yourself from packet snooping:
> Zope doesn't have any encryption built-in, SSL needs external software 
> to implement for example.
> In this sense Zope can be MADE secure with some work, but is not secure 
> at all out of the box.

Speaking of which, does anyone have any strategies for doing a
combination HTTP/HTTP-S setup, i.e., where anonymous requests are HTTP,
and all authenticated requests are encrypted?

Specifically, Zope has no way of knowing beforehand that access to a
resource will throw an Unauthorized error, and when it does, it just
sends a WWW-Authenticate header, and the browser retries the request
with the supplied header.  We want to enforce that passwords are never
solicited without SSL.

One way is probably to use CookieCrumbler and hack it to rewrite
came_from so s/^http/https/.  Is there a way that doesn't require


 Adrian van den Dries                           [EMAIL PROTECTED]
 Development team                               www.dev.flow.com.au
 FLOW Communications Pty. Ltd.                  www.flow.com.au
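
The idea in the message above (never send a password challenge over plain HTTP, and rewrite came_from so s/^http/https/), as an added example that is not part of the original post and is not Zope or CookieCrumbler code. It assumes the application sits behind a WSGI wrapper; `to_https`, `ChallengeOnlyOverTLS` and the `https_host` parameter are hypothetical names chosen for illustration.

```python
from urllib.parse import quote, urlsplit, urlunsplit

def to_https(url, https_host=None, https_port=443):
    """Apply s/^http/https/ to an absolute URL, dropping the plain-HTTP port
    and any userinfo. Relative and non-http URLs are returned unchanged."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    host = https_host or parts.hostname or ""
    if ":" in host and not host.startswith("["):   # bare IPv6 literal
        host = "[" + host + "]"
    netloc = host if https_port == 443 else "%s:%d" % (host, https_port)
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

class ChallengeOnlyOverTLS:
    """WSGI wrapper: a 401 raised on plain HTTP becomes a redirect to HTTPS,
    so WWW-Authenticate is only ever sent on an encrypted connection."""

    def __init__(self, app, https_host, https_port=443):
        # https_host is configured, not taken from the client's Host header,
        # so a forged Host cannot steer the redirect to another site.
        self.app, self.https_host, self.https_port = app, https_host, https_port

    def _redirect(self, environ, start_response):
        path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", ""))
        query = environ.get("QUERY_STRING", "")
        url = "http://unused" + path + ("?" + query if query else "")
        location = to_https(url, self.https_host, self.https_port)
        start_response("302 Found", [("Location", location), ("Content-Length", "0")])
        return [b""]

    def __call__(self, environ, start_response):
        if environ.get("wsgi.url_scheme") == "https":
            return self.app(environ, start_response)
        if "HTTP_AUTHORIZATION" in environ:       # credentials sent unprompted
            return self._redirect(environ, start_response)
        seen = {}
        def capture(status, headers, exc_info=None):
            seen["status"], seen["headers"] = status, headers
        # Assumes the app calls start_response before returning its body.
        body = self.app(environ, capture)
        if seen["status"].startswith("401"):
            if hasattr(body, "close"):
                body.close()
            return self._redirect(environ, start_response)
        start_response(seen["status"], seen["headers"])
        return body
```

Anonymous pages still travel over HTTP unchanged; only the request that would have produced a challenge is bounced to the HTTPS listener, where the application issues the 401 itself.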

Zope-Dev maillist  -  [EMAIL PROTECTED]