Philipp von Weitershausen wrote:
Simon Hang wrote:
I'm trying to use apache as zope3's frontend, and do NTLM authentication
Well, traditionally it's been part of Zope's responsibility to do
credentials extraction and user authentication. That doesn't mean it
couldn't be done by the webserver in front of Zope; there might just be
other implications that you and I can't think of ;).
1. Installed mod_ntlm for apache 1.3, and tested.
2. Create a VirtualHost for zope3 instance, forwarding http request
using rewrite engine. And tested.
Now I try to put things together => A virtualhost can do NTLM
authentication and forward request to zope3, my virtual configuration of
apache as below:
CustomLog logs/myaccess.log common
Every time I try to access the page, the browser shows me an error message as
This server could not verify that you are authorized to access the
document requested. Either you supplied the wrong credentials (e.g., bad
password), or your browser doesn't understand how to supply the
What's wrong in my settings?
Well, Zope 3 doesn't care that Apache has authenticated your user. It
doesn't see that. If you want the Zope 3 security system to interact
with Apache's, here's a suggestion (not sure if it'll actually work):
- Have Apache forward the REMOTE_USER CGI env variable, e.g. by using
the "E" flag at the end of rewrite rule:
Will that really work? env variables are only useful in CGI mode, but
proxying doesn't involve CGI. Rather I'd advise using additional
parameters to the URL, like we do here for Zope 2 for instance:
- Have a custom ICredentialsPlugin that simply looks at this env
variable in the request for the log-in credentials. To challenge the
user for authentication, it would simply use the same authentication
realm as set in the apache.conf, so that it gets picked up by Apache
when the user provides the credentials.
And this plugin would have to get the credentials from the URL instead
of the env variable. I wish apache had a proper way to add request
headers during proxying...
- Have a custom IAuthenticatorPlugin that uses the credential data of
the former plug-in to create a principal object from it. It wouldn't
really need to do any actual authentication because that had already
been done by Apache. The only thing this plug-in needs to do is convert
the credentials data into an actual principal object.
Hope that helps.
Florent Guillaume, Nuxeo (Paris, France) Director of R&D
+33 1 40 33 71 59 http://nuxeo.com [EMAIL PROTECTED]
Zope3-users mailing list
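
The two plug-ins discussed in this thread, as an added example that is not code from any poster or from Zope. The classes only mirror the method names `extractCredentials` and `authenticateCredentials` and do not import Zope; the `Request` class, the `proxy_user` URL parameter, the trusted front-end address, the `DOMAIN\user` login format and the `apache.` id prefix are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

TRUSTED_PROXIES = {"127.0.0.1"}   # assumption: Apache runs on the same host as Zope
USER_PARAM = "proxy_user"         # hypothetical parameter name, not from the thread
VALID_USER = re.compile(r"(?:[A-Za-z0-9_.-]+\\)?[A-Za-z0-9_.-]+")  # optional DOMAIN\ prefix


class Request:
    """Minimal stand-in for a Zope 3 request (constructed for this example)."""
    def __init__(self, url, peer_addr):
        self.url = url
        self.peer_addr = peer_addr


class ProxyCredentialsPlugin:
    """Plays the role of the custom ICredentialsPlugin."""
    def extractCredentials(self, request):
        # Only the front end may assert an identity; a client that reaches
        # Zope directly could otherwise name any user it likes.
        if request.peer_addr not in TRUSTED_PROXIES:
            return None
        values = parse_qs(urlsplit(request.url).query).get(USER_PARAM, [])
        # Reject missing, repeated or malformed values instead of guessing.
        if len(values) != 1 or not VALID_USER.fullmatch(values[0]):
            return None
        return {"login": values[0]}


class ProxyAuthenticatorPlugin:
    """Plays the role of the custom IAuthenticatorPlugin."""
    def __init__(self, prefix="apache."):
        self.prefix = prefix

    def authenticateCredentials(self, credentials):
        # No password check here: Apache has already authenticated the user.
        # The domain stays in the id so same-named accounts remain distinct.
        if not credentials or "login" not in credentials:
            return None
        login = credentials["login"].lower()
        return {"id": self.prefix + login, "title": login}


def principal_for(request):
    """Run both plug-ins in order; returns a principal-info dict or None."""
    creds = ProxyCredentialsPlugin().extractCredentials(request)
    return ProxyAuthenticatorPlugin().authenticateCredentials(creds)
```

The trust check is only meaningful if Apache overwrites any client-supplied value of the parameter and Zope's port is reachable only through Apache.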