Philipp von Weitershausen wrote:
Simon Hang wrote:

Dear all,

I'm trying to use apache as zope3's frontend, and do NTLM authentication
as well.

Well, traditionally it's been part of Zope's responsibility to do
credentials extraction and user authentication. That doesn't mean it
couldn't be done by the webserver in front of Zope; there might just be
other implications that you and I can't think of ;).

I've done:
1. Installed mod_ntlm for apache 1.3, and tested.
2. Create a VirtualHost for zope3 instance, forwarding http request
using rewrite engine. And tested.

Now I try to put things together => A virtualhost can do NTLM
authentication and forward request to zope3, my virtual configuration of
apache as below:

<VirtualHost *:808>
   DocumentRoot c:/myroot
   Servername myserver
   ErrorLog logs/myerror.log
   CustomLog logs/myaccess.log common
   RewriteEngine On
   RewriteRule ^(/?.*) http://localhost:8080/++vh++http:myserver:808/++$1 [P,L]
   <Location "/">
       <IfModule mod_ntlm.c>
           AuthName "realm"
           AuthType NTLM
           NTLMAuth On
           NTLMAuthoritative On
           NTLMDomain mydomain
           NTLMOfferBasic Off
           NTLMBasicPreferred Off
           require valid-user
       </IfModule>
   </Location>
</VirtualHost>

Every time I try to access the page, the browser shows me an error message as

 Authorization Required

This server could not verify that you are authorized to access the
document requested. Either you supplied the wrong credentials (e.g., bad
password), or your browser doesn't understand how to supply the
credentials required.

What's wrong in my settings?

Well, Zope 3 doesn't care that Apache has authenticated your user. It
doesn't see that. If you want the Zope 3 security system to interact
with Apache's, here's a suggestion (not sure if it'll actually work):

- Have Apache forward the REMOTE_USER CGI env variable, e.g. by using
the "E" flag at the end of rewrite rule:


Will that really work? env variables are only useful in CGI mode, but proxying doesn't involve CGI. Rather I'd advise using additional parameters to the URL, like we do here for Zope 2 for instance:

- Have a custom ICredentialsPlugin that simply looks at this env
variable in the request for the log-in credentials. To challenge the
user for authentication, it would simply use the same authentication
realm as set in the apache.conf, so that it gets picked up by Apache
when the user provides the credentials.

And this plugin would have to get the credentials from the URL instead of the env variable. I wish apache had a proper way to add request headers during proxying...


- Have a custom IAuthenticatorPlugin that uses the credential data of
the former plug-in to create a principal object from it. It wouldn't
really need to do any actual authentication because that had already
been done by Apache. The only thing this plug-in needs to do is convert
the credentials data into an actual principal object.

Hope that helps.


Florent Guillaume, Nuxeo (Paris, France)   Director of R&D
+33 1 40 33 71 59   [EMAIL PROTECTED]
Zope3-users mailing list
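
The two plugin roles described in the thread, sketched as an added example in plain Python (not code from the thread or from Zope; it imports nothing from zope). The `proxy_user` parameter name, the `TRUSTED_PROXIES` set, the `apache.` id prefix and the `Request` stand-in are assumptions; the sketch accepts the identity asserted by the front end only when the connection comes from the proxy itself and the parameter appears exactly once.

```python
import ipaddress
from dataclasses import dataclass, field

TRUSTED_PROXIES = {ipaddress.ip_address("127.0.0.1")}  # assumed: Apache runs on the same host
USER_PARAM = "proxy_user"                              # assumed name of the URL parameter


@dataclass
class Request:
    """Constructed stand-in for the request object the backend sees."""
    remote_addr: str
    form: dict = field(default_factory=dict)


class ProxyCredentialsPlugin:
    """Credentials role: read the identity the front end asserted."""
    def extractCredentials(self, request):
        try:
            peer = ipaddress.ip_address(request.remote_addr)
        except ValueError:
            return None
        if peer not in TRUSTED_PROXIES:
            return None  # request reached the backend port directly: ignore the parameter
        value = request.form.get(USER_PARAM)
        # A list means the parameter was supplied more than once (for example by
        # the client as well as the proxy); that is ambiguous, so refuse it.
        if not isinstance(value, str) or not value.strip():
            return None
        return {"login": value.strip()}


class ProxyAuthenticatorPlugin:
    """Authenticator role: no password check, only login -> principal data."""
    def authenticateCredentials(self, credentials):
        if not credentials or "login" not in credentials:
            return None
        login = credentials["login"]
        return {"id": "apache." + login.lower(), "title": login}


def principal_for(request):
    """Run both roles in order, as the authentication machinery would."""
    creds = ProxyCredentialsPlugin().extractCredentials(request)
    return ProxyAuthenticatorPlugin().authenticateCredentials(creds)
```

The source-address check only helps if the backend port is unreachable from clients and the front end overwrites any client-supplied copy of the parameter before proxying.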
