Florent Guillaume wrote:
>> Well, Zope 3 doesn't care that Apache has authenticated your user. It
>> doesn't see that. If you want the Zope 3 security system to interact
>> with Apache's, here's a suggestion (not sure if it'll actually work):
>>
>> - Have Apache forward the REMOTE_USER CGI env variable, e.g. by using
>> the "E" flag at the end of rewrite rule:
>>
>>   [P,L,E=REMOTE_USER:%{REMOTE_USER}]
> 
> 
> Will that really work? env variables are only useful in CGI mode, but
> proxying doesn't involve CGI. Rather I'd advise using additional
> parameters to the URL, like we do here for Zope 2 for instance:
> 
> http://svn.nuxeo.org/trac/pub/file/CMFNtlmSso/trunk/doc/vhost_sso.conf

Ah, yes. I thought of this initially but found the env way to be
cleaner, simply assuming that mod_rewrite would pass the current env
along on the proxy request. It seems it doesn't.

Good example config, by the way.

>> - Have a custom ICredentialsPlugin that's simply looks at this env
>> variable in the request for the log-in credentials. To challenge the
>> user for authentication, it would simply use the same authentication
>> realm as set in the apache.conf, so that it gets picked up by Apache
>> when the user provides the credentials.
> 
> 
> And this plugin would have to get the credentials from the URL instead
> of the env variable. I wish apache had a proper way to add request
> headers during proxying...

Yup and yup.

Philipp
_______________________________________________
Zope3-users mailing list
Zope3-users@zope.org
http://mail.zope.org/mailman/listinfo/zope3-users

Reply via email to