Thanks for the help.

I feel not comfortable to put the username in URL. User may be able to bypass the authentication and direct access zope with username in URL.

And that's true, Apache can pass environment variable via mod_rewrite. What's a pity.

Now the only solution I found is only working in Apache2 not 1.3. I can use mod_header. requestheader can add http header to request before mod_rewrite pass it to zope. I can put REMOTE_USER in http header and zope will be able to pick it up. User will still be able to bypass the check if they can use special web browser which can add http header. But at least with standard IE & Firefox, this method will be safe.

But I'm still using Apache 1.3. Above solution can't apply. :(

I'm giving up. Maybe just use some browser script to submit current username to CredentialsPlugin.
This will be easy, just write my own version of, and that will work. But it's ugly.


On 11/13/05, Philipp von Weitershausen <[EMAIL PROTECTED]> wrote:
Florent Guillaume wrote:
>> Well, Zope 3 doesn't care that Apache has authenticated your user. It
>> doesn't see that. If you want the Zope 3 security system to interact
>> with Apache's, here's a suggestion (not sure if it'll actually work):
>> - Have Apache forward the REMOTE_USER CGI env variable, e.g. by using
>> the "E" flag at the end of rewrite rule:
> Will that really work? env variables are only useful in CGI mode, but
> proxying doesn't involve CGI. Rather I'd advise using additional
> parameters to the URL, like we do here for Zope 2 for instance:

Ah, yes. I thought of this initially but found the env way to be
cleaner, simply assuming that mod_rewrite would pass the current env
along on the proxy request. It seems it doesn't.

Good example config, by the way.

>> - Have a custom ICredentialsPlugin that's simply looks at this env
>> variable in the request for the log-in credentials. To challenge the
>> user for authentication, it would simply use the same authentication
>> realm as set in the apache.conf, so that it gets picked up by Apache
>> when the user provides the credentials.
> And this plugin would have to get the credentials from the URL instead
> of the env variable. I wish apache had a proper way to add request
> headers during proxying...

Yup and yup.

Zope3-users mailing list

Zope3-users mailing list

Reply via email to