Good news. I believe I found a way to do NTLM 4-way handshake with zope3 and using PAU's plugin. But I need to modify zope3's http server a little bit, to let zope3 support HTTP/1.1 persistent connection.

Currently I can
1. send NTLM challenge
2. receive NTLM type-1 message
3. send NTLM type-2 message
4. receive NTLM type-3 message.

Only thing to do is decode type-3 message.

My concern is I need to modify zope3's http server, although only to add several lines. Is there anybody who can validate my modification and implement the change in the proper zope3 way?

Currently I modified zope.server.http.httptask.HTTPTask, method prepareResponseHeaders(), to let this function also check accumulated_headers before deciding to close the connection. Sorry, I left the modified code on my other PC, so I can't post the details.

Anybody can help?
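The server side of the exchange listed above (send the NTLM challenge, receive type-1, send type-2, receive and decode type-3), as an added example that is not code from this thread, from zope3 or from the PAU. It is plain Python with no zope dependency; the `state` dict it receives is assumed to be kept per TCP connection by the caller, which is exactly what the persistent-connection change in the HTTP server has to make possible, since the browser expects the type-2 challenge and the type-3 reply to travel over the same connection. The type-3 decoder treats the length/offset "security buffers" as untrusted and bounds-checks them, and `encode_type3` exists only to construct a sample message so the parser can be exercised offline. Function names and the sample values (`CORP`, `alice`, `WS1`) are assumptions of this example.

```python
import base64
import binascii
import os
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001   # strings in the message are UTF-16-LE
NEGOTIATE_NTLM = 0x00000200


def decode_ntlm_header(value):
    """Return the raw NTLM message carried by an 'Authorization: NTLM <base64>'
    header value, or None when the header is missing, not NTLM, or not a
    well-formed NTLMSSP message (signature + 32-bit message type)."""
    if value is None:
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (ValueError, binascii.Error):
        return None
    if len(raw) < 12 or raw[:8] != NTLM_SIGNATURE:
        return None
    return raw


def message_type(raw):
    """Little-endian uint32 at offset 8: 1 = negotiate, 2 = challenge, 3 = authenticate."""
    return struct.unpack_from("<I", raw, 8)[0]


def _security_buffer(raw, offset):
    """Read a (length, maxlength, offset) security buffer at `offset` and return the
    bytes it points to. The client controls these fields, so an offset or length
    that points outside the message is rejected instead of being sliced blindly."""
    length, _maxlen, start = struct.unpack_from("<HHI", raw, offset)
    if length == 0:
        return b""
    if start < 12 or start + length > len(raw):
        raise ValueError("NTLM security buffer points outside the message")
    return raw[start:start + length]


def parse_type3(raw):
    """Extract the identity fields from a type-3 (authenticate) message.
    Layout: LM response @12, NT response @20, domain @28, user @36,
    workstation @44, session key @52, flags @60 (flags assumed unicode if absent)."""
    if len(raw) < 52 or message_type(raw) != 3:
        raise ValueError("not a complete type-3 message")
    flags = struct.unpack_from("<I", raw, 60)[0] if len(raw) >= 64 else NEGOTIATE_UNICODE
    encoding = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    fields = {}
    for name, offset in (("domain", 28), ("user", 36), ("workstation", 44)):
        fields[name] = _security_buffer(raw, offset).decode(encoding)
    fields["lm_response"] = _security_buffer(raw, 12)
    fields["nt_response"] = _security_buffer(raw, 20)
    return fields


def build_type2(challenge, flags=NEGOTIATE_UNICODE | NEGOTIATE_NTLM):
    """Build the type-2 (challenge) message the server sends: signature, type,
    empty target-name buffer, flags, the 8-byte server challenge, 8 reserved bytes."""
    if len(challenge) != 8:
        raise ValueError("NTLM server challenge must be 8 bytes")
    target_name = struct.pack("<HHI", 0, 0, 40)  # empty buffer placed at end of header
    return (NTLM_SIGNATURE + struct.pack("<I", 2) + target_name
            + struct.pack("<I", flags) + challenge + b"\x00" * 8)


def handshake_step(state, auth_header, challenge=None):
    """One server turn of the handshake. `state` is the per-connection dict.
    Returns (action, response_headers, identity): action is "challenge" when a
    401 with the given headers must go back on the same connection, or "verify"
    when a type-3 message was parsed and the credentials plugin must check
    identity["nt_response"] against identity["challenge"] before granting access.
    `challenge` may be supplied for deterministic tests; otherwise it is random."""
    raw = decode_ntlm_header(auth_header)
    if raw is not None and message_type(raw) == 1:
        state["challenge"] = challenge or os.urandom(8)
        token = base64.b64encode(build_type2(state["challenge"])).decode("ascii")
        return "challenge", [("WWW-Authenticate", "NTLM " + token)], None
    if raw is not None and message_type(raw) == 3 and "challenge" in state:
        identity = parse_type3(raw)
        identity["challenge"] = state.pop("challenge")  # one-time use
        return "verify", [], identity
    # no header, an unexpected type, or a type-3 with no challenge on this connection:
    # restart the exchange from the first step
    state.clear()
    return "challenge", [("WWW-Authenticate", "NTLM")], None


def encode_type3(domain, user, workstation, lm_response, nt_response):
    """Construct a type-3 message (test fixture only; a server never builds these)."""
    strings = [s.encode("utf-16-le") for s in (domain, user, workstation)]
    chunks = [lm_response, nt_response] + strings + [b""]  # last one: empty session key
    buffers, payload = b"", b""
    for chunk in chunks:
        buffers += struct.pack("<HHI", len(chunk), len(chunk), 64 + len(payload))
        payload += chunk
    return (NTLM_SIGNATURE + struct.pack("<I", 3) + buffers
            + struct.pack("<I", NEGOTIATE_UNICODE | NEGOTIATE_NTLM) + payload)


# Constructed sample headers (not captured traffic): a minimal type-1 and a type-3
# with dummy 24-byte responses, used to walk the three steps offline.
SAMPLE_TYPE1_HEADER = "NTLM " + base64.b64encode(
    NTLM_SIGNATURE + struct.pack("<I", 1) + struct.pack("<I", NEGOTIATE_UNICODE) + b"\x00" * 16
).decode("ascii")
SAMPLE_TYPE3_HEADER = "NTLM " + base64.b64encode(
    encode_type3("CORP", "alice", "WS1", b"\x11" * 24, b"\x22" * 24)
).decode("ascii")
```

The `state` dict is deliberately not a session object: if the challenge were stored in a cookie-backed session, a type-3 arriving on a different connection would still be accepted, which is not what the browser does and would undo the one-time-use property of the challenge. Whatever change is made to `HTTPTask` for keep-alive, the thing to verify afterwards is that a request carrying a type-3 message on a fresh connection gets the "restart" branch, not the "verify" one.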


On 9/15/06, Simon Hang <[EMAIL PROTECTED]> wrote:
Why can't zope3 maintain active connections? Is this because zope3 is using asynchronous sockets to serve the request?
Errr... why is zope3 doing this? Won't this method cause overhead?
Sorry for lots of questions, but I don't understand.

On 9/13/06, Gary Poster <[EMAIL PROTECTED]> wrote:

On Sep 13, 2006, at 2:30 AM, Philipp von Weitershausen wrote:

> Simon Hang wrote:
>> Hi,
>>  I'm thinking of writing an NTLM credential plugin for zope3. But as
>> I know, NTLM uses a 4-way handshake procedure, which means it needs
>> two round-trips between server (zope3) and client (browser).
>>  When I look in the credential plugins, it has a challenge method.
>> But it seems it is only designed for 1 round-trip protocols. It can
>> issue one challenge, and return to the parent script.
> I don't see how the PAU only allows one "round-trip".

AIUI (I just looked up NTLM last night out of curiosity: see http:// ), the problem is that the
4 way handshake has to happen *within a single connection*.
Apparently MS abuses HTTP to perform this.  Implementing it in
pluggable auth made me scratch my head a bit, so I didn't reply.  You
would need to slurp the request, then push back to the response, then
slurp the same request again, then push back to the response, then
slurp one more time, and finally reply with the real request.
Describing the problem to Benji, he mentioned WSGI--that does seem
like the only way I can imagine this working, and that would be
tricky enough, especially if you needed to reach into Zope for the
managed credentials.  Once the WSGI plugin did its magic, it would
need to put something in the WSGI request that a pluggable auth
plugin was willing to accept as authentication.

On the bright side, if you did this with WSGI you might be able to
offer this as a generic Python WSGI NTLM tool that required only
minimal integration with the back end app server.

I'm glad I'm not tasked with this. :-D  It sounds interesting,
though.  Also, maybe I misunderstand: read the link if you want to
come up with your own interpretation.

Zope3-users mailing list
