On 7 Feb 2006, at 23:58, michael nt milne wrote:
> Also, just to say that I did a test on only letting authenticated
> and managers view the root page of the site over ssl. If you just
> cancelled the login box or closed it, the whole front page was
> displayed without any css but you could still get all the content.
> I've had this quite a bit before so that's why I'm looking into
> Apache authentication. I just don't think that Zope authentication
> is secure.

As someone else has already mentioned, there is zero difference when
it comes to "how secure" the login procedure is. It doesn't matter
how you set up authentication if you haven't applied the proper
permission settings in Zope to prevent showing that front page
content you mentioned earlier. You need to get a better idea how to
use the built-in Zope security mechanisms to achieve the security
settings you would like to see.
Using both Apache and Zope authentication will bring mostly pain.
Your strategy is wrong. Get a better understanding of what Zope can
do in that regard and then decide.
jens