On 7 Feb 2006, at 23:58, michael nt milne wrote:

Also, just to say that I did a test on only letting authenticated and managers view the root page of the site over ssl. If you just cancelled the login box or closed it, the whole front page was displayed without any css but you could still get all the content. I've had this quite a bit before so that's why I'm looking into Apache authentication. I just don't think that Zope authentication is secure.

As someone else has already mentioned, there is zero difference when it comes to "how secure" the login procedure is. It doesn't matter how you set up authentication if you haven't applied the proper permission settings in Zope to prevent showing that front page content you mentioned earlier. You need to get a better idea how to use the built-in Zope security mechanisms to achieve the security settings you would like to see.

Using both Apache and Zope authentication will bring mostly pain. Your strategy is wrong. Get a better understanding of what Zope can do in that regard and then decide.


Zope maillist  -  Zope@zope.org
**   No cross posts or HTML encoding!  **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )

Reply via email to