Hi Michael,

michael nt milne wrote:
> I've implemented what's outlined in the make private site
> documentation and it works fine on Plone 2.1.1. No content is available
> apart from the site-map page (doesn't list content) and the contact form
> but I can figure that out separately.

Since neither of those counts as "content" as such, I think that that is legitimate and as you say, you can work around those if it matters to you (in cases where I've wanted to work around such things, I've simply called a script that redirects with an error message if the appropriate conditions aren't met).

> Yes I think I like the HTML login page way to authenticate. It feels
> more usable. And I don't think I'll use an Apache login box at all. Most
> users will find it hard remembering one password and with cookie
> authentication over SSL you can go straight into the site. Brilliant.

Agreed. Apache does a great job of managing the SSL, securing the data over public wires, but that's a 100% generic task whereas the authentication is tightly bound to your application. It's worth bearing in mind that those credentials are passed over the wire with every page, so you need your sessions to /stay/ in SSL mode once authenticated.

> I'm revisiting some of the points made in this thread though about
> security. It does seem that Zope and Plone as you say, are at odds on this.

Because Zope is an application server, it has to expose its mechanism - Plone has an easier job because it has a specific task to do (e.g. manage content), and so can take an approach which is much simpler to fly. In Plone, always do things the Plone way - working at the Zope level may potentially subvert Plone's mechanisms for achieving things.

--
Regards,
PhilK

Email: [EMAIL PROTECTED]
PGP Public key: http://www.xfr.co.uk
Voicemail & Facsimile: 07092 070518

"You'll find that one part's sweet and one part's tart:
say where the sweetness and the sourness start."
- Tony Harrison
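An added example, not part of the original message: a check over a recorded browsing session that the authentication cookie never leaves SSL, which is the condition the reply describes. The cookie name `__ac` (assumed here to be the site's cookie-auth name), the host `intranet.example` and the sample traffic are all constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

AUTH_COOKIE = "__ac"  # assumption: the site's auth cookie name; adjust as needed

# Constructed sample session, not real traffic:
# (request URL, request Cookie header, response status, response headers)
SESSION = [
    ("https://intranet.example/login_form", "", 200, {}),
    ("https://intranet.example/logged_in", "", 302,
     {"Set-Cookie": '__ac="Y29uc3RydWN0ZWQ="; Path=/',
      "Location": "http://intranet.example/front-page"}),
    ("http://intranet.example/front-page", '__ac="Y29uc3RydWN0ZWQ="', 200, {}),
    ("https://intranet.example/news", '__ac="Y29uc3RydWN0ZWQ="', 200, {}),
]

def audit(session, cookie_name=AUTH_COOKIE):
    """Return (finding, url) pairs where the auth cookie can leave SSL."""
    findings = []
    authenticated = False
    for url, cookie_hdr, status, headers in session:
        # Cookie sent by the browser on a non-HTTPS request: exposed on the wire.
        if cookie_name in SimpleCookie(cookie_hdr):
            authenticated = True
            if urlsplit(url).scheme != "https":
                findings.append(("cookie-sent-in-clear", url))
        # Cookie issued without Secure: the browser may send it over HTTP later.
        issued = SimpleCookie(headers.get("Set-Cookie", ""))
        if cookie_name in issued:
            authenticated = True
            if not issued[cookie_name]["secure"]:
                findings.append(("set-cookie-without-secure", url))
        # Redirect that drops an authenticated session back to plain HTTP.
        location = headers.get("Location", "")
        if authenticated and 300 <= status < 400 \
                and urlsplit(location).scheme == "http":
            findings.append(("redirect-leaves-ssl", url))
    return findings

if __name__ == "__main__":
    for kind, url in audit(SESSION):
        print(f"{kind}: {url}")
```
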