Cyrille Bonnet wrote at 2006-3-30 14:43 +1200:
> ...
>I did find Dieter Maurer's DigestAuth product:
>http://www.dieter.handshake.de/pyprojects/zope/#DigestAuth
>
>It looks good. I have used other products from Dieter before and was very
>pleased with the quality of his code.
>
>Now, have other people used it? Does it work with WebDAV?

It should work with WebDAV, provided the WebDAV client supports
HTTP Digest Authentication.

>How secure is
>it (I am no security/encryption expert)?

The corresponding RFC (RFC 2617) explains in detail how secure
the basic mechanism is.

My "DigestAuth DigestAuthCrumber" adds a bit of insecurity:

 * the passwords must be stored (inside Zope (!) not in the request)
   in plain text.

   This could be improved a bit, either by

    - using two way encryption -- but Zope must be able
      to get the plain text password back.

    - fixing the domain and storing the "MD5" hash
      of username, password and domain instead of the plain text
      password.
      Other authentication schemes would then need to be changed
      -- to use the same "MD5" hash.

>Also, if it is good, why is it not part of default Zope??

There are two sides of an answer: the Zope developers/maintainers
side and my side.

Adding even a good package to the core means a (rather) long term
commitment to support and maintain this package.
When you follow "comp.lang.python" (or the corresponding mailing list),
you see how reluctant the Python developers are to include
additional packages into the Python core -- to avoid these
responsibilities. The Zope maintainers are even stricter: they look
what they can get rid of rather than what they can include....

On my side: developing for the Zope core imposes much more overhead
than developing independently: I would have to make a proposal,
follow (partially stupid) style guides, add more tests (than necessary
to convince me that the quality is sufficient)...
Thus, I am reluctant to develop for the Zope core.

--
Dieter