Hi Dieter,

thanks for your response. It helps a lot.

It looks like DigestAuth is a step in the right direction, but needs more work to be completely secure.

I'll get back to my client and see where they want to go from here.

Thx for your help.



Dieter Maurer wrote:
Cyrille Bonnet wrote at 2006-3-30 14:43 +1200:

I did find Dieter Maurer's DigestAuth product: http://www.dieter.handshake.de/pyprojects/zope/#DigestAuth

It looks good. I have used other products from Dieter before and was very pleased with the quality of his code.

Now, have other people used it? Does it work with WebDAV?

It should work with WebDAV, provided the WebDAV client supports
HTTP Digest Authentication.

How secure is it (I am no security/encryption expert)?

The corresponding RFC (RFC 2617) explains in detail how
secure the basic mechanism is.

My "DigestAuth DigestAuthCrumber" adds a bit of insecurity:

  *  the passwords must be stored (inside Zope (!) not in the request)
     in plain text.

     This could be improved a bit, either by

       - using two way encryption -- but Zope must be able to get
         the plain text password back.

       - fixing the domain and storing the "MD5" hash
         of username, password and domain instead of the
         plain text password.

         Other authentication schemes would then need to
         be changed -- to use the same "MD5" hash.

Also, if it is good, why is it not part of default Zope?

There are two sides of an answer: the Zope developers'/maintainers' side
and my side.

Adding even a good package to the core means a (rather) long term
commitment to support and maintain this package. When you
follow "comp.lang.python" (or the corresponding mailing list),
you see how reluctant the Python developers are to include
additional packages into the Python core -- to avoid these
responsibilities. The Zope maintainers are even stricter: they
look at what they can get rid of rather than what they can include...

On my side: developing for the Zope core imposes much more overhead
than developing independently: I would have to make a proposal,
follow (partially stupid) style guides, add more tests (than
necessary to convince me that the quality is sufficient)...
Thus, I am reluctant to develop for the Zope core.

Zope maillist  -  Zope@zope.org

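The improvement Dieter sketches (fix the realm, store MD5(username:realm:password) instead of the plain text password) is exactly the HA1 value of RFC 2617, and the server can check a client's Digest response from HA1 alone. The following is an added example, not code from the thread or from the DigestAuth product; the user, realm and nonce values are constructed (the RFC 2617 section 3.5 test vector is used to check the arithmetic).

```python
# Added example: RFC 2617 Digest verification with only HA1 stored server-side.
# Not part of DigestAuth; all sample credentials/nonces below are constructed.
import hashlib
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). With a fixed realm this is all
    the server has to keep; the plain text password is never stored."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_response(username, realm, password, method, uri, nonce, nc, cnonce):
    """What a Digest-capable client (browser, WebDAV client) sends back."""
    return digest_response(ha1(username, realm, password), method, uri, nonce, nc, cnonce)


def server_verify(stored_ha1, method, uri, nonce, nc, cnonce, response) -> bool:
    """Server side: recompute from the stored HA1 and compare in constant time.
    Note: HA1 is password-equivalent for Digest (RFC 2617 4.13), so the
    store still needs the same access controls as a plain text password store."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return secrets.compare_digest(expected, response)


def demo():
    """Returns (accepted, rejected_after_realm_change, rejected_tampered)."""
    realm = "Zope"                                   # the fixed realm (constructed)
    stored = ha1("alice", realm, "s3cret")           # only this is kept in Zope
    nonce, nc, cnonce = "5f2a9c0e1b", "00000001", "0a4f113b"
    good = client_response("alice", realm, "s3cret", "PROPFIND", "/docs/", nonce, nc, cnonce)
    # A client that was challenged with a different realm derives a different HA1,
    # so a stored HA1 only works if the realm really is fixed.
    other = client_response("alice", "Other", "s3cret", "PROPFIND", "/docs/", nonce, nc, cnonce)
    tampered = good[:-1] + ("0" if good[-1] != "0" else "1")
    return (server_verify(stored, "PROPFIND", "/docs/", nonce, nc, cnonce, good),
            server_verify(stored, "PROPFIND", "/docs/", nonce, nc, cnonce, other),
            server_verify(stored, "PROPFIND", "/docs/", nonce, nc, cnonce, tampered))
```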