thanks for your response. It helps a lot.
It looks like DigestAuth is a step in the right direction, but needs
more work to be completely secure.
I'll get back to my client and see where they want to go from here.
Thx for your help.
Dieter Maurer wrote:
Cyrille Bonnet wrote at 2006-3-30 14:43 +1200:
I did find Dieter Mauer's DigestAuth product:
It looks good. I have used other products from Dieter before and was very
pleased with the quality of his code.
Now, have other people used it? Does it work with WebDAV?
It should work with WebDAV, provided the WebDAV client supports
HTTP Digest Authentication.
How secure is
it (I am no security/encryption expert)?
The corresponding RFC (RFC 2617) explains in detail how
secure the basic mechanism is.
My "DigestAuth DigestAuthCrumber" adds a bit of insecurity:
* the passwords must be stored (inside Zope (!) not in the request)
in plain text.
This could be improved a bit, either by
- using two way encryption -- but Zope must be able to get
the plain text password back.
- fixing the domain and storing the "MD5" hash
of username, password and domain instead of the
plain text password.
Other authentication schemes would then need to
be changed -- to use the same "MD5" hash.
Also, if it is good, why is it not part of default Zope??
There are two sides of an answer: the Zope developers'/maintainers' side
and my side.
Adding even a good package to the core means a (rather) long term
commitment to support and maintain this package. When you
follow "comp.lang.python" (or the corresponding mailing list),
you see how reluctant the Python developers are to include
additional packages into the Python core -- to avoid these
responsibilities. The Zope maintainers are even stricter: they
look at what they can get rid of rather than what they can include...
On my side: developing for the Zope core imposes much more overhead
than developing independently: I would have to make a proposal,
follow (partially stupid) style guides, add more tests (than
necessary to convince me that the quality is sufficient)...
Thus, I am reluctant to develop for the Zope core.
Zope maillist - Zope@zope.org
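The second improvement Dieter suggests above (fix the realm, store MD5(username:realm:password) instead of the plain text password) is exactly what RFC 2617 calls HA1, and the server can verify a Digest response from HA1 alone. The following is an added example written for this thread, not code from Dieter's DigestAuth product or from Zope; the realm, user names, nonces and the WebDAV request are constructed values, and the one real reference point is the worked example from RFC 2617 section 3.5, which the code reproduces to show the computation is right. The caveat a defender should keep in mind: HA1 is password-equivalent for that realm (anyone holding it can answer challenges), so the store still needs the same protection as a password file, and changing the realm later invalidates every stored value.

```python
import hashlib
import secrets


def md5_hex(s: str) -> str:
    """MD5 hex digest, the hash RFC 2617 Digest Authentication is built on."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def make_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password) (RFC 2617, 3.2.2.2).

    This is the value a server can persist instead of the plain text
    password, provided the realm is fixed for the life of the store.
    """
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """The 'response' field a client sends for qop=auth (RFC 2617, 3.2.2.1).

    HA2 = MD5(method:uri); response = MD5(HA1:nonce:nc:cnonce:qop:HA2).
    The client computes HA1 from the typed password; the server uses the
    stored HA1, so the plain text password never has to exist on the server.
    """
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify(store: dict, username: str, method: str, uri: str, nonce: str,
           nc: str, cnonce: str, response: str, qop: str = "auth") -> bool:
    """Server-side check against a store of {username: HA1}.

    Uses a constant-time comparison so the check leaks nothing about how
    many leading characters of the response were right.
    """
    ha1 = store.get(username)
    if ha1 is None:
        return False
    expected = digest_response(ha1, method, uri, nonce, nc, cnonce, qop)
    return secrets.compare_digest(expected, response)


def rfc2617_example() -> str:
    """Reproduce the worked example in RFC 2617 section 3.5 (GET /dir/index.html)."""
    ha1 = make_ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    return digest_response(ha1, "GET", "/dir/index.html",
                           "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                           "00000001", "0a4f113b")


def demo() -> tuple:
    """Constructed WebDAV scenario: a fixed realm, an HA1-only store, one good
    and one bad login attempt. Returns (good_accepted, bad_accepted)."""
    realm = "zope-dav"          # assumed fixed realm ("domain" in the thread)
    store = {"alice": make_ha1("alice", realm, "correct horse")}  # no plain text kept

    # Constructed challenge values; a real server issues a fresh nonce per challenge.
    nonce, nc, cnonce = "a1b2c3d4e5f60718", "00000001", "9f8e7d6c"
    method, uri = "PROPFIND", "/dav/docs/"

    # Client with the right password
    good = digest_response(make_ha1("alice", realm, "correct horse"),
                           method, uri, nonce, nc, cnonce)
    # Client with a wrong password
    bad = digest_response(make_ha1("alice", realm, "wrong horse"),
                          method, uri, nonce, nc, cnonce)

    return (verify(store, "alice", method, uri, nonce, nc, cnonce, good),
            verify(store, "alice", method, uri, nonce, nc, cnonce, bad))


if __name__ == "__main__":
    print("RFC 2617 example response:", rfc2617_example())
    print("good/bad attempt accepted:", demo())
```

Note that this covers only the `qop=auth` flavour of the scheme; `auth-int` additionally hashes the entity body, and `MD5-sess` derives a per-session HA1, but both still start from the same stored HA1, so the storage argument in the thread is unchanged.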