Luca Olivetti wrote:
At this point zope should see an additional header REMOTE_USER (with the
consequent security risk: you should make sure that nobody can directly
access zope otherwise they can fake this header and pose as any user)
which is available in request.environ as HTTP_REMOTE_USER.
Then it's just a matter of using PAS with the SharkbyteSSOPlugin
to use HTTP_REMOTE_USER.
I'd suggest to change

    userid = request.get(self.uservar)

to

    userid = request.environ.get(self.uservar)

for a little more security - not that this setup seems really secure to
me anyway, but I'm not a security expert ;-)
Ok, useless suggestion, since Zope request does "the right thing":
1) it will search in the environment before searching in the form and
2) it'll strip any form variable that starts with 'HTTP_'
Wetron Automatización S.A. http://www.wetron.es/
Tel. +34 93 5883004 Fax +34 93 5883007
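
An added example, not part of the message above and not code from Zope, PAS or the SharkbyteSSOPlugin: a generic WSGI middleware sketch of the precaution the message describes, dropping HTTP_REMOTE_USER unless the connection comes from the front-end server. The names TRUSTED_PROXIES, StripUntrustedRemoteUser, whoami_app and call, the addresses and the user names are assumptions made for illustration.

```python
import ipaddress

# Assumption: only the front-end web server on these addresses may assert identity.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]
IDENTITY_KEY = "HTTP_REMOTE_USER"  # how the REMOTE_USER header appears in environ


def _from_trusted_proxy(environ):
    """True only if the TCP peer is one of the configured front-end proxies."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    return any(peer in net for net in TRUSTED_PROXIES)


class StripUntrustedRemoteUser:
    """WSGI middleware: drop HTTP_REMOTE_USER unless the peer is a trusted proxy."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if not _from_trusted_proxy(environ):
            # Direct connection: whatever identity header is present was
            # supplied by the client, so it must not reach the application.
            environ.pop(IDENTITY_KEY, None)
        return self.app(environ, start_response)


def whoami_app(environ, start_response):
    """Constructed demo app that reports the identity it would trust."""
    user = environ.get(IDENTITY_KEY, "anonymous")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [user.encode()]


def call(app, environ):
    """Invoke a WSGI app with a constructed environ and return the body text."""
    return b"".join(app(dict(environ), lambda status, headers: None)).decode()


guarded = StripUntrustedRemoteUser(whoami_app)
# Constructed requests: same kind of header, different TCP peer.
via_proxy = {"REMOTE_ADDR": "127.0.0.1", "HTTP_REMOTE_USER": "alice"}
direct = {"REMOTE_ADDR": "203.0.113.7", "HTTP_REMOTE_USER": "admin"}
```

A filter like this complements, rather than replaces, binding the backend to an interface that only the front-end server can reach.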