Does the 2.7 edition of the zope book that I can find on plope.org cover security as handled by PAS?

C

********************************
Cris Ewing
CME and Telehealth Web Services
Department of Radiology Web Services
University of Washington
School of Medicine
Work Phone: (206) 685-9116
Home Phone: (206) 365-3413
E-mail: [EMAIL PROTECTED]
*******************************


On Thu, 16 Nov 2006, Maciej Wisniowski wrote:

I have been able to log in to my zope instance via
localhost:8080/manage, and when I've added the 'access' file with my
username, a colon, and a newline, no password is required to login.  So
I think the 'RemoteUserAuth' plugin described at the above site is
working correctly.

I don't know this kind of SSO. Seems to be complicated.
CACSiteRoot and RemoteUserAuth I don't know any of these... Think it
will be difficult to help you until there is somebody that used those
things, but maybe I'm wrong :)

I don't fully grasp the way that user authentication works in zope.  I'm
not sure where to begin to look for the problem here, and I'm hoping
someone can help.

You may read about Zope Security system on plope.org in Zope Book 2.7
edition.

You may want to take a look at error_log, and maybe remove unauthorized
from the list of omitted exceptions there. Additionally you may want to
enable VerboseSecurity in zope.conf. AFAIR you need to uncomment:

SecurityPolicyImplementation Python
VerboseSecurity On

Maybe then you'll see more information.


And how to debug zope part of authentication... You may possibly take a
look at the sources of RemoteUserAuth. It is possibly something with
that. Simplest debugging may be done by adding

print 'hello - im here!'

statements to the RemoteUserAuth code, and then running Zope with
./runzope (or runzope.bat on Windows). It doesn't detach from console
and you'll see your printed statements. You may also use pdb - python
debugger:

http://plone.org/documentation/how-to/using-pdb



However, when I try to access the ZMI via apache
(http://myhost.com/manage which gets rewritten to
http://localhost:8080/manage in apache proxy), I am prompted via basic
auth for username and password, and anything I enter is rejected.

Typically apache rewrites make use of VirtualHostMonster in Zope
but your how-to uses different syntax.


The expected behavior is that mod_fba sets an authorization header with
a username from pubcookie and sends it to zope with a page request for
the ZMI.

I don't understand why this SSO is about ZMI? ZMI is Zope Management
Interface - so it is rather for managers/programmers, not for typical
users. Strange.

We've successfully implemented an SSO solution with CAS. There are nice
plugins for Zope and Plone to deal with this.

--
Maciej Wisniowski


