[Zope-CMF] Simple?!? Authorization Problem
Jens Vagelpohl
jens@zope.com
Thu, 13 Sep 2001 07:41:11 -0400
marc,
> It really works fine. There are just two problems. First of all, ... how
> could I prevent people from using the "apache-way" to get into the intranet
> if they go directly to the zope server? (But I think that's possible if I
> restrict the access to zope only from the localhost, isn't it?)
start zope with an option like -w 127.0.0.1:8080 so that zope itself only
listens on the localhost address. then change your proxy rewrite rules to
forward requests to localhost, too.
>
> The second and in my opinion the bigger problem is, if I protect the apache
> proxy path with a password I get access to Zope. That's ok, but if I try to
> call the .../manage method to manage the zopeserver through apache I get
> another password check. (This time from zope). If I insert my zope admin
> password, I am no longer authorized to access the apache proxy. ... and so on :-(
this cannot work. both your apache and zope as you have it set up use
basic HTTP authentication. in this scheme the browser keeps username and
password and sends it to the server with every request. however, the
browser can only hold *one* username/password pair. either that for apache
or that for zope.
one solution could be to use a cookie-enabled user folder for zope so that
only apache relies on simple HTTP auth and zope gets its authentication
credentials through a cookie.
even with this setup the user will always have to provide username and
password twice, once for apache and once for zope.
jens
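To make the Basic-auth conflict described in the thread concrete, here is a small added Python simulation (not code from the thread, from Apache or from Zope). It models the proxy and the back end as functions that both inspect the one Authorization header a request carries; the user names, passwords and the session cookie value are constructed for the demo.

```python
import base64
from typing import Optional, Tuple

# Constructed credential stores for the demo (not real accounts).
APACHE_USERS = {"intranet": "proxy-secret"}   # checked by the apache proxy
ZOPE_USERS = {"admin": "zope-secret"}         # checked by a Basic-auth user folder
ZOPE_SESSION_COOKIE = "zope_session=constructed-session-token"  # cookie user folder

def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an HTTP Basic Authorization header, or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def basic_header(user: str, password: str) -> str:
    """Build the header a browser sends once it has been asked for Basic credentials."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def apache_proxy(request: dict, zope_backend) -> Tuple[int, str]:
    """Front layer: require proxy credentials, then forward the request unchanged.
    The same Authorization header travels on to the back end."""
    creds = parse_basic(request.get("Authorization"))
    if creds is None or APACHE_USERS.get(creds[0]) != creds[1]:
        return 401, "apache: WWW-Authenticate: Basic"
    return zope_backend(request)

def zope_basic(request: dict) -> Tuple[int, str]:
    """Back end with a Basic-auth user folder: re-checks the single header, so a
    request can only ever satisfy one of the two layers when their users differ."""
    creds = parse_basic(request.get("Authorization"))
    if creds is None or ZOPE_USERS.get(creds[0]) != creds[1]:
        return 401, "zope: WWW-Authenticate: Basic"
    return 200, "manage ok"

def zope_cookie(request: dict) -> Tuple[int, str]:
    """Back end with a cookie-based user folder: ignores the Basic header
    (which now belongs to apache alone) and authenticates from a cookie."""
    if request.get("Cookie") == ZOPE_SESSION_COOKIE:
        return 200, "manage ok"
    return 401, "zope: login form"
```

Running the proxy with `zope_basic` shows the loop from the thread: proxy credentials are rejected by Zope and Zope credentials are rejected by the proxy, while `zope_cookie` lets one request carry both the Basic header for apache and the cookie for zope.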