[Zope-PAS] Re: [Plone-developers] Re: Plugin for PluggableUserFolder

Jean-Marc Orliaguet jmo at ita.chalmers.se
Mon Oct 11 09:53:42 EDT 2004

Lennart Regebro wrote:

> Tres Seaver wrote:
>> Lennart Regebro wrote:
>>> Tres Seaver wrote:
>>>> Please continue to include zope-pas at zope.org in this discussion (in 
>>>> fact, I would recommend trimming *all* the other groups out;  
>>>> interested parties should be willing to move to the more focused 
>>>> list).
>>> Except, of course, it has nothing to do with Zope-PAS.
>>> But, yet, getting four of five copies of each mail is slightly 
>>> annoying.
>> How could it not be about PAS?  Jean-Marc is discussing the 
>> implementation of a PAS plugin?
> Nah. PluggableUserFolder != PluggableAuthService. ;)


My question from the beginning was:

- Is there a way to make CookieCrumbler more secure (i.e. not storing 
'user:pass' in a cookie)? I looked at SessionCrumbler but it is not 
safer since the password is saved in the session, and if used with ZEO 
the password will be sent unencrypted.

The KerberosIdentification plugin (v.1.2) for PluggableUserFolder is the 
safest implementation I have been able to make for that matter and I had 
to get rid of CookieCrumbler altogether (I looked afterwards at 
Lennart's CAS plugin for PluggableUserFolder and the implementation in 
the end is the same).

What I am interested in is: how do you solve the problem of not storing 
the __ac string (encoded user:pass) anywhere, either with or without 
CookieCrumbler (which by the way is included by default in CMFCore)?

With PluggableUserFolder I now know the answer. How do you do this with 
PAS, or more generally with Zope?

Regards /JM
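
An added illustration of the concern raised in this message; it is not part of the original post and is not code from CookieCrumbler, PluggableUserFolder or PAS. It contrasts a reversibly encoded 'user:pass' cookie with a signed, expiring ticket that carries no password. The function names, the ticket layout and the server-side key are assumptions made for this sketch.

```python
import base64
import hashlib
import hmac
import time


def legacy_cookie(user, password):
    """Reversible encoding of 'user:pass', the pattern the post objects to."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


def recover_credentials(cookie):
    """Whoever holds the cookie recovers the password; no key is involved."""
    user, _, password = base64.b64decode(cookie).decode().partition(":")
    return user, password


def issue_ticket(key, user, ttl=3600, now=None):
    """Hypothetical ticket: user id and expiry, signed with a server-side key."""
    expires = int(time.time() if now is None else now) + ttl
    payload = f"{user}|{expires}".encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    enc = base64.urlsafe_b64encode
    return enc(payload).decode() + "." + enc(sig).decode()


def verify_ticket(key, ticket, now=None):
    """Return the user id for a valid, unexpired ticket, otherwise None."""
    try:
        p64, s64 = ticket.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
        user, expires = payload.decode().rsplit("|", 1)
        expires = int(expires)
    except ValueError:  # malformed structure, base64 or text encoding
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    if (time.time() if now is None else now) >= expires:
        return None
    return user
```

With a ticket like this the password is checked once at login and is never written to a cookie or session; the signing key stays on the server and should be rotated like any other secret.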
