[Zope-PAS] Re: [Plone-developers] Re: Plugin for
jmo at ita.chalmers.se
Mon Oct 11 09:53:42 EDT 2004
Lennart Regebro wrote:
> Tres Seaver wrote:
>> Lennart Regebro wrote:
>>> Tres Seaver wrote:
>>>> Please continue to include zope-pas at zope.org in this discussion (in
>>>> fact, I would recommend trimming *all* the other groups out;
>>>> interested parties should be willing to move to the more focused
>>> Except, of course, it has nothing to do with Zope-PAS.
>>> But, yet, getting four of five copies of each mail is slightly
>> How could it not be about PAS? Jean-Marc is discussing the
>> implementation of a PAS plugin?
> Nah. PluggableUserFolder != PluggableAuthService. ;)
My question from the beginning was:
- is there a way to make CookieCrumbler more secure (i.e. not storing
'user:pass' in a cookie) ? I looked at SessionCrumbler but it is not
safer since the password is saved in the session, and if used with ZEO
the password will be sent unencrypted.
The KerberosIdentification plugin (v.1.2) for PluggableUserFolder is the
safest implementation I have been able to make for that matter and I had
to get rid of CookieCrumbler altogether (I looked afterwards at
Lennart's CAS plugin for PluggableUserFolder and the implementation in
the end is the same).
What I am interested in is: how do you solve the problem of not storing
the __ac string (encoded user:pass) anywhere, either with or without
CookieCrumbler (which by the way is included by default in CMFCore)?
With PluggableUserFolder I now know the answer, how do you do this with
PAS, or more generally with Zope?
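
The problem raised in this message, as an added Python example that is not part of the original post and is not CookieCrumbler, PluggableUserFolder or PAS code: a cookie holding encoded user:pass can be reversed by anyone who sees it, while an HMAC-signed ticket carries only a user id and an expiry. All function names are hypothetical, and the base64-plus-URL-quoting cookie format is an assumption about what "encoded user:pass" means here.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote, unquote

def make_ac_cookie(user, password):
    """Cookie of the kind the message describes (assumed: base64 of 'user:pass')."""
    return quote(base64.b64encode(f"{user}:{password}".encode()).decode())

def read_ac_cookie(value):
    """Holding the cookie is enough to recover the password: encoding, not encryption."""
    user, _, password = base64.b64decode(unquote(value)).decode().partition(":")
    return user, password

def issue_ticket(key, user, lifetime=3600, now=None):
    """Signed ticket: user id, expiry and nonce under HMAC-SHA256. No password inside."""
    expires = int(now if now is not None else time.time()) + lifetime
    payload = f"{user}|{expires}|{secrets.token_hex(8)}".encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac + payload).decode()

def verify_ticket(key, ticket, now=None):
    """Return the user id, or None if the ticket is forged, malformed or expired."""
    try:
        raw = base64.urlsafe_b64decode(ticket.encode())
        mac, payload = raw[:32], raw[32:]
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):  # constant-time comparison
            return None
        user, expires, _nonce = payload.decode().rsplit("|", 2)
        if int(expires) < int(now if now is not None else time.time()):
            return None
        return user
    except (ValueError, UnicodeDecodeError):
        return None

if __name__ == "__main__":
    # Constructed sample credentials and a random server-side key.
    cookie = make_ac_cookie("jmo", "s3cret")
    print("__ac style cookie:", cookie, "->", read_ac_cookie(cookie))
    key = secrets.token_bytes(32)
    ticket = issue_ticket(key, "jmo", lifetime=60)
    print("signed ticket:", ticket, "->", verify_ticket(key, ticket))
```

The ticket is still a bearer credential, so it needs the same transport protection as any session cookie; what changes is that its disclosure does not reveal the password and it stops working at expiry.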