[Zope] Realization about Apache and zope

Peter Sabaini sabaini@niil.at
Thu, 30 Sep 1999 18:59:32 +0200 (CEST)


besides using rewrite rules there is another method mentioned in
docs/WEBSERVER.TXT -- compiling apache with

-DSECURITY_HOLE_PASS_AUTHORIZATION

apache apparently will then pass authorization info to cgi's

on my developing machine i needed to do this because i had some
rewrite rules/script aliases somehow conflicting with each other

does anybody know of the security implications of this?

thx,
peter.

On Thu, 30 Sep 1999, Martijn Faassen wrote:

:Alwyn Schoeman wrote:
:> 
:> Hi,
:> 
:> I've had tremendous trouble getting it to work on Apache. Did the
:> rewrite rules. Did the rewritelog.  Checked out the tips for beginners.
:> All documents say you must go: http://localhost/cgi-bin/Zope.cgi/manage,
:> but it doesn't work. Authentication fails.
:> 
:> THEN just to be funny I tried http://localhost/Zope/manage and
:> voilà!!!!!  Why is this not somewhere in a doc or is it so stupid that
:> no one is willing to write it down?
:
:I suppose this hasn't been written down clearly as I've seen two people
:previously who had the same misconception.
:
:What are the reasons for the rewrite_rule?
:
:* making a nicer URL; /Zope or whatever instead of /cgi-bin/Zope.cgi
:
:* passing authentication information to Zope.cgi
:
:The second reason is the essential one! Apache apparently does not pass
:on authentication information to any cgi script. Zope needs this
:authentication information to work. So we fool apache with a
:rewrite_rule, which, when activated, passes the authentication
:information on to Zope.cgi using an environment variable (the e= thing
:in the rewrite rule). So, if you call Zope.cgi so that the rewrite_rule
:is activated, the authentication info is passed, and Zope works. The
:rewrite_rule is only activated if you actually trigger it with the
:/Zope/ thing, which is what after all it wants to rewrite. It does not
:get triggered if you go to the cgi directly.
:
:Someone ought to write this down somewhere very clearly in the install
:documents. It *is* in the docs because this is how I know myself, but
:apparently not too clearly.
:
:Regards,
:
:Martijn
:

-- 

_________________________________________________
peter sabaini, mailto: sabaini@niil.at
-------------------------------------------------
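
Added example (not part of the original thread, and not Zope or Apache code): with either method discussed above, the client's Basic Authorization value reaches the CGI as a plain environment variable, so any script that receives it, and any child process that inherits its environment, can recover the password. The sketch below decodes the value as a CGI would and strips it before the environment is handed on. `HTTP_AUTHORIZATION` is the variable Apache sets when built with -DSECURITY_HOLE_PASS_AUTHORIZATION; `HTTP_CGI_AUTHORIZATION` is the name assumed here for the variable set by the rewrite rule's e= flag, and the sample environments are constructed.

```python
import base64
import binascii

# Variables that may carry the client's Authorization header into a CGI.
# HTTP_CGI_AUTHORIZATION is an assumed name for the rewrite rule's e= variable.
AUTH_VARS = ("HTTP_AUTHORIZATION", "HTTP_CGI_AUTHORIZATION")


def basic_credentials(environ):
    """Return (user, password) from a Basic Authorization value, or None."""
    for name in AUTH_VARS:
        value = environ.get(name, "")
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic" or not token:
            continue
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # malformed header: treat as unauthenticated
        user, sep, password = decoded.partition(":")
        if sep:
            return user, password
    return None


def scrubbed_environ(environ):
    """Copy of environ without credentials, for passing to child processes."""
    return {k: v for k, v in environ.items() if k not in AUTH_VARS}


# Constructed sample environments (not captured from a real server).
SAMPLE_TOKEN = base64.b64encode(b"manager:example-password").decode("ascii")
VIA_REWRITE = {"SCRIPT_NAME": "/Zope",
               "HTTP_CGI_AUTHORIZATION": "Basic " + SAMPLE_TOKEN}
DIRECT_CGI = {"SCRIPT_NAME": "/cgi-bin/Zope.cgi"}  # rule not triggered

if __name__ == "__main__":
    print(basic_credentials(VIA_REWRITE))   # credentials visible to the CGI
    print(basic_credentials(DIRECT_CGI))    # nothing passed, login fails
    print(sorted(scrubbed_environ(VIA_REWRITE)))
```

The rewrite rule exposes the value only to the one script it targets, while the compile-time flag exposes it to every CGI the server runs.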