[Zope] ssl zope http/https

Dylan Reinhardt zope at dylanreinhardt.com
Tue Dec 2 10:40:20 EST 2003


On Mon, 2003-12-01 at 21:25, Joshua Newman wrote:

> I've installed SSLAbsoluteURL but it seems to demand that I use links
> of a certain format: 
> can't use: (end brackets removed for html email readers)
> A HREF="/Services/Support/Zope">Zope Support</A
> 
> but rather must use:
> 
> A HREF="<dtml-var "Services.Support.Zope" url>">Zope Support</A
> A HREF="<dtml-var "Zope" url>">Zope Support</A
> or this:
> A HREF="&dtml.url-Zope;">Zope Support</A

I haven't used that package... but at some level, you're just returning
a string with https:// in it.  The client neither knows nor cares how it
was generated.  There are plenty of ways you could wrap your hrefs in
something that checked which protocol the link should be served under.

Say, for example, you had an object called http_mode that you put at the
root of any hierarchy that needed a particular http/https value set. 
Then you could pass link hrefs to something like:

---
# Swap the scheme of the href passed in as my_url for the one http_mode() returns.
split_url = my_url.split(':')
split_url[0] = context.http_mode()
return ':'.join(split_url)
---

> 3. If I remove the 's' from 'https' after following one of my
> encrypted links I can still get the page unencrypted (i.e. http://...). Is
> there any way to stop this? It seems to defeat the purpose of
> encryption.

This is something that Apache's much better at, honestly.

But if you want a pure ZServer solution and had already set up those
http_mode objects used above, you could easily insert a check that will
break non-conforming requests, e.g.:

----
# Refuse any request whose scheme differs from the one this hierarchy requires.
if context.REQUEST.URL.split(':')[0] != context.http_mode():
    raise RuntimeError('This resource may only be viewed with https')
----

HTH,

Dylan
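
The two snippets in the message above, combined into one stand-alone sketch; this is an added example, not part of the original post and not code from Zope or SSLAbsoluteURL. The `HTTP_MODES` table, the longest-prefix lookup that stands in for `http_mode` objects, and the `www.example.com` URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample data: path prefix -> required scheme. Each entry stands in
# for an http_mode object placed at the root of a hierarchy.
HTTP_MODES = {"/": "http", "/Services/Support": "https"}


def http_mode(path, modes=HTTP_MODES):
    """Return the scheme set by the nearest enclosing hierarchy (longest prefix)."""
    best, mode = -1, "https"  # no match at all: fall back to https
    for prefix, value in modes.items():
        root = prefix.rstrip("/")
        # Match whole path segments only, so /Services/SupportX is not covered.
        if (path == root or path.startswith(root + "/")) and len(root) > best:
            best, mode = len(root), value
    return mode


def force_scheme(url, scheme):
    """Replace only the scheme; host, port, path and query are left untouched."""
    return urlunsplit((scheme,) + tuple(urlsplit(url)[1:]))


def rewrite_href(url):
    """Give a link the scheme its target hierarchy requires."""
    return force_scheme(url, http_mode(urlsplit(url).path))


def enforce(request_url):
    """Return None if the request conforms, else the URL it should have used."""
    parts = urlsplit(request_url)
    required = http_mode(parts.path)
    if parts.scheme == required:
        return None
    return force_scheme(request_url, required)


if __name__ == "__main__":
    for url in ("http://www.example.com/Services/Support/Zope",
                "https://www.example.com/Services/Support/Zope",
                "https://www.example.com/index_html"):
        print(url, "->", enforce(url) or "ok")
```

The check relies on the scheme in the URL the application sees, so it only holds when that matches the client's actual connection; behind a front-end proxy that terminates TLS and forwards over plain http, the application would see http for every request.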



