[Zope] Zope/Plone logon security strategy etc

Dieter Maurer dieter at handshake.de
Tue Feb 28 13:10:31 EST 2006


michael nt milne wrote at 2006-2-28 15:51 +0000:
>I'm probably missing something really obvious but am wondering how you
>actually implement your product on a live plone site. I've got it installed.
>Do you just customise the login form that comes with the product and use
>that on the site?

I fear you do not understand the essence of HTTP authentication:

  For any kind of HTTP authentication (whether "basic" or
  "digest"), it is the browser which gathers the login
  information. Therefore, you do not have a login form (which
  you could customize on the server). Instead, the browser uses
  its login dialog (which you might customize, if you
  are using e.g. Mozilla or Firefox, but which is usually out of the
  server's reach).

As written in the documentation on my website,
"DigestAuth" currently only contains a "DigestAuthCrumbler"
which works similar to the "CookieCrumbler".
More precisely:

  It takes digest auth information, verifies it and
  (if successful) presents it like basic auth information
  to the remaining parts of Zope.

  The "CookieCrumbler" works very similarly: it takes the
  information from a cookie and presents it like
  basic auth information to the remaining parts of Zope.

  The "DigestAuthCrumbler" is a bit less transparent.
  It *MUST* know the user's password in order to verify
  the validity of the presented auth information (more precisely,
  a special hash would be sufficient, but usual user folders
  do not support such hashes). Therefore, it can only be
  used together with UserFolders providing access to the
  clear text password.



-- 
Dieter
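The "crumbler" idea described above, as an added worked example (this is not the DigestAuth or CookieCrumbler code, and it uses no Zope APIs): a client builds an RFC 2617 "Digest" Authorization header, the server verifies it and, on success, re-presents the credential as a Basic-style string for the rest of the application. The realm "Zope", the nonce value, the user store and the password are all constructed for the example. The verifier takes an HA1 lookup callback, which shows the point made in the last paragraph: with a user folder that stores clear-text passwords the server derives HA1 = MD5(user:realm:password) on the fly, but a store that keeps only HA1 would work just as well.

```python
"""Digest verification, then re-presentation as Basic.

Added example, not the DigestAuth product's code. Assumes MD5 digest
per RFC 2617 with qop="auth" (auth-int is rejected), plus an RFC 2069
fallback when no qop is sent. Realm, nonce and users are constructed.
"""
import base64
import hashlib
import hmac
import re

REALM = "Zope"   # assumed realm for the example
# (key="quoted value") or (key=bare), comma separated
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """RFC 2617 HA1: the only per-user secret the verifier needs."""
    return _md5(f"{username}:{realm}:{password}")


def parse_digest(header: str) -> dict:
    """Split 'Digest k="v", k2=v2, ...' into a dict."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    out = {}
    for m in _PARAM_RE.finditer(params):
        out[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def digest_response(h1: str, method: str, uri: str, nonce: str,
                    nc: str = "", cnonce: str = "", qop: str = "") -> str:
    """The 'response' value both sides compute."""
    ha2 = _md5(f"{method}:{uri}")
    if qop:
        return _md5(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{h1}:{nonce}:{ha2}")   # RFC 2069 form, no qop


def build_digest_header(username, password, realm, nonce, method, uri,
                        cnonce="0a4f113b", nc="00000001", qop="auth"):
    """Client side: what the browser's own login dialog would send."""
    resp = digest_response(ha1(username, realm, password), method, uri,
                           nonce, nc, cnonce, qop)
    parts = [f'username="{username}"', f'realm="{realm}"',
             f'nonce="{nonce}"', f'uri="{uri}"', f'response="{resp}"']
    if qop:
        parts += [f"qop={qop}", f"nc={nc}", f'cnonce="{cnonce}"']
    return "Digest " + ", ".join(parts)


def verify_digest(header, method, uri, lookup_ha1, expected_realm,
                  valid_nonces):
    """Server side: return the username on success, else None.

    lookup_ha1(username) -> HA1 hex string or None. It does not matter
    whether the user store holds clear-text passwords or only HA1.
    """
    try:
        p = parse_digest(header)
    except ValueError:
        return None
    if any(k not in p for k in ("username", "realm", "nonce", "uri",
                                "response")):
        return None
    # Bind the digest to this realm, a nonce we issued and the request URI.
    if p["realm"] != expected_realm or p["nonce"] not in valid_nonces:
        return None
    if p["uri"] != uri:
        return None
    qop = p.get("qop", "")
    if qop and qop != "auth":            # auth-int not handled here
        return None
    if qop and ("nc" not in p or "cnonce" not in p):
        return None
    h1 = lookup_ha1(p["username"])
    if h1 is None:
        return None
    expected = digest_response(h1, method, p["uri"], p["nonce"],
                               p.get("nc", ""), p.get("cnonce", ""), qop)
    if not hmac.compare_digest(expected, p["response"]):
        return None
    return p["username"]


def as_basic(username, password):
    """Basic-style credential handed on to the rest of the application."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


# Constructed user store with clear-text passwords, as a plain user
# folder would have, and a set of nonces this server handed out.
USERS = {"alice": "s3cret"}
NONCES = {"dcd98b7102dd2f0e8b11d0f600bfb0c093"}


def lookup_from_cleartext(username):
    pw = USERS.get(username)
    return None if pw is None else ha1(username, REALM, pw)


def crumble(header, method, uri):
    """Digest header in, Basic-style credential out (or None)."""
    user = verify_digest(header, method, uri, lookup_from_cleartext,
                         REALM, NONCES)
    return None if user is None else as_basic(user, USERS[user])


if __name__ == "__main__":
    hdr = build_digest_header("alice", "s3cret", REALM, next(iter(NONCES)),
                              "GET", "/manage")
    print(hdr)
    print(crumble(hdr, "GET", "/manage"))
```

Note that the final step only works because the store holds the clear-text password: an HA1-only store can still verify the digest, but it cannot produce the "user:password" string that a Basic-style credential needs, which is exactly the limitation the post describes.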

