[Zope] PAS and SSO pubcookie question

cristopher pierson ewing cewing at u.washington.edu
Thu Nov 16 17:04:30 EST 2006


Does the 2.7 edition of the zope book that I can find on plope.org cover 
security as handled by PAS?

C

********************************
Cris Ewing
CME and Telehealth Web Services
Department of Radiology Web Services
University of Washington
School of Medicine
Work Phone: (206) 685-9116
Home Phone: (206) 365-3413
E-mail: cewing at u.washington.edu
*******************************


On Thu, 16 Nov 2006, Maciej Wisniowski wrote:

>> I have been able to log in to my zope instance via
>> localhost:8080/manage, and when I've added the 'access' file with my
>> username, a colon, and a newline, no password is required to login.  So
>> I think the 'RemoteUserAuth' plugin described at the above site is
>> working correctly.
> I don't know this kind of SSO. Seems to be complicated.
> CACSiteRoot and RemoteUserAuth I don't know any of these... Think it
> will be difficult to help you until there is somebody that used those
> things, but maybe I'm wrong :)
>
>> I don't fully grasp the way that user authentication works in zope.  I'm
>> not sure where to begin to look for the problem here, and I'm hoping
>> someone can help.
> You may read about Zope Security system on plope.org in Zope Book 2.7
> edition.
>
> You may want to take a look at error_log, and maybe remove unauthorized
> from the list of omitted exceptions there. Additionally you may want to
> enable VerboseSecurity in zope.conf. AFAIR you need to uncomment:
>
> SecurityPolicyImplementation Python
> VerboseSecurity On
>
> Maybe then you'll see more information.
>
>
> And how to debug zope part of authentication... You may possibly take a
> look at the sources of RemoteUserAuth. It is possibly something with
> that. Simplest debugging may be done by adding
>
> print 'hello - im here!'
>
> statements to the RemoteUserAuth code, and then running Zope with
> ./runzope (or runzope.bat on Windows). It doesn't detach from console
> and you'll see your printed statements. You may also use pdb - python
> debugger:
>
> http://plone.org/documentation/how-to/using-pdb
>
>
>
>> However, when I try to access the ZMI via apache
>> (http://myhost.com/manage which gets rewritten to
>> http://localhost:8080/manage in apache proxy), I am prompted via basic
>> auth for username and password, and anything I enter is rejected.
> Typically apache rewrites make use of VirtualHostMonster in Zope
> but your how-to uses different syntax.
>
>
>> The expected behavior is that mod_fba sets an authorization header with
>> a username from pubcookie and sends it to zope with a page request for
>> the ZMI.
> I don't understand why this SSO is about ZMI? ZMI is Zope Management
> Interface - so it is rather for managers/programmers, not for typical
> users. Strange.
>
> We've successfully implemented SSO solution with CAS. There are nice
> plugins for Zope and Plone to deal with this.
>
> -- 
> Maciej Wisniowski
>
>
>

