[Zope3-Users] Re: NTLM credential plugin

Simon Hang hangzhiyun at gmail.com
Fri Sep 15 02:16:20 EDT 2006


Hi,

Why can zope3 not maintain active connections? Is this because zope3 is
using asynchronous sockets (asyncore.py) to serve the request?
Errr... why is zope3 doing this? Won't this method cause overhead?

Sorry for lots of questions, but I don't understand.

Thanks,
Simon


On 9/13/06, Gary Poster <gary at zope.com> wrote:
>
>
> On Sep 13, 2006, at 2:30 AM, Philipp von Weitershausen wrote:
>
> > Simon Hang wrote:
> >> Hi,
> >>  I'm thinking of writing an NTLM credential plugin for zope3. But as
> >> I know, ntlm uses a 4-way handshake procedure, that means it needs
> >> two round-trips between server (zope3) and client (browser).
> >>  When I look in the credential plugins, it has a challenge method.
> >> But it seems it is only designed for a 1 round-trip protocol. It can
> >> issue one challenge, and return to the parent script.
> >
> > I don't see how the PAU only allows one "round-trip".
>
> AIUI (I just looked up NTLM last night out of curiosity: see
> http://www.innovation.ch/personal/ronald/ntlm.html), the problem is that the
> 4 way handshake has to happen *within a single connection*.
> Apparently MS abuses HTTP to perform this.  Implementing it in
> pluggable auth made me scratch my head a bit, so I didn't reply.  You
> would need to slurp the request, then push back to the response, then
> slurp the same request again, then push back to the response, then
> slurp one more time, and finally reply with the real request.
> Describing the problem to Benji, he mentioned WSGI--that does seem
> like the only way I can imagine this working, and that would be
> tricky enough, especially if you needed to reach into Zope for the
> managed credentials.  Once the WSGI plugin did its magic, it would
> need to put something in the WSGI request that a pluggable auth
> plugin was willing to accept as authentication.
>
> On the bright side, if you did this with WSGI you might be able to
> offer this as a generic Python WSGI NTLM tool that required only
> minimal integration with the back end app server.
>
> I'm glad I'm not tasked with this. :-D  It sounds interesting,
> though.  Also, maybe I misunderstand: read the link if you want to
> come up with your own interpretation.
>
> Gary
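The single-connection constraint Gary describes, as an added example that is not part of the original thread and is not Zope, PAU or WSGI library code: a tracker that a front-end layer could consult to decide its next reply, accepting a Type 3 message only on the connection where the challenge was issued. `HandshakeTracker`, its action names and the connection key (here a client address and port pair) are assumptions; building the Type 2 reply and verifying the Type 3 response are left to the caller.

```python
import base64
import os
import struct

SIGNATURE = b"NTLMSSP\x00"  # every NTLM message starts with this marker

def ntlm_message_type(authorization):
    """Return 1, 2 or 3 for a well-formed 'NTLM <base64>' header value, else None."""
    scheme, _, token = (authorization or "").partition(" ")
    if scheme.upper() != "NTLM":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or not raw.startswith(SIGNATURE):
        return None
    (msg_type,) = struct.unpack_from("<I", raw, 8)  # little-endian type field
    return msg_type if msg_type in (1, 2, 3) else None

class HandshakeTracker:
    """Remembers the challenge issued on each connection (hypothetical helper)."""

    def __init__(self):
        self.pending = {}  # connection key -> 8-byte server challenge

    def step(self, conn, authorization):
        """Decide the server's next move for one request on connection `conn`."""
        msg_type = ntlm_message_type(authorization)
        if msg_type == 1:  # negotiate: bind a fresh challenge to this connection
            self.pending[conn] = os.urandom(8)
            return "send-challenge", self.pending[conn]
        if msg_type == 3:  # authenticate: valid only where the challenge was issued
            challenge = self.pending.pop(conn, None)  # single use
            return ("verify", challenge) if challenge else ("reject", None)
        self.pending.pop(conn, None)  # anything else restarts the handshake
        return "request-ntlm", None

    def closed(self, conn):
        """Call when the connection ends so a reused key cannot inherit state."""
        self.pending.pop(conn, None)

if __name__ == "__main__":
    # Constructed sample messages: signature, type, zeroed flags field.
    def header(t):
        return "NTLM " + base64.b64encode(SIGNATURE + struct.pack("<II", t, 0)).decode()
    tracker, a, b = HandshakeTracker(), ("192.0.2.10", 40001), ("192.0.2.10", 40002)
    print(tracker.step(a, None)[0], tracker.step(a, header(1))[0],
          tracker.step(b, header(3))[0], tracker.step(a, header(3))[0])
```

A Type 3 message that arrives on a connection with no pending challenge is rejected rather than matched against another connection's state, so a response cannot be replayed across connections.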