The Artima Developer Community

Python Buzz Forum
ZServerSSL X509_REMOTE_USER

Ng Pheng Siong

ZServerSSL X509_REMOTE_USER Posted: Nov 26, 2004 2:27 PM

This post originated from an RSS feed registered with Python Buzz by Ng Pheng Siong.
Original Post: ZServerSSL X509_REMOTE_USER
Feed Title: (render-blog Ng Pheng Siong)
Feed URL: http://sandbox.rulemaker.net/ngps/rdf10_xml
Feed Description: Just another this here thing blog.

Zope is commonly run behind another HTTP server, e.g., Apache or IIS. Zope's standard authentication mechanism is HTTP Basic Authentication. Quoting Zope 2's doc/WEBSERVER.txt, "Sometimes you may prefer to handle authentication outside Zope, for example if your web server already does complex authorization [...]" This is done via CGI's REMOTE_USER request meta-variable, i.e., the web server authenticates the client, sets REMOTE_USER appropriately, and Zope uses that value to handle permissions for those authenticated users.

Dylan Jay extracted Zope's REMOTE_USER code to create RemoteUserFolder. As Dylan describes, "An example of how this might be useful is the use of IIS internal windows authentication. IIS can be set to handle authentication of users against their current windows domain login, thus not requiring any further login to the website. With RemoteUserFolder installed, any user with a domain login will automatically be a Zope authenticated user. In addition with RemoteUserFolder it is possible to set a default set of roles for any user of a particular NT domain."

ZServerSSL's X509_REMOTE_USER mode integrates X.509 client certificates and RemoteUserFolder: Run Zope in REMOTE_USER mode and configure ZServerSSL's HTTPS server to require client X.509 certificates. When a user connects, ZServerSSL handles certificate verification and sets REMOTE_USER to the client certificate's subject distinguished name if the client certificate is accepted. In this case, the user names in the RemoteUserFolder are structured strings such as /C=SG/O=M2Crypto/CN=M2Crypto Client. (But still strings!)

Just in case I'm being unclear: In X509_REMOTE_USER mode ZServerSSL is handling the authentication; there is no external web server.

(A bit of history: Back in 2000 when X509_REMOTE_USER mode was first released (scroll to the end of the linked page), RemoteUserFolder didn't exist. At that time I wrote a simple workalike tool that mapped the subject distinguished name to a Zope username; this program is <m2crypto>/demo/Zope/utilities/x509_user.py.)

Read: ZServerSSL X509_REMOTE_USER
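The mapping from a verified client certificate to a REMOTE_USER string, as described in the post, sketched as an added example (not part of the original post, and not ZServerSSL or RemoteUserFolder code). It assumes the TLS layer has already verified the certificate and uses the dict shape returned by the Python standard library's ssl.SSLSocket.getpeercert() rather than M2Crypto; subject_oneline, set_remote_user and the sample certificate are hypothetical names and constructed data.

```python
# Added example: maps a verified client certificate subject to REMOTE_USER.
# Input shape: what the stdlib ssl.SSLSocket.getpeercert() returns.

SHORT = {  # attribute names as reported by the ssl module -> DN short names
    "countryName": "C", "stateOrProvinceName": "ST", "localityName": "L",
    "organizationName": "O", "organizationalUnitName": "OU", "commonName": "CN",
}


class AmbiguousSubject(ValueError):
    """The subject cannot be rendered as an unambiguous user name."""


def subject_oneline(peercert):
    """Render the subject as /C=../O=../CN=.. in certificate order."""
    parts = []
    for rdn in peercert["subject"]:
        if len(rdn) != 1:
            raise AmbiguousSubject("multi-valued RDN")
        key, value = rdn[0]
        if key not in SHORT:
            raise AmbiguousSubject("unmapped attribute %r" % (key,))
        # The user name is a plain string: a '/' inside a value would let two
        # different subjects render to the same name, so refuse it.
        if not value or "/" in value or not value.isprintable():
            raise AmbiguousSubject("unsafe value in %s" % key)
        parts.append("/%s=%s" % (SHORT[key], value))
    return "".join(parts)


def set_remote_user(environ, peercert):
    """Set REMOTE_USER only from a verified certificate; drop any prior value."""
    environ.pop("REMOTE_USER", None)
    # getpeercert() gives None (no certificate) or {} (certificate not validated).
    if not peercert or not peercert.get("subject"):
        return None
    try:
        environ["REMOTE_USER"] = subject_oneline(peercert)
    except AmbiguousSubject:
        return None
    return environ["REMOTE_USER"]


# Constructed sample matching the distinguished name quoted in the post.
SAMPLE_CERT = {"subject": ((("countryName", "SG"),),
                           (("organizationName", "M2Crypto"),),
                           (("commonName", "M2Crypto Client"),))}
```

The resulting string is what a user folder keyed on REMOTE_USER would look up, so any change to the rendering (attribute order, short names) changes which user the certificate maps to.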
