Re: [Zope-dev] z3c.password and "failedAttempts" and SessionCredentialsPlugin

2010-01-18 Thread Adam GROSZER
Hello,

Right. Well right now the lame solution is to try to count the number
of resources needed to load the page and multiply maxFailedAttempts by
that number.
Other than that you _will_ want to offload resources in production.

(Another idea could be to try to identify requests that are not for
resources, but how?)


Tuesday, January 19, 2010, 12:16:38 AM, you wrote:

R> Hi Jan

>> Betreff: [Zope-dev] z3c.password and "failedAttempts" and SessionCredentialsPlugin
>> 
>> Hi,
>> 
>> I'm looking into integrating z3c.password into an application 
>> that also uses the PAU with the principal folder, 
>> InternalPrincipals and the SessionCredentialsPlugin.
>> 
>> One of the features of z3c.password that I'd like to use is 
>> locking out a user account after a number of failed login attempts. 
>> z3c.password provides such a feature.
>> 
>> However, it seems this feature does not play well with the
>> SessionCredentialsPlugin:
>> 
>> The SessionCredentials will store the login and password that 
>> were submitted through the login form in a session. This 
>> login/password combination then is checked against the 
>> internal principal stored in the principal folder.
>> 
>> If the password is correct then (obviously) everything is fine.
>> 
>> When the password is incorrect, the user is directed back to 
>> the login form as authentication failed. If the page with the 
>> login form retrieves resources (like images or css or 
>> javascript files) and since the zopepublication will _try_ to 
>> authenticate every request, the wrongful login/password 
>> combination is checked multiple times for that page and its 
>> resources against the internal principal object.
>> 
>> The internal principal mixin of z3c.password will count the 
>> number of failed checks. If you tell it to lock out a user 
>> after, say, three failed attempts, you have a problem, as the 
>> number of login page resources (thus requests) will quite 
>> easily outnumber the maximum number of attempts.
>> 
>> Questions: is anyone using this feature of z3c.password in 
>> combination with the SessionCredentialsPlugin? If this is 
>> working for you, do you have any idea what I am doing wrong 
>> here? What type of authentication are the authors of 
>> z3c.password using?

R> Probably Adam can tell you more about that.

R> One solution could be to offload your resources and 
R> deliver them from Apache or Nginx Frontend.

R> Regards
R> Roger Ineichen

>> Thanks for any insight here.
>> regards,
>> jw

-- 
Best regards,
 Adam GROSZER  mailto:agros...@gmail.com
--
Quote of the day:
This is a good time to punt work.

___
Zope-Dev maillist  -  Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope )


Re: [Zope-dev] z3c.password and "failedAttempts" and SessionCredentialsPlugin

2010-01-18 Thread Jan-Wijbrand Kolman
"Roger" wrote:
>> Betreff: [Zope-dev] z3c.password and "failedAttempts" and SessionCredentialsPlugin
>> 
>> I'm looking into integrating z3c.password into an application 
>> that also uses the PAU with the principal folder, 
>> InternalPrincipals and the SessionCredentialsPlugin.
>> 
>> One of the features of z3c.password that I'd like to use is 
>> locking out a user account after a number of failed login attempts. 
>> z3c.password provides such a feature.
>> 
>> However, it seems this feature does not play well with the
>> SessionCredentialsPlugin:
>> 
>> The SessionCredentials will store the login and password that 
>> were submitted through the login form in a session. This 
>> login/password combination then is checked against the 
>> internal principal stored in the principal folder.
>> 
>> If the password is correct then (obviously) everything is fine.
>> 
>> When the password is incorrect, the user is directed back to 
>> the login form as authentication failed. If the page with the 
>> login form retrieves resources (like images or css or 
>> javascript files) and since the zopepublication will _try_ to 
>> authenticate every request, the wrongful login/password 
>> combination is checked multiple times for that page and its 
>> resources against the internal principal object.
>> 
>> The internal principal mixin of z3c.password will count the 
>> number of failed checks. If you tell it to lock out a user 
>> after, say, three failed attempts, you have a problem, as the 
>> number of login page resources (thus requests) will quite 
>> easily outnumber the maximum number of attempts.
>> 
>> Questions: is anyone using this feature of z3c.password in 
>> combination with the SessionCredentialsPlugin? If this is 
>> working for you, do you have any idea what I am doing wrong 
>> here? What type of authentication are the authors of 
>> z3c.password using?
> 
> Probably Adam can tell you more about that.

I hope so :-) At this point I do not see how this feature can work except 
with PAU's BasicAuth - or in tests, where the page's resources generally 
are not fetched and thus the problem is not exposed...

> One solution could be to offload your resources and 
> deliver them from Apache or Nginx Frontend.

This might work for generic resources in a page, but not for, for 
example, images in the page or something that needed computation. It 
would essentially only counter the symptoms.

Thank you for your reply.

regards,
jw



Re: [Zope-dev] [BlueBream] Request for a mailing list

2010-01-18 Thread Baiju M
On Tue, Jan 19, 2010 at 10:16 AM, Tres Seaver wrote:
> Done:  you are good to go.

Thanks !

--
Baiju M


Re: [Zope-dev] [BlueBream] Request for a mailing list

2010-01-18 Thread Tres Seaver
Baiju M wrote:
> Hi,
> BlueBream needs a mailing list to co-ordinate documentation efforts.
> Maybe the scope could be expanded later, if required.
> 
> Can anyone point me to the details about how to create it?
> I would prefer bluebr...@zope.org
> And I would prefer the mailman admin user as mbaiju AT zeomega.com

Done:  you are good to go.


Tres.
--
===
Tres Seaver  +1 540-429-0999  tsea...@palladion.com
Palladion Software   "Excellence by Design"  http://palladion.com


[Zope-dev] [BlueBream] Request for a mailing list

2010-01-18 Thread Baiju M
Hi,
BlueBream needs a mailing list to co-ordinate documentation efforts.
Maybe the scope could be expanded later, if required.

Can anyone point me to the details about how to create it?
I would prefer bluebr...@zope.org
And I would prefer the mailman admin user as mbaiju AT zeomega.com

Regards,
Baiju M


Re: [Zope-dev] z3c.password and "failedAttempts" and SessionCredentialsPlugin

2010-01-18 Thread Roger
Hi Jan

> Betreff: [Zope-dev] z3c.password and "failedAttempts" and SessionCredentialsPlugin
> 
> Hi,
> 
> I'm looking into integrating z3c.password into an application 
> that also uses the PAU with the principal folder, 
> InternalPrincipals and the SessionCredentialsPlugin.
> 
> One of the features of z3c.password that I'd like to use is 
> locking out a user account after a number of failed login attempts. 
> z3c.password provides such a feature.
> 
> However, it seems this feature does not play well with the
> SessionCredentialsPlugin:
> 
> The SessionCredentials will store the login and password that 
> were submitted through the login form in a session. This 
> login/password combination then is checked against the 
> internal principal stored in the principal folder.
> 
> If the password is correct then (obviously) everything is fine.
> 
> When the password is incorrect, the user is directed back to 
> the login form as authentication failed. If the page with the 
> login form retrieves resources (like images or css or 
> javascript files) and since the zopepublication will _try_ to 
> authenticate every request, the wrongful login/password 
> combination is checked multiple times for that page and its 
> resources against the internal principal object.
> 
> The internal principal mixin of z3c.password will count the 
> number of failed checks. If you tell it to lock out a user 
> after, say, three failed attempts, you have a problem, as the 
> number of login page resources (thus requests) will quite 
> easily outnumber the maximum number of attempts.
> 
> Questions: is anyone using this feature of z3c.password in 
> combination with the SessionCredentialsPlugin? If this is 
> working for you, do you have any idea what I am doing wrong 
> here? What type of authentication are the authors of 
> z3c.password using?

Probably Adam can tell you more about that.

One solution could be to offload your resources and 
deliver them from Apache or Nginx Frontend.

Regards
Roger Ineichen

> Thanks for any insight here.
> regards,
> jw


[Zope-dev] z3c.password and "failedAttempts" and SessionCredentialsPlugin

2010-01-18 Thread Jan-Wijbrand Kolman
Hi,

I'm looking into integrating z3c.password into an application that 
also uses the PAU with the principal folder, InternalPrincipals and 
the SessionCredentialsPlugin.

One of the features of z3c.password that I'd like to use is locking 
out a user account after a number of failed login attempts. 
z3c.password provides such a feature.

However, it seems this feature does not play well with the 
SessionCredentialsPlugin:

The SessionCredentials will store the login and password that were 
submitted through the login form in a session. This login/password 
combination then is checked against the internal principal stored in 
the principal folder.

If the password is correct then (obviously) everything is fine.

When the password is incorrect, the user is directed back to the login 
form as authentication failed. If the page with the login form 
retrieves resources (like images or css or javascript files) and since 
the zopepublication will _try_ to authenticate every request, the 
wrongful login/password combination is checked multiple times for that 
page and its resources against the internal principal object.

The internal principal mixin of z3c.password will count the number of 
failed checks. If you tell it to lock out a user after, say, three 
failed attempts, you have a problem, as the number of login page 
resources (thus requests) will quite easily outnumber the maximum 
number of attempts.

Questions: is anyone using this feature of z3c.password in combination 
with the SessionCredentialsPlugin? If this is working for you, do you 
have any idea what I am doing wrong here? What type of authentication 
are the authors of z3c.password using?

Thanks for any insight here.
regards,
jw



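The over-counting jw describes above, and Adam's workaround of multiplying maxFailedAttempts by the number of requests a page triggers, as an added simulation that is not code from z3c.password or zope.pluggableauth. The class and function names are constructed stand-ins, and the clear_on_failure switch tries one mitigation the thread does not settle on: forgetting the credentials in the session as soon as they fail, so the resource requests that follow are anonymous rather than repeated failures.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

class PrincipalLockedOut(Exception):
    """Raised once failed_attempts reaches the configured maximum."""

@dataclass
class LockoutPrincipal:
    """Constructed stand-in for the z3c.password principal mixin that counts failed checks."""
    login: str
    password: str
    max_failed_attempts: int = 3
    failed_attempts: int = 0

    def check_password(self, password: str) -> bool:
        if self.failed_attempts >= self.max_failed_attempts:
            raise PrincipalLockedOut(self.login)
        if password == self.password:  # plain comparison, simulation only
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        return False

@dataclass
class Session:
    """What the SessionCredentialsPlugin keeps between requests: (login, password)."""
    credentials: Optional[Tuple[str, str]] = None

def authenticate(session: Session, principal: LockoutPrincipal) -> bool:
    """Stand-in for the per-request authentication: the session's credentials are re-checked every time."""
    if session.credentials is None:
        return False
    login, password = session.credentials
    return login == principal.login and principal.check_password(password)

def simulate_failed_login(resources_per_page: int, max_failed_attempts: int,
                          clear_on_failure: bool = False) -> Tuple[int, bool]:
    """One wrong submission, then the login page and its resources load; returns (failed_attempts, locked out)."""
    principal = LockoutPrincipal("jw", "correct-password", max_failed_attempts)
    session = Session(credentials=("jw", "wrong-password"))  # constructed input
    locked = False
    for _ in range(1 + resources_per_page):  # the page itself, then each image/css/js
        try:
            ok = authenticate(session, principal)
        except PrincipalLockedOut:
            locked = True
            break
        if clear_on_failure and not ok:
            session.credentials = None  # mitigation: stale credentials are not re-checked
    return principal.failed_attempts, locked
```

With five resources on the login page and a limit of three, a single wrong password locks the account on the fourth request; the multiplied limit avoids that but still records six failures for one human attempt.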


[Zope-dev] Zope Tests: 6 OK

2010-01-18 Thread Zope Tests Summarizer
Summary of messages to the zope-tests list.
Period Sun Jan 17 12:00:00 2010 UTC to Mon Jan 18 12:00:00 2010 UTC.
There were 6 messages: 6 from Zope Tests.


Tests passed OK
---

Subject: OK : Zope-2.10 Python-2.4.6 : Linux
From: Zope Tests
Date: Sun Jan 17 20:36:31 EST 2010
URL: http://mail.zope.org/pipermail/zope-tests/2010-January/013401.html

Subject: OK : Zope-2.11 Python-2.4.6 : Linux
From: Zope Tests
Date: Sun Jan 17 20:38:31 EST 2010
URL: http://mail.zope.org/pipermail/zope-tests/2010-January/013402.html

Subject: OK : Zope-2.12 Python-2.6.4 : Linux
From: Zope Tests
Date: Sun Jan 17 20:40:31 EST 2010
URL: http://mail.zope.org/pipermail/zope-tests/2010-January/013403.html

Subject: OK : Zope-2.12-alltests Python-2.6.4 : Linux
From: Zope Tests
Date: Sun Jan 17 20:42:31 EST 2010
URL: http://mail.zope.org/pipermail/zope-tests/2010-January/013404.html

Subject: OK : Zope-trunk Python-2.6.4 : Linux
From: Zope Tests
Date: Sun Jan 17 20:44:31 EST 2010
URL: http://mail.zope.org/pipermail/zope-tests/2010-January/013405.html

Subject: OK : Zope-trunk-alltests Python-2.6.4 : Linux
From: Zope Tests
Date: Sun Jan 17 20:46:31 EST 2010
URL: http://mail.zope.org/pipermail/zope-tests/2010-January/013406.html
