[Zope3-Users] Re: apache as zope3's frontend and NTLM
On Tue, Nov 15, 2005 at 11:02:06AM +, Chris Withers wrote:
| Philipp von Weitershausen wrote:
| >True, it's not the nicest solution. But you could make it safer by first
| >stripping the according request variable from the QUERY_STRING.
| >mod_rewrite is quite powerful in that respect.
|
| Is it just me, or should a deep feeling of uneasiness accompany the
| extraction of authentication credentials from a query string? ;-)

It's not just you. :-)

The hole this creates is: someone makes an HTTP request directly to Zope,
bypassing apache altogether. This request could simply present any
username desired.

Some ways to limit the exposure of the hole are to have zope listen on
the loopback interface only. Then prevent all shell access on the
system. The only remaining hole at this point is if someone can abuse
some other network-accessible service and coerce it into making the
request (or to open a back door).

-D

--
Bugs come in through open windows. Keep Windows shut!
www: http://dman13.dyndns.org/~dman/
jabber: [EMAIL PROTECTED]

___
Zope3-users mailing list
Zope3-users@zope.org
http://mail.zope.org/mailman/listinfo/zope3-users
Re: [Zope3-Users] Re: apache as zope3's frontend and NTLM
Philipp von Weitershausen wrote:
> True, it's not the nicest solution. But you could make it safer by first
> stripping the according request variable from the QUERY_STRING.
> mod_rewrite is quite powerful in that respect.

Is it just me, or should a deep feeling of uneasiness accompany the
extraction of authentication credentials from a query string? ;-)

Chris

--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk
Re: [Zope3-Users] Re: apache as zope3's frontend and NTLM
Simon Hang wrote:
> Thanks for the help.
>
> I feel not comfortable to put the username in URL. User may be able to
> bypass the authentication and direct access zope with username in URL.

True, it's not the nicest solution. But you could make it safer by first
stripping the according request variable from the QUERY_STRING.
mod_rewrite is quite powerful in that respect.

> Now the only solution I found is only working in Apache2 not 1.3. I can
> use mod_header. requestheader can add http header to request before
> mod_rewrite pass it to zope. I can put REMOTE_USER in http header and
> zope will be able to pick it up. User will still be able to bypass the
> check if they can use special web browser which can add http header. But
> at least with standard IE & Firefox, this method will be safe.

Here you could strip any REMOTE_USER header or request variable from the
incoming request so that the REMOTE_USER that Zope sees is always the one
set by Apache, or none (even if the browser client tried to supply its
own one).

> But I'm still using Apache 1.3. Above solution can't apply. :(

Too bad, Apache 2.0 is quite nice.

Philipp
Re: [Zope3-Users] Re: apache as zope3's frontend and NTLM
Thanks for the help.

I feel not comfortable to put the username in URL. User may be able to
bypass the authentication and direct access zope with username in URL.
And that's true, Apache can pass environment variable via mod_rewrite.
What's a pity.

Now the only solution I found is only working in Apache2 not 1.3. I can
use mod_header. requestheader can add http header to request before
mod_rewrite pass it to zope. I can put REMOTE_USER in http header and
zope will be able to pick it up. User will still be able to bypass the
check if they can use special web browser which can add http header. But
at least with standard IE & Firefox, this method will be safe.

But I'm still using Apache 1.3. Above solution can't apply. :(

I'm giving up. Maybe just use some browser script to submit current
username to CredentialsPlugin. This will be easy, just write my own
version of loginform.pt, and that will work. But it's ugly.

Thanks,
Simon

On 11/13/05, Philipp von Weitershausen <[EMAIL PROTECTED]> wrote:
> Florent Guillaume wrote:
> >> Well, Zope 3 doesn't care that Apache has authenticated your user. It
> >> doesn't see that. If you want the Zope 3 security system to interact
> >> with Apache's, here's a suggestion (not sure if it'll actually work):
> >>
> >> - Have Apache forward the REMOTE_USER CGI env variable, e.g. by using
> >> the "E" flag at the end of rewrite rule:
> >>
> >> [P,L,E=REMOTE_USER:%{REMOTE_USER}]
> >
> > Will that really work? env variables are only useful in CGI mode, but
> > proxying doesn't involve CGI. Rather I'd advise using additional
> > parameters to the URL, like we do here for Zope 2 for instance:
> >
> > http://svn.nuxeo.org/trac/pub/file/CMFNtlmSso/trunk/doc/vhost_sso.conf
>
> Ah, yes. I thought of this initially but found the env way to be cleaner,
> simply assuming that mod_rewrite would pass the current env along on the
> proxy request. It seems it doesn't.
>
> Good example config, by the way.
>
> >> - Have a custom ICredentialsPlugin that's simply looks at this env
> >> variable in the request for the log-in credentials. To challenge the
> >> user for authentication, it would simply use the same authentication
> >> realm as set in the apache.conf, so that it gets picked up by Apache
> >> when the user provides the credentials.
> >
> > And this plugin would have to get the credentials from the URL instead
> > of the env variable. I wish apache had a proper way to add request
> > headers during proxying...
>
> Yup and yup.
>
> Philipp
[Zope3-Users] Re: apache as zope3's frontend and NTLM
Florent Guillaume wrote:
>> Well, Zope 3 doesn't care that Apache has authenticated your user. It
>> doesn't see that. If you want the Zope 3 security system to interact
>> with Apache's, here's a suggestion (not sure if it'll actually work):
>>
>> - Have Apache forward the REMOTE_USER CGI env variable, e.g. by using
>> the "E" flag at the end of rewrite rule:
>>
>> [P,L,E=REMOTE_USER:%{REMOTE_USER}]
>
> Will that really work? env variables are only useful in CGI mode, but
> proxying doesn't involve CGI. Rather I'd advise using additional
> parameters to the URL, like we do here for Zope 2 for instance:
>
> http://svn.nuxeo.org/trac/pub/file/CMFNtlmSso/trunk/doc/vhost_sso.conf

Ah, yes. I thought of this initially but found the env way to be cleaner,
simply assuming that mod_rewrite would pass the current env along on the
proxy request. It seems it doesn't.

Good example config, by the way.

>> - Have a custom ICredentialsPlugin that's simply looks at this env
>> variable in the request for the log-in credentials. To challenge the
>> user for authentication, it would simply use the same authentication
>> realm as set in the apache.conf, so that it gets picked up by Apache
>> when the user provides the credentials.
>
> And this plugin would have to get the credentials from the URL instead
> of the env variable. I wish apache had a proper way to add request
> headers during proxying...

Yup and yup.

Philipp
[Zope3-Users] Re: apache as zope3's frontend and NTLM
Philipp von Weitershausen wrote:
> Simon Hang wrote:
>> Dear all,
>>
>> I'm trying to use apache as zope3's frontend, and do NTLM authentication
>> as well.
>
> Well, traditionally it's been part of Zope's responsibility to do
> credentials extraction and user authentication. That doesn't mean it
> couldn't be done by the webserver in front of Zope; there might just be
> other implications that you and I can't think of ;).
>
>> I've done:
>> 1. Installed mod_ntlm for apache 1.3, and tested.
>> 2. Create a VirtualHost for zope3 instance, forwarding http request
>> using rewrite engine. And tested.
>>
>> Now I try to put things together => A virtualhost can do NTLM
>> authentication and forward request to zope3, my virtual configuration of
>> apache as below:
>>
>> DocumentRoot c:/myroot
>> Servername myserver
>> ErrorLog logs/myerror.log
>> CustomLog logs/myaccess.log common
>> RewriteEngine On
>> RewriteRule ^(/?.*) http://localhost:8080/++vh++http:myserver:808/++$1 [P,L]
>>
>> AuthName "realm"
>> AuthType NTLM
>> NTLMAuth On
>> NTLMAuthoritative On
>> NTLMDomain mydomain
>> NTLMOfferBasic Off
>> NTLMBasicPreferred Off
>> require valid-user
>>
>> Every time I try to access the page, the browser shows me the error
>> message as below:
>>
>> Authorization Required
>>
>> This server could not verify that you are authorized to access the
>> document requested. Either you supplied the wrong credentials (e.g., bad
>> password), or your browser doesn't understand how to supply the
>> credentials required.
>>
>> What's wrong in my settings?
>
> Well, Zope 3 doesn't care that Apache has authenticated your user. It
> doesn't see that. If you want the Zope 3 security system to interact
> with Apache's, here's a suggestion (not sure if it'll actually work):
>
> - Have Apache forward the REMOTE_USER CGI env variable, e.g. by using
> the "E" flag at the end of rewrite rule:
>
> [P,L,E=REMOTE_USER:%{REMOTE_USER}]

Will that really work? env variables are only useful in CGI mode, but
proxying doesn't involve CGI. Rather I'd advise using additional
parameters to the URL, like we do here for Zope 2 for instance:

http://svn.nuxeo.org/trac/pub/file/CMFNtlmSso/trunk/doc/vhost_sso.conf

> - Have a custom ICredentialsPlugin that's simply looks at this env
> variable in the request for the log-in credentials. To challenge the
> user for authentication, it would simply use the same authentication
> realm as set in the apache.conf, so that it gets picked up by Apache
> when the user provides the credentials.

And this plugin would have to get the credentials from the URL instead
of the env variable. I wish apache had a proper way to add request
headers during proxying...

Florent

> - Have a custom IAuthenticatorPlugin that uses the credential data of
> the former plug-in to create a principal object from it. It wouldn't
> really need to do any actual authentication because that had already
> been done by Apache. The only thing this plug-in needs to do is convert
> the credentials data into an actual principal object.
>
> Hope that helps.
>
> Philipp

--
Florent Guillaume, Nuxeo (Paris, France)   Director of R&D
+33 1 40 33 71 59   http://nuxeo.com   [EMAIL PROTECTED]
[Zope3-Users] Re: apache as zope3's frontend and NTLM
Simon Hang wrote:
> Dear all,
>
> I'm trying to use apache as zope3's frontend, and do NTLM authentication
> as well.

Well, traditionally it's been part of Zope's responsibility to do
credentials extraction and user authentication. That doesn't mean it
couldn't be done by the webserver in front of Zope; there might just be
other implications that you and I can't think of ;).

> I've done:
> 1. Installed mod_ntlm for apache 1.3, and tested.
> 2. Create a VirtualHost for zope3 instance, forwarding http request
> using rewrite engine. And tested.
>
> Now I try to put things together => A virtualhost can do NTLM
> authentication and forward request to zope3, my virtual configuration of
> apache as below:
>
> DocumentRoot c:/myroot
> Servername myserver
> ErrorLog logs/myerror.log
> CustomLog logs/myaccess.log common
> RewriteEngine On
> RewriteRule ^(/?.*)
> http://localhost:8080/++vh++http:myserver:808/++$1 [P,L]
>
> AuthName "realm"
> AuthType NTLM
> NTLMAuth On
> NTLMAuthoritative On
> NTLMDomain mydomain
> NTLMOfferBasic Off
> NTLMBasicPreferred Off
> require valid-user
>
> Every time I try to access the page, the browser shows me the error
> message as below:
>
> Authorization Required
>
> This server could not verify that you are authorized to access the
> document requested. Either you supplied the wrong credentials (e.g., bad
> password), or your browser doesn't understand how to supply the
> credentials required.
>
> What's wrong in my settings?

Well, Zope 3 doesn't care that Apache has authenticated your user. It
doesn't see that. If you want the Zope 3 security system to interact
with Apache's, here's a suggestion (not sure if it'll actually work):

- Have Apache forward the REMOTE_USER CGI env variable, e.g. by using
the "E" flag at the end of rewrite rule:

[P,L,E=REMOTE_USER:%{REMOTE_USER}]

- Have a custom ICredentialsPlugin that's simply looks at this env
variable in the request for the log-in credentials. To challenge the
user for authentication, it would simply use the same authentication
realm as set in the apache.conf, so that it gets picked up by Apache
when the user provides the credentials.

- Have a custom IAuthenticatorPlugin that uses the credential data of
the former plug-in to create a principal object from it. It wouldn't
really need to do any actual authentication because that had already
been done by Apache. The only thing this plug-in needs to do is convert
the credentials data into an actual principal object.

Hope that helps.

Philipp
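The two points that run through this thread are the plugin split Philipp sketches (a credentials plugin that reads what the front end asserted, an authenticator plugin that only maps it to a principal) and the hole Derrick and Philipp describe (anyone who reaches Zope without going through Apache, or who smuggles their own REMOTE_USER header or query parameter, can claim any name). The Python below is an added illustration of both and is not code from this thread, from Apache or from Zope. It models requests as plain CGI/WSGI-style environ dicts; the `X-Remote-User` header name, the `TRUSTED_PROXY_ADDR` constant and the sample users are assumptions, and the two plugin classes only mirror the method names of Zope 3's `ICredentialsPlugin` and `IAuthenticatorPlugin` rather than implementing the real interfaces. The last check in `__main__` shows the residual exposure Derrick mentions: a request that really does arrive from the loopback address is trusted, which is why he pairs loopback-only listening with keeping other local processes from being coerced.

```python
"""Model of the Apache -> Zope 3 trust boundary discussed in this thread.

Added example, not from the thread, Apache or Zope.  Requests are plain
dicts shaped like CGI/WSGI environs; the plugin classes mirror the method
names of Zope 3's ICredentialsPlugin / IAuthenticatorPlugin (assumption:
they are not the real interfaces).
"""
from urllib.parse import parse_qsl, urlencode

# Assumption: Apache runs on the same host and Zope listens on loopback
# only (the mitigation suggested in the thread), so only this address may
# assert a user identity.
TRUSTED_PROXY_ADDR = "127.0.0.1"
# Assumption: hypothetical header the front end uses to pass the user.
USER_HEADER = "HTTP_X_REMOTE_USER"


def apache_forward(client_environ, authenticated_user):
    """What a correctly configured front end should hand to Zope.

    Drops anything the browser supplied under the user header or as a
    REMOTE_USER query parameter, then sets the header from the identity
    Apache itself established (e.g. via mod_ntlm).  Returns the environ
    Zope receives; REMOTE_ADDR becomes the proxy's own address.
    """
    forwarded = dict(client_environ)
    forwarded.pop(USER_HEADER, None)
    kept = [(k, v) for k, v in parse_qsl(forwarded.get("QUERY_STRING", ""),
                                         keep_blank_values=True)
            if k != "REMOTE_USER"]
    forwarded["QUERY_STRING"] = urlencode(kept)
    forwarded["REMOTE_ADDR"] = TRUSTED_PROXY_ADDR
    if authenticated_user:
        forwarded[USER_HEADER] = authenticated_user
    return forwarded


class ProxyCredentialsPlugin:
    """extractCredentials: read the user the proxy asserted, but only when
    the request actually came from the proxy address."""

    def extractCredentials(self, environ):
        if environ.get("REMOTE_ADDR") != TRUSTED_PROXY_ADDR:
            return None  # request reached Zope directly: header untrusted
        user = environ.get(USER_HEADER)
        return {"login": user} if user else None

    def challenge(self, environ):
        # Same realm as Apache's AuthName, so the browser re-authenticates
        # against Apache rather than against Zope.
        return ("WWW-Authenticate", 'Basic realm="realm"')


class ProxyAuthenticatorPlugin:
    """authenticateCredentials: no password check, Apache already did that;
    only map the login to a principal."""

    def __init__(self, known_users):
        self.known_users = known_users  # login -> principal id (constructed)

    def authenticateCredentials(self, credentials):
        if not credentials:
            return None
        pid = self.known_users.get(credentials["login"])
        return {"id": pid, "login": credentials["login"]} if pid else None


def authenticate(environ, authenticator):
    """Run the two-plugin pipeline; return principal info or None."""
    creds = ProxyCredentialsPlugin().extractCredentials(environ)
    return authenticator.authenticateCredentials(creds)


if __name__ == "__main__":
    auth = ProxyAuthenticatorPlugin({"simon": "zope.simon", "admin": "zope.admin"})
    # Constructed browser request that tries to smuggle its own identity
    # both as a header and as a query parameter.
    browser = {"REMOTE_ADDR": "10.0.0.7",
               "QUERY_STRING": "REMOTE_USER=admin&page=1",
               USER_HEADER: "admin"}
    print(authenticate(apache_forward(browser, "simon"), auth))  # simon
    print(authenticate(browser, auth))                           # None
    # Residual hole: a process already on the host can still assert a name.
    print(authenticate({"REMOTE_ADDR": "127.0.0.1", USER_HEADER: "admin"}, auth))
```

The address check is what makes the header trustworthy; without it, the stripping Apache does is only cosmetic, because the same header arrives unfiltered on a connection that never passed through Apache.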
[Zope3-Users] Re: apache
just as a followup, Benji helped me fix the rewrite issue I was having
before. If anyone else comes across the same issue, a workaround is to
do the following:

ServerAdmin [EMAIL PROTECTED]
ErrorLog logs/fcwkstn.thig.com-error_log
CustomLog logs/fcwkstn.thig.com-access_log common
RewriteEngine On
RewriteRule ^//(.*css|.*png|.*js) \
    http://:8080/++vh++http::80/++/$1 \
    [P,L]
RewriteRule ^/(/?.*) \
    http://:8080//++vh++http:localhost:80//++$1 \
    [P,L]

this should first redirect all browser:resource stuff (well, the css,
png, and js since that's all i've got... you can add others) to a
resource path that zope can traverse correctly. then it will redirect
all site content as you'd expect, based on the second match rule.

I haven't tried it with the rewrite rules in the other order, but I'd
imagine apache matches rules in the order they're given, and i'm too
lazy to troubleshoot things that i can forestall from happening in the
first place ;)

Thanks to everyone on zope3-dev for always listening to my questions,
and offering solutions. Thanks esp to Benji on this one for the
suggestion.

Pete