
Mailing List Archive: Zope: Users

sending a encrypted login URL

 

 



jthomas at cap

Mar 4, 2009, 8:29 AM

Post #1 of 7 (1749 views)
Permalink
sending a encrypted login URL

We'd like to construct a zope login URL of the form on another server:



http://zope.domain:port/context/logged_in?__ac_name=uzzzzzz&__ac_password=xxxxxxx&submit=Log+in





where the ac_name and ac_password parameters are encrypted using zope
public key (?) and have the parameters decrypted when zope receives the
request and login the user.



Is there an API or some way to encrypt the username and password on the
3rd party app server and configure zope so that it treats the parameters
as encrypted values rather than plaintext?



Joseph Thomas

College of American Pathologists

http://www.cap.org <http://www.cap.org/>





Consider our environment; please print this e-mail only if truly
necessary. Thank you!


lists at zopyx

Mar 4, 2009, 8:38 AM

Post #2 of 7 (1630 views)
Permalink
Re: sending a encrypted login URL [In reply to]


Use SSL and you're done.

-aj

On 04.03.2009 17:29 Uhr, Joseph Thomas (s) wrote:
> We’d like to construct a zope login URL of the form on another server:
>
>
>
> http://zope.domain:port/context/logged_in?__ac_name=uzzzzzz&__ac_password=xxxxxxx&submit=Log+in
>
>
>
>
>
> where the ac_name and ac_password parameters are encrypted using zope
> public key (?) and have the parameters decrypted when zope receives the
> request and login the user.
>
>
>
> Is there an API or some way to encrypt the username and password on the
> 3rd party app server and configure zope so that it treats the
> parameters as encrypted values rather than plaintext?
>
>
>
> Joseph Thomas
>
> College of American Pathologists
>
> http://www.cap.org <http://www.cap.org/>
>
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Zope maillist - Zope [at] zope
> http://mail.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://mail.zope.org/mailman/listinfo/zope-announce
> http://mail.zope.org/mailman/listinfo/zope-dev )


--
ZOPYX Ltd. & Co. KG - Charlottenstr. 37/1 - 72070 Tübingen - Germany
Web: www.zopyx.com - Email: info [at] zopyx - Phone +49 - 7071 - 793376
Registergericht: Amtsgericht Stuttgart, Handelsregister A 381535
Geschäftsführer/Gesellschafter: ZOPYX Limited, Birmingham, UK
------------------------------------------------------------------------
E-Publishing, Python, Zope & Plone development, Consulting


tino at wildenhain

Mar 4, 2009, 8:46 AM

Post #3 of 7 (1624 views)
Permalink
Re: sending a encrypted login URL [In reply to]

Andreas Jung wrote:
> Use SSL and you're done.

SSL solves SSO? I don't think so.

Cheers
Tino



dieter at handshake

Mar 5, 2009, 11:54 AM

Post #4 of 7 (1623 views)
Permalink
Re: sending a encrypted login URL [In reply to]

Joseph Thomas (s) wrote at 2009-3-4 10:29 -0600:
>We'd like to construct a zope login URL of the form on another server:
>http://zope.domain:port/context/logged_in?__ac_name=uzzzzzz&__ac_password=xxxxxxx&submit=Log+in
>where the ac_name and ac_password parameters are encrypted using zope
>public key (?) and have the parameters decrypted when zope receives the
>request and login the user.
>Is there an API or some way to encrypt the username and password on the
>3rd party app server and configure zope so that it treats the parameters
>as encrypted values rather than plaintext?

We are doing this using the Python package "M2Crypto.EVP"
for the encryption/decryption.



--
Dieter


jthomas at cap

Mar 5, 2009, 12:01 PM

Post #5 of 7 (1629 views)
Permalink
Re: sending a encrypted login URL [In reply to]

Thanks, could you elaborate a bit, I'm somewhat new to zope/plone:

I assume we'd need a shared key on both our j2ee server and zope, and
did you need to create any changes to Plone PAS?





lists at zopyx

Mar 5, 2009, 12:06 PM

Post #6 of 7 (1627 views)
Permalink
Re: sending a encrypted login URL [In reply to]

On Thu, Mar 5, 2009 at 21:01, Joseph Thomas (s) <jthomas [at] cap> wrote:
> Thanks, could you elaborate a bit, I'm somewhat new to zope/plone:
>
> I assume we'd need a shared key on both our j2ee server and zope, and
> did you need to create any changes to Plone PAS?
>

Tres explained it to you. You have to write a PAS plugin. There are a bunch
of PAS plugins available that can serve as examples.

-aj


dieter at handshake

Mar 5, 2009, 12:34 PM

Post #7 of 7 (1624 views)
Permalink
Re: sending a encrypted login URL [In reply to]

Joseph Thomas (s) wrote at 2009-3-5 14:01 -0600:
>Thanks, could you elaborate a bit, I'm somewhat new to zope/plone:
>
>I assume we'd need a shared key on both our j2ee server and zope

"EVP" (documented in the *nix man pages) supports both symmetrical
as well as unsymmetrical encryption.
When you use symmetrical encryption (we do),
you need (of course) a shared secret.

> and
>did you need to create any changes to Plone PAS?

We are not using Plone (GPL) but I think that no changes to Plone PAS
would be necessary (exception in a moment).

Instead of redirecting to "logged_in", you can use a preprocessor
(e.g. "remotelogin") which decrypts the information and then calls "logged_in".

The problem which might force you to change something:
The standard Plone user folders do not provide access to
a cleartext password (for obvious security reasons).
That means when you want to perform a remotelogin to your partner
system, it is not easy to obtain the password for such a remote
login. Your partner system may have the same problem when it
performs a remote login to Plone.


You can use an SSO solution, e.g. CAS.
When I have understood correctly, there are PAS plugins supporting CAS.


You can also change the PAS plugin that stores the user identification
such that it also stores the password (e.g. in the session)
such that you can retrieve it for a remote login.



--
Dieter
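
An added example, not part of the original thread and not code from any poster: a sketch of the shared-secret "remotelogin" preprocessor idea described above, using the `cryptography` package's Fernet recipe in place of M2Crypto.EVP. The `token` parameter name, the 60-second lifetime and the function names are assumptions; Fernet authenticates the ciphertext and embeds a timestamp, so an altered, forged or stale login URL is rejected instead of being passed on to "logged_in".

```python
import json
from urllib.parse import urlencode, urlsplit, parse_qs

from cryptography.fernet import Fernet, InvalidToken

# Assumed policy: a login URL is only honoured for 60 seconds, which limits
# replay of URLs recovered from proxy logs or browser history.
MAX_AGE = 60


def build_login_url(key, base_url, name, password, now):
    """Partner-server side: seal both credentials into one opaque parameter."""
    payload = json.dumps({"name": name, "password": password}).encode()
    # encrypt_at_time lets the caller supply the clock (useful for testing).
    token = Fernet(key).encrypt_at_time(payload, now)
    return base_url + "?" + urlencode({"token": token.decode()})


def remotelogin(key, url, now):
    """Zope side: return (name, password), or None if the token is missing,
    forged, altered, or older than MAX_AGE seconds."""
    values = parse_qs(urlsplit(url).query).get("token", [])
    if len(values) != 1:
        return None
    try:
        payload = Fernet(key).decrypt_at_time(values[0].encode(), MAX_AGE, now)
    except InvalidToken:
        return None
    data = json.loads(payload)
    # A real preprocessor would hand these to "logged_in" at this point.
    return data["name"], data["password"]


if __name__ == "__main__":
    import time

    shared_key = Fernet.generate_key()  # constructed key; both servers hold it
    t = int(time.time())
    # Constructed host and path, for illustration only.
    url = build_login_url(shared_key,
                          "https://zope.example:8080/context/remotelogin",
                          "uzzzzzz", "xxxxxxx", t)
    print(url)
    print(remotelogin(shared_key, url, t + 5))
    print(remotelogin(shared_key, url, t + 3600))  # stale: None
```

The timestamp limits replay to the validity window only; a single-use guarantee would additionally need the receiving side to remember tokens it has already accepted.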
