
Mailing List Archive: Zope: Users

FW: sending a encrypted login URL

 

 



jthomas at cap

Mar 4, 2009, 8:53 AM

Post #1 of 3 (1111 views)
FW: sending a encrypted login URL

-----Original Message-----
From: Joseph Thomas (s)
Sent: Wednesday, March 04, 2009 10:50 AM
To: 'lists [at] zopyx'
Subject: RE: [Zope] sending a encrypted login URL

I think I get what you're suggesting, but let me clarify.

I actually wanted the sensitive portions of the URL to be encrypted, because it will be a link on a page that says "login to zope", but I wouldn't want the user or a snooper to be able to view the page source and figure out the URL pattern and the username/password.

SSL will ensure that the transport between the browser and the zope server will be encrypted using PKI, but I really want to obfuscate the user name and password parameters in the login URL, so that if someone were to view the source they'd see garbled username/password parameters.

I suppose I could use the PKI to encrypt the username/password with my zope server's public key (but is there an API to do this on a J2EE container) and then have my zope server decrypt using its private key (but how would zope know that the username/password parameters are to be treated as encrypted data)?

-----Original Message-----
From: Andreas Jung [mailto:lists [at] zopyx]
Sent: Wednesday, March 04, 2009 10:38 AM
To: Joseph Thomas (s)
Cc: zope [at] zope
Subject: Re: [Zope] sending a encrypted login URL

Use SSL and you're done.

-aj

On 04.03.2009 17:29 Uhr, Joseph Thomas (s) wrote:
> We'd like to construct a zope login URL of the form on another server:
>
> http://zope.domain:port/context/logged_in?__ac_name=uzzzzzz&__ac_password=xxxxxxx&submit=Log+in
>
> where the ac_name and ac_password parameters are encrypted using zope
> public key (?) and have the parameters decrypted when zope receives the
> request and login the user.
>
> Is there an API or some way to encrypt the username and password on the
> 3rd party app server and configure zope so that it treats the
> parameters as encrypted values rather than plaintext?
>
> Joseph Thomas
> College of American Pathologists
> http://www.cap.org
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Zope maillist - Zope [at] zope
> http://mail.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://mail.zope.org/mailman/listinfo/zope-announce
> http://mail.zope.org/mailman/listinfo/zope-dev )


--
ZOPYX Ltd. & Co. KG - Charlottenstr. 37/1 - 72070 Tübingen - Germany
Web: www.zopyx.com - Email: info [at] zopyx - Phone +49 - 7071 - 793376
Registergericht: Amtsgericht Stuttgart, Handelsregister A 381535
Geschäftsführer/Gesellschafter: ZOPYX Limited, Birmingham, UK
------------------------------------------------------------------------
E-Publishing, Python, Zope & Plone development, Consulting



tseaver at palladion

Mar 4, 2009, 9:28 AM

Post #2 of 3 (1010 views)
Re: FW: sending a encrypted login URL [In reply to]

Joseph Thomas (s) wrote:

> I think I get what you're suggesting, but let me clarify.
>
> I actually wanted the sensitive portions of the URL to be
> encrypted, because it will be a link on a page that says "login to
> zope", but I wouldn't want the user or a snooper to be able to view
> the page source and figure out the URL pattern and the
> username/password.
>
> SSL will ensure that the transport between the browser and the zope
> server will be encrypted using PKI, but I really want to obfuscate
> the user name and password parameters in the login URL, so that
> if someone were to view the source they'd see garbled
> username/password parameters.
>
> I suppose I could use the PKI to encrypt the username/password with
> my zope server's public key (but is there an API to do this on a J2EE
> container) and then have my zope server decrypt using its private key
> (but how would zope know that the username/password parameters are to
> be treated as encrypted data)?

On the Zope side, write a PAS plugin which knows how to extract the
URL-based credentials, decrypting them as appropriate. You could
prototype this as a ScriptablePlugin containing an ExternalMethod named
'extractCredentials' (might even be good enough for production, depending).


Tres.
--
===================================================================
Tres Seaver +1 540-429-0999 tseaver [at] palladion
Palladion Software "Excellence by Design" http://palladion.com
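
One way to get the effect asked for in this thread without placing the password in the page source at all, as an added example that is not from any poster or from Zope/PAS itself: the linking server signs a short-lived, single-use ticket, and functions shaped like PAS's `extractCredentials` and `authenticateCredentials` check it. The swap from public-key encryption to an HMAC ticket, the `__ac_ticket` parameter, the shared secret and the helper names are assumptions; expiry and a nonce are checked because an encrypted but static parameter could still be copied from the page source and reused as-is.

```python
import base64, hashlib, hmac, json, secrets, time

# Assumptions (not from the thread): a secret shared by both servers, the
# query parameter name "__ac_ticket", and a 60-second ticket lifetime.
SHARED_SECRET = b"constructed-demo-secret-change-me"
MAX_AGE = 60
seen_nonces = {}   # nonce -> expiry; use a shared, purged store in production


def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(login, now=None):
    """Runs on the linking server: signed, expiring, single-use ticket."""
    now = time.time() if now is None else now
    body = json.dumps({"login": login, "exp": int(now) + MAX_AGE,
                       "nonce": secrets.token_hex(16)}).encode()
    mac = hmac.new(SHARED_SECRET, body, hashlib.sha256).digest()
    return b64e(body) + "." + b64e(mac)


def extractCredentials(request):
    """Extraction step: pull the ticket out of the request, nothing more."""
    ticket = request.get("__ac_ticket")
    return {"ticket": ticket} if ticket else {}


def authenticateCredentials(credentials, now=None):
    """Authentication step: (userid, login) on success, None otherwise."""
    now = time.time() if now is None else now
    try:
        body_b64, mac_b64 = credentials["ticket"].split(".")
        body, mac = b64d(body_b64), b64d(mac_b64)
        expected = hmac.new(SHARED_SECRET, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return None                       # forged or altered ticket
        claims = json.loads(body)
        if claims["exp"] < now or claims["nonce"] in seen_nonces:
            return None                       # expired or already used
    except (KeyError, ValueError, TypeError, AttributeError):
        return None                           # malformed input fails closed
    seen_nonces[claims["nonce"]] = claims["exp"]
    return (claims["login"], claims["login"])
```
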

