Plone & CGI single-sign-on using mod_auth_tkt - plone

A couple of questions have had answers suggesting making use of mod_auth_tkt to allow Plone 4 (Plone and Asp.Net Integration, Use Plone's authentication mechanism to login to other sites.) to authenticate other web applications, and since I have a couple of CGIs that already jump through hoops to authenticate via Plone, this seems ideal for my purpose. However, I can't seem to find much documentation about using mod_auth_tkt in general, and absolutely none about using it with Plone.
I have the following problems.
1. mod_auth_tkt expects a shared "secret". mod_auth_tkt's examples show Apache getting this from a config file. Plone doesn't share its secrets - so how does Apache know that a given Plone cookie is a valid auth_tkt?
2. What URL would one use in the Apache config TKTAuthLoginURL? [I'm not sure that's vital, as, at the moment, I'm only really interested in ensuring that something is invoked from inside Plone, rather than directly as a CGI]
3. Apache expects the ticket cookie to be named via TKTAuthCookieName (default 'auth_tkt'). What does Plone call it? __ac?

The documentation on using mod_auth_tkt is a man page distributed with the source.
In answer to your specific questions:
In /Plone/acl_users/session. On the Manage secrets tab set a shared secret. (This is described in the documentation for setting up a shared secret with an IIS login form.) You should set the same secret in the Apache config with the TKTAuthSecret directive.
For Plone 4.0 (or Plone 3.x with plone.session 3.x) use /Plone/login_form. For Plone 4.1 use /Plone/login, assuming that the Plone site is hosted at /Plone. Use /login_form or /login if it is hosted at the root.
Plone uses __ac by default, so use TKTAuthCookieName "__ac". (The cookie name Plone uses is set in the acl_users session settings and cookie authentication settings.)
You might have to set TKTAuthBackArgName "came_from", though I think Plone will fall back to the referrer URL so it may work without. And you will need to check the "Use mod_auth_tkt compatible hashing algorithm" option on the preferences tab of acl_users/session.
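The hand-off the answer above describes, as an added example that is not part of the original post and is not code from plone.session or mod_auth_tkt: a small Python script that mints and validates a mod_auth_tkt-style ticket, so the shared secret, the cookie name and the "mod_auth_tkt compatible hashing" option can be checked offline before wiring up Apache. The ticket layout and the double-MD5 digest follow the mod_auth_tkt convention as I understand it (hex MD5 digest, 8-hex-char timestamp, user, "!", tokens, "!", user data; digest = MD5(MD5(ip bytes + timestamp bytes + secret + user + NUL + tokens + NUL + data) + secret)); treat that as an assumption to verify against the man page the answer points to. The cookie value being the base64 of the ticket, and tickets being minted for IP 0.0.0.0, are also assumptions taken from how plone.session behaves behind a proxy, which is why the Apache comment sets TKTAuthIgnoreIP. The secret, host name, user names and Apache directive values are placeholders.

```python
import base64
import binascii
import hashlib
import hmac
import socket
import struct
import time

# Matching Apache side, using the directives named in the answer above.
# Host name and secret are placeholders; the secret must equal the one set
# on the "Manage secrets" tab of /Plone/acl_users/session.
#   TKTAuthSecret      "change-me"
#   TKTAuthCookieName  "__ac"
#   TKTAuthLoginURL    https://www.example.org/Plone/login
#   TKTAuthBackArgName came_from
#   TKTAuthIgnoreIP    on      # tickets below are minted for 0.0.0.0 (assumption: Plone behind a proxy)


def _digest(secret, userid, token_list, user_data, ip, timestamp):
    """mod_auth_tkt double MD5 (assumed layout):
    md5(md5(ip_bytes + ts_bytes + secret + user NUL tokens NUL data) + secret)."""
    ip_timestamp = socket.inet_aton(ip) + struct.pack("!I", timestamp)
    inner = hashlib.md5(
        ip_timestamp
        + secret.encode("utf8")
        + "\0".join((userid, token_list, user_data)).encode("utf8")
    ).hexdigest()
    return hashlib.md5((inner + secret).encode("utf8")).hexdigest()


def create_ticket(secret, userid, tokens=(), user_data="", ip="0.0.0.0", timestamp=None):
    """Return the base64 cookie value for a ticket (what would go into __ac)."""
    if timestamp is None:
        timestamp = int(time.time())
    token_list = ",".join(tokens)
    digest = _digest(secret, userid, token_list, user_data, ip, timestamp)
    ticket = "%s%08x%s!%s!%s" % (digest, timestamp, userid, token_list, user_data)
    return base64.b64encode(ticket.encode("utf8")).decode("ascii")


def validate_ticket(secret, cookie_value, ip="0.0.0.0", timeout=None, now=None):
    """Return the ticket fields if the digest matches (and it is not older than
    timeout seconds), else None. This is the check Apache performs before it lets
    a request reach the CGI."""
    try:
        ticket = base64.b64decode(cookie_value, validate=True).decode("utf8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if len(ticket) < 41 or "!" not in ticket[40:]:
        return None
    digest, ts_hex, rest = ticket[:32], ticket[32:40], ticket[40:]
    try:
        timestamp = int(ts_hex, 16)
    except ValueError:
        return None
    parts = rest.split("!", 2)
    if len(parts) == 2:  # "user!data": a ticket without a tokens field
        userid, token_list, user_data = parts[0], "", parts[1]
    else:
        userid, token_list, user_data = parts
    expected = _digest(secret, userid, token_list, user_data, ip, timestamp)
    if not hmac.compare_digest(expected, digest):  # constant-time compare
        return None
    if timeout is not None:
        now = int(time.time()) if now is None else now
        if now - timestamp > timeout:
            return None
    tokens = token_list.split(",") if token_list else []
    return {"userid": userid, "tokens": tokens, "user_data": user_data, "timestamp": timestamp}


def forge_user(cookie_value, old_user, new_user):
    """Rewrite the user field of a ticket without re-signing it, to show that the
    secret-bound digest is what stops a client from picking its own identity."""
    ticket = base64.b64decode(cookie_value).decode("utf8")
    forged = ticket.replace(old_user, new_user, 1)  # digest is hex, so the first hit is the user
    return base64.b64encode(forged.encode("utf8")).decode("ascii")


if __name__ == "__main__":
    secret = "change-me"  # placeholder; must equal TKTAuthSecret and the Plone secret
    cookie = create_ticket(secret, "alice", tokens=("Editors",), user_data="from=plone")
    print("__ac cookie value:", cookie)
    print("valid:", validate_ticket(secret, cookie))
    print("forged user:", validate_ticket(secret, forge_user(cookie, "alice", "admin")))
```

If Apache rejects tickets that this script accepts, the usual suspects are the hashing option left unchecked in acl_users/session (Plone then uses its own HMAC scheme rather than the double MD5 above), a secret that differs by trailing whitespace, or TKTAuthIgnoreIP left off while the ticket was minted for 0.0.0.0.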

It turns out that there seems to be a conflict with pas.plugins.sqlalchemy. I've been investigating PPS, and while it doesn't seem that there should be any crossover, the site I was testing had PPS installed. When I switched to a site without PPS, setting the "secret" and the mod_auth_tkt flag had the desired effect. Since I seem to have fallen into the maintenance role for pas.plugins.sqlalchemy, I guess it's my problem :-)
Domo arigato, Mr. Rowe-boto!

Session Cookie (Authentication Related) Does Not Contain The "HTTPOnly" Attribute

Can someone help me in resolving the Qualys issue?
After Qualys scan, there is an issue that says to add the HTTP Only flag. I have set the HTTP Only flag in web.config of Asp.Net Application but it doesn't resolve. We are using Azure Active Directory (single Sign-On) authentication.
Don't know where I can set the flag to true. Moreover, in some blogs, they mentioned modifying NuGet packages.
I have attached the screenshot. Please refer to it. Thanks in advance.
Flags are: wlidperf, ESTSAUTHLIGHT, brcap, ch, clrc
You can change the settings related to HTTPS Only option under the following root inside your Azure Dashboard:
Settings - Custom Domains - HTTPS Only
However, you have to check with your security options and configurations, because this can engender security related problems later down the road.
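An added check, not from the question or the answer: HttpOnly is an attribute of the Set-Cookie header a server sends, so the useful thing to do with a scanner finding like this is to parse the Set-Cookie headers captured during a login and see which host issued each flagged cookie. The application's own cookies can be fixed in web.config (`<httpCookies httpOnlyCookies="true" requireSSL="true" />` under system.web); a cookie issued by the identity provider's sign-in host during the redirect comes from that host's response and cannot be changed in the application. The hosts, cookie values and the IdP host name below are constructed sample data (the cookie names are the ones listed in the question), not a real capture.

```python
# Constructed sample: (host that sent the response, Set-Cookie header value).
# Cookie values and the IdP host name are made up for this demonstration.
SAMPLE_RESPONSES = [
    ("app.example.com", "ASP.NET_SessionId=ZmFrZXNlc3Npb24; path=/"),
    ("app.example.com", ".AspNet.Cookies=ZmFrZWF1dGg; path=/; secure; HttpOnly"),
    ("login.example-idp.com",
     "ESTSAUTHLIGHT=ZmFrZQ; domain=login.example-idp.com; path=/; secure; HttpOnly"),
    ("login.example-idp.com", "wlidperf=FR=L&ST=123; path=/; secure"),
]

# Attributes a scanner expects on an authentication-related cookie.
REQUIRED = ("httponly", "secure", "samesite")


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute_lower: attribute_value}).
    Only the first '=' of the name=value pair is significant; the value may contain '='."""
    pieces = [p.strip() for p in header_value.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        if not piece:
            continue
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def missing_flags(header_value):
    """Return the REQUIRED attributes absent from this Set-Cookie header, in order."""
    _, _, attrs = parse_set_cookie(header_value)
    return [flag for flag in REQUIRED if flag not in attrs]


def audit(responses, app_hosts):
    """Report {host: {cookie_name: [missing flags]}}, split into cookies the
    application (app_hosts) issued and cookies a third-party host issued."""
    report = {"app": {}, "third_party": {}}
    for host, header_value in responses:
        name, _, _ = parse_set_cookie(header_value)
        missing = missing_flags(header_value)
        if not missing:
            continue
        bucket = "app" if host in app_hosts else "third_party"
        report[bucket].setdefault(host, {})[name] = missing
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_RESPONSES, app_hosts={"app.example.com"})
    for bucket, hosts in result.items():
        print(bucket)
        for host, cookies in hosts.items():
            for cookie, missing in cookies.items():
                print("  %s  %s  missing: %s" % (host, cookie, ", ".join(missing)))
```

Feed it the Set-Cookie lines from a browser's network capture of the sign-in round trip (request by request, with the responding host), and only the "app" bucket is something the web.config setting can address.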

developing web app with subdomains

My application will have a subdomain per customer to show their logo and some other stuff:
company1.service.com
company2.service.com
I'm trying to see what's the best way to work during development:
1. Configure the development machine HOSTS file to do some mapping, so I can access company1.localhost etc.
2. Use some kind of secret config flag which the app will check to determine what is the overridden domain.
3. Do not use subdomains at all (even on production) and prefer the query string.
I think #1 should be ok for me just trying to see if anyone has bad experience with it or good with the other options.
I would use the first option because it is simple to set up and will reflect your target architecture. The third option is also simple to set up but it will differ from your actual scenario so you might need to make last minute changes before shipping which is never a good thing.
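Whichever development option is chosen, the production code ends up deriving the tenant from the Host header, and that header is attacker-controlled. As an added example (not from the question or the answer, and not tied to any particular web framework), here is the tenant lookup written so that the first option (hosts-file entries such as company1.localhost) and the second (a development-only override flag) both work, while a host that is not exactly one label under the configured base domain, or a label that is not a known tenant, yields no tenant at all. The base domains, tenant names and the port number are assumptions for the demonstration.

```python
import re

# Option 1 from the question: hosts-file lines on the developer machine
# (constructed example; the dev server port 8000 is an assumption):
#   127.0.0.1  company1.localhost
#   127.0.0.1  company2.localhost

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen, at most 63 chars.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def tenant_from_host(host, base_domain, known_tenants=None, dev_override=None):
    """Return the tenant label for a request's Host header, or None.

    host          raw Host header, e.g. "company1.service.com" or "company1.localhost:8000"
    base_domain   "service.com" in production, "localhost" with the hosts-file setup
    known_tenants optional set of provisioned tenant labels; unknown labels are rejected
    dev_override  option 2 from the question: a config flag that forces a tenant
                  regardless of Host, only ever set in development
    """
    if dev_override:
        return dev_override.lower()
    if not host or host.startswith("["):  # empty header or an IPv6 literal: no tenant
        return None
    hostname, sep, port = host.rpartition(":")
    if not sep or not port.isdigit():  # no ":port" suffix present
        hostname = host
    hostname = hostname.lower().rstrip(".")
    suffix = "." + base_domain.lower()
    if not hostname.endswith(suffix):  # rejects other domains and "service.com.evil.com"
        return None
    label = hostname[: -len(suffix)]
    if not LABEL_RE.match(label):  # rejects "", "a.b" (two labels), "-x", odd characters
        return None
    if known_tenants is not None and label not in known_tenants:
        return None
    return label


if __name__ == "__main__":
    tenants = {"company1", "company2"}
    for header in ("company1.service.com", "company2.localhost:8000",
                   "company1.service.com.evil.com", "a.b.service.com", "ghost.service.com"):
        print("%-32s -> %r" % (header, tenant_from_host(header, "service.com", tenants)))
```

In production the web server or proxy should also be configured with the expected server names so requests for arbitrary hosts never reach the application; the check above is the application-side belt to that braces.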

plone add-on collective.sendaspdf: login required for downloading page

I'm using collective.sendaspdf for PDF download of Plone pages, but it asks users to log in when they download public content.
This appears strange as it happens just in the production server, not in the development server (the only difference seems that the latter is started in foreground mode).
Of course I can't assign particular permissions on objects to anonymous users, so I guess the problem is somewhere else
Thanks to Jean's suggestion, I enabled verbose security and the error is "Unauthorized: You are not allowed to access '##at_base_edit_view' in this context"
This looks strange to me as the page is the view of my Archetypes-based content type, and it is published so it is visible to anonymous users. I repeat that I have the development server with the same software installed where the authorization is correctly given, i.e. the page can be downloaded by anyone without login... what changes is the network configuration (I have an Apache that performs some URL rewriting in front of my Zope server, but this just affects the path of the Plone site to be hidden)
I wonder if I can manage to correct this just through the sendaspdf configuration. I don't know which additional info I could provide about the environment/configuration. I'm running Plone 4.0.4 + collective.sendaspdf 2.0
OK, the problem was due to a bug in how collective.sendaspdf handles Archetypes-based content types; it's possible to work around it by replacing the code:
view_name = context_type.getProperty('immediate_view')
with
view_name = context_type.getProperty('default_view')
in the method get_page_source of base.py, or by waiting for the next release of the product.

Removing the need for "?" or page name for IIS6 in order to process link shortener URLs

Working on a URL shortener in asp.net running on IIS6. Trying to avoid installing URL rewriting software so looking for pure ASP solution.
Is there a way to process links in this format:
shorten.me/AugustSale
We are already able to process
shorten.me/page.aspx?AugustSale
shorten.me/?AugustSale
but these are not very human-friendly.
Any ideas?
If the solution requires installing a URL-rewriter, could you recommend one which could be installed for one site only and not for the rest of the sites on the server?
Edit: We are running a complex, resource-heavy CMS on another virtual site and have been warned against installing a URL-rewriter.
We use Ionics Isapi Rewrite Filter for our IIS6 boxes and haven't had any issues with it. It also has a mapping feature that might prove useful to your situation.
Oh... and it's FREE. WooHoo! (well, donation based anyway, so help support them if you can).
Rewrite based upon a map file:
http://cheeso.members.winisp.net/Iirf21Help/html/77dd5ab8-9638-45e9-a920-6182fca3f767.htm
Edit - configurable at the vdir level
IIRF.ini: the ini files specific for each virtual directory or IIS
application. There should be one of these files for each specific
vdir, or IIS Application. The settings specified here include settings
for the URLs that should be rewritten, redirected, or proxied; whether
the IIRF engine should be enabled for that vdir or application; and so
on. For each installation of IIRF, you will provide at least one, and
possibly many more, IIRF.ini files.

Why does ASP.NET framework add the 'X-Powered-By:ASP.NET' HTTP Header in responses?

I am just curious to know if there is a specific reason why the .Net Framework adds the 'X-Powered-By:ASP.NET' Http Header in its responses? Do other web servers (Apache, httpd) do the same thing?
EDIT: I know that it can be changed. I want to know if there is a reason to keep it or leave it as it is?
I know that PHP does this. I guess there is no real purpose, other than marketing and making it easier for script kiddies to find suitable victims. For PHP it's better to disable the flag entirely since it shows the PHP version and therefore makes the server more vulnerable to attacks.
Edit: Who knows, it might also lead to better search results on bing... ;-)
It is a default custom header when using IIS. It is a setting in IIS, you can change it if you wish.
Using IIS6 -
Click on the HTTP Headers tab
You can edit or remove the header in the Custom HTTP Headers box.
It is probably there so that sites like Netcraft can pull together statistics for the number of servers running IIS and ASP.NET. This used to be considered an important thing when .NET was released. By stating that n number of sites started using ASP.NET Microsoft could provide metrics for companies that only adopt technology based on the number of other users out there.
I don't believe there is a strong technical reason for having it since a PHP app could imitate an ASP.NET application, by setting the same header in Apache. I could imagine some naive client applications like FrontPage 2003, or SharePoint Designer might use headers like this to validate that they are indeed connecting to an ASP.NET enabled site but that is speculation on my part.
It is fairly common to see a signature for the server/executing engine sent with the headers of a page whether you're running Apache and PHP or IIS and ASP.NET. Just acts as some free publicity, I suppose.
"X-Powered-By:" isn't a standard header, but "Server: " is (and it clearly serves the same purpose).
In a world of SaaS and Cloud services, Web frameworks are 'strategic' assets, and every little piece of real estate is avidly conquered... sometimes the cheating way.
Tomcat, Apache, WebSphere, JBoss, you name it..
Apparently, it's not actually a standard HTTP header field.
If "Why" is used in the context of "how to change it" - go to the IIS properties of your site and open the "HTTP Headers" tab and correct the Custom HTTP Header.
