[Silva-general] https

Andy Altepeter aaltepet at altepeter.net
Wed Nov 11 14:38:38 CET 2009


Hi David,
>
> Been working on this on and off for a bit.  Had some partial success.
> I used a __before_publishing_traverse__ function based on SilvaObject
> to test for the required permissions then redirect to https.  This
> causes a double login, first via http then https.  I think I can abort
> the first transaction though.  Is this how you saw this working?

I hadn't fully thought through how this would work.  What do you mean by 'abort the first transaction'?  You surely don't want to force auth twice, so if you can redirect to https without forcing auth that'll be key.

The 'auth required' for http may happen during traversal higher up in the hierarchy.  For example, the request is for /silva/site/protected/doc1/edit
protected happens to be restricted to 'authenticated users only', but everything above it is not.

When the traversal gets to 'protected', zope may request authentication from the client.  In this case, your __before_publishing_traverse__ hook is never called.

If this is the case, you may want to inspect the request URL to see if it matches an 'SMI' pattern, and if it does then _always_ redirect to https.  You only need to capture the entry point urls into the SMI, and not every asset.  So something like this may be a good start:

URLs like: '/edit(/.*)?|preview_html$'
>
> Another issue is the external sources.  They don't work as
> get_extsource_url calls for the absolute_url of the code source which
> is returned with a http address.  The get_rendered_form_for_editor
> request is then an http request and doesn't work in an https page.  Is
> there an easy way round this?

Requests are going through apache, right?  It sounds like your rewriterule for the https vhost is telling zope it's actually an http vhost.  Make sure you have something like this:

RewriteRule /(.*) http://<backend zope:port>/VirtualHostBase/https/www.bethel.edu:443/silva/www/VirtualHostRoot/$1

Note the 'https' after VirtualHostBase, and the :443.

HTH,
Andy


>
> david
>
> On 24 Sep 2009, at 03:30, Andy Altepeter wrote:
> > Hi David,
> >
> > It's been awhile, so let me try and summarize:
> >
> > 1) You are using a zmi-based layout, and want to redirect to https
> > when an
> > area of Silva requires authentication.
> > 2) you want to redirect to http BEFORE authentication
> >
> > I don't think that, using the approach I suggested, it is possible
> > to do this
> > before authentication.  The reason is that checking this in the
> > layout_macro
> > (or such) will always happen AFTER access to the resource is
> > authenticated/authorized.
> >
> > So, if this is an important requirement and you cannot switch to
> > SilvaLayout,
> > you may want to consider adding a __before_publishing_traverse__
> > method to
> > SilvaObject.  In this method you can check access as I suggested, and
> > redirect to http if needed.  See:
> > http://www.zope.org/Documentation/Books/ZDG/current/ObjectPublishing.stx
> >
> > peace,
> > Andy
> >
> > On Wednesday 19 August 2009 09:15:57 am ccaadgi wrote:
> >>>> Hey David,
> >>>>
> >>>>> Now that I read your use case, you could adapt Bethel's public
> >>>>> layout
> >>>>> approach
> >>>>> by, instead of checking a metadata property, you could check
> >>>>> whether
> >>>>> the context is available to public unauthenticated users (and if
> >>>>> not
> >>>>> redirect to
> >>>>> https).
> >>>>>
> >>>>> Note that this approach would work using a ZMI layout as well, you
> >>>>> would just
> >>>>> do the check at the top of the index_html of your Silva root.
> >>>>>
> >>>>> Andy
> >>>>
> >>>> Thanks for that Andy, but how do I go about checking whether the
> >>>> context is available to public unauthenticated users?
> >>>
> >>> The way this setting is presented on the access tab is similar to
> >>> the
> >>> following:
> >>>
> >>> (this is TAL):
> >>> info model/@@get_viewer_role_info;
> >>> public info/is_public;
> >>>
> >>> Calling @@get_viewer_role_info is probably a bit heavy.  This z3
> >>> view is
> >>> located here: Products/Silva/browser/viewerrole.py (the ViewerRole
> >>> class).
> >>> Looking in it, I see that "is_public" is defined by the following
> >>> code:
> >>>
> >>>       viewer_security = IViewerSecurity(self.context.aq_inner)
> >>>       selected_role = viewer_security.getMinimumRole()
> >>>       is_public = selected_role == 'Anonymous'
> >>>
> >>>
> >>> So in your layout you might want to try (this is Silva 2.1):
> >>> from Products.Silva.adapters.interfaces import IViewerSecurity
> >>> viewer_security = IViewerSecurity(self.context.aq_inner)
> >>> selected_role = viewer_security.getMinimumRole()
> >>> is_public = selected_role == 'Anonymous'
> >>>
> >>> Keep in mind that depending on where this is used,
> >>> "self.context.aq_inner" may
> >>> be something different.  It also doesn't appear that this
> >>> interface is
> >>> importable within RestrictedPython.  So if you are using a ZMI-based
> >>> layout,
> >>> get_viewer_role_info may be your best approach.  Note that you could
> >>> probably
> >>> not call this if you are already on https, so that may save a few
> >>> compute
> >>> cycles.
> >>>
> >>> peace,
> >>> Andy
> >>
> >> Hi Andy,
> >>
> >> I've tried to do what you suggested above but I think I must be
> >> missing
> >> something.  In my layout page template I call a function from the
> >> associated class which returns true or false based on whether the
> >> page
> >> is anonymous or not.  That part works ok.  The problem is that the
> >> redirection is happening after the logging in but I would like it to
> >> happen before.
> >>
> >> david
> >>
> >>>> David
>
> _______________________________________________
> silva-general mailing list
> silva-general at lists.infrae.com
> https://lists.infrae.com/mailman/listinfo/silva-general
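
Added example (not part of the original message, and not Silva code): a sketch of the "always redirect SMI entry-point URLs to https" check described in the reply above, run on the request URL before any authentication challenge. The function name, the tightened pattern and the example.org URLs are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Pattern as quoted in the message, applied with re.search.
PAGE_PATTERN = re.compile(r'/edit(/.*)?|preview_html$')

# Assumed tightening (not from the thread): 'edit' must be a whole path
# segment and 'preview_html' the last segment, so a public path such as
# /site/editorial/news is not bounced to https by accident.
SMI_ENTRY = re.compile(r'/edit(/.*)?$|/preview_html$')


def https_redirect_target(url, pattern=SMI_ENTRY):
    """Return the https URL to redirect to, or None when no redirect applies."""
    parts = urlsplit(url)
    if parts.scheme == 'https':
        return None  # already on https: redirecting again would loop
    if not pattern.search(parts.path):
        return None  # not an SMI entry point, leave it on http
    # Drop any explicit http port (:80, :8080) so it does not end up in the
    # https URL; keep the path and query string unchanged.
    return urlunsplit(('https', parts.hostname, parts.path, parts.query, ''))


if __name__ == '__main__':
    # Constructed sample URLs, not taken from a real site.
    samples = [
        'http://www.example.org/silva/site/protected/doc1/edit',
        'http://www.example.org:8080/site/doc1/edit/tab_preview?x=1',
        'http://www.example.org/site/doc1/preview_html',
        'http://www.example.org/site/editorial/news',
        'https://www.example.org/site/doc1/edit',
    ]
    for url in samples:
        print(url, '->', https_redirect_target(url))
```

With the pattern exactly as quoted, /site/editorial/news also matches, because '/edit' is found inside '/editorial'; that only costs an unnecessary redirect, but the anchored variant avoids it.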

