Require SSL encryption for all portal actions that require authentication

classic Classic list List threaded Threaded
5 messages Options
Gert Thiel Gert Thiel
Reply | Threaded
Open this post in threaded view
|

Require SSL encryption for all portal actions that require authentication

Hello.

I want to setup my Plone install to be both fast and safe.

I've read the many how-tos and tutorials explaining how to combine Plone
with Apache HTTPd for performance by caching and/or security using SSL.

I have a dedicated server on the internet running Plone 2.1.1 -- two
instances accessing one ZEO instance. And a third Plone instance for
development purposes, which is up only when neccesary. All instances run on
private ports.

I have also an Apache 2 install with two virtual hosts -- one for HTTP
access and a second one for HTTPS aka SSL.

I did not enable caching yet.

I want to apply a tight security scheme to Plone like so:

(1) All anonymous or unauthenticated user must use the HTTP virtual host.
(2) The login procedure must be HTTPS aka SSL protected.
(3) All actions which require users to be authenticated with or authorized
    by Plone shall be forced to use the HTTPS aka SSL virtual host.

I have no problems with implementing the requirements (1) and (2).

I can implement requirement (3) partially only. After reading the available
documentation I have set up Apache 2 to redirect log-in to the HTTPS aka SSL
virtual host. After logging in the authenticated user is presented with the
HTTPS aka SSL site. But the user can enter a unsecure http:// address
manually and administer Plone or edit Plone content without SSL protection
applied.

I want Plone to redirect any HTTP request to the HTTP aka SSL virtual host
whenever a user tries to administer or edit something. This should be forced
from inside Plone and happen even if the Apache rewrite rules are
insufficient or error prone.

If such mechanism would be implemented we would not need mod_rewrite any
longer.

Do you have any ideas how to do so?

Thanks in advance.

Regards,

  Gert.




-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
Register for a JBoss Training Course.  Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click
_______________________________________________
Plone-Users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/plone-users
Geir Bækholt · Plone Solutions-2 Geir Bækholt · Plone Solutions-2
Reply | Threaded
Open this post in threaded view
|

Re: Require SSL encryption for all portal actions that require authentication

On 2005-11-20 17:19:35 +0100, Gert Thiel
<[hidden email]> said:

> I can implement requirement (3) partially only. After reading the available
> documentation I have set up Apache 2 to redirect log-in to the HTTPS aka SSL
> virtual host. After logging in the authenticated user is presented with the
> HTTPS aka SSL site. But the user can enter a unsecure http:// address
> manually and administer Plone or edit Plone content without SSL protection
> applied.
>
> I want Plone to redirect any HTTP request to the HTTP aka SSL virtual host
> whenever a user tries to administer or edit something. This should be forced
> from inside Plone and happen even if the Apache rewrite rules are
> insufficient or error prone.
>
> If such mechanism would be implemented we would not need mod_rewrite any
> longer.
>
> Do you have any ideas how to do so?

The Cookie specification ( and its browser implementations too) allows
you to pass a parameter secure=1 (or something fairly similar) when you
set a cookie on the client. This means the cookie will only be sent to
the host over the current https connection and never over regular http.

I have no idea if there is support for this directive in CookieCrumbler
( which handles the cookies for authentication ) or not. If not, you
could try adding it yourself.

:)

--
___________________________________________________________________

Geir Bækholt   ·   Plone Solutions  ·  http://plonesolutions.com
__________________________________________________________________

Plone Foundation · http://plone.org/foundation · Protecting Plone 




-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
Register for a JBoss Training Course.  Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click
_______________________________________________
Plone-Users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/plone-users
Gert Thiel Gert Thiel
Reply | Threaded
Open this post in threaded view
|

Re: Re: Require SSL encryption for all portal actions that require authentication

Geir,

>> I can implement requirement (3) partially only. After reading the available
>> documentation I have set up Apache 2 to redirect log-in to the HTTPS aka SSL
>> virtual host. After logging in the authenticated user is presented with the
>> HTTPS aka SSL site. But the user can enter a unsecure http:// address
>> manually and administer Plone or edit Plone content without SSL protection
>> applied.
>>
>> I want Plone to redirect any HTTP request to the HTTP aka SSL virtual host
>> whenever a user tries to administer or edit something. This should be forced
>> from inside Plone and happen even if the Apache rewrite rules are
>> insufficient or error prone.
>>
>> If such mechanism would be implemented we would not need mod_rewrite any
>> longer.
>>
>> Do you have any ideas how to do so?
>
> The Cookie specification ( and its browser implementations too) allows
> you to pass a parameter secure=1 (or something fairly similar) when you
> set a cookie on the client. This means the cookie will only be sent to
> the host over the current https connection and never over regular http.
>
> I have no idea if there is support for this directive in CookieCrumbler
> ( which handles the cookies for authentication ) or not. If not, you
> could try adding it yourself.

I had a look at the sources of CookieCrumber.py and what do I find? Your
idea is integrated in CookieCrumber. See defaultSetAuthCookie at line 125+.

Now, why does that not work? Am I dumb?

Regards,

  Gert.




-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
Register for a JBoss Training Course.  Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click
_______________________________________________
Plone-Users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/plone-users
Gert Thiel Gert Thiel
Reply | Threaded
Open this post in threaded view
|

Re: Re: Require SSL encryption for all portal actions that require authentication

Geir,

>>> I can implement requirement (3) partially only. After reading the available
>>> documentation I have set up Apache 2 to redirect log-in to the HTTPS aka SSL
>>> virtual host. After logging in the authenticated user is presented with the
>>> HTTPS aka SSL site. But the user can enter a unsecure http:// address
>>> manually and administer Plone or edit Plone content without SSL protection
>>> applied.
>>>
>>> I want Plone to redirect any HTTP request to the HTTP aka SSL virtual host
>>> whenever a user tries to administer or edit something. This should be forced
>>> from inside Plone and happen even if the Apache rewrite rules are
>>> insufficient or error prone.
>>>
>>> If such mechanism would be implemented we would not need mod_rewrite any
>>> longer.
>>>
>>> Do you have any ideas how to do so?
>>
>> The Cookie specification ( and its browser implementations too) allows
>> you to pass a parameter secure=1 (or something fairly similar) when you
>> set a cookie on the client. This means the cookie will only be sent to
>> the host over the current https connection and never over regular http.
>>
>> I have no idea if there is support for this directive in CookieCrumbler
>> ( which handles the cookies for authentication ) or not. If not, you
>> could try adding it yourself.
>
> I had a look at the sources of CookieCrumber.py and what do I find? Your
> idea is integrated in CookieCrumber. See defaultSetAuthCookie at line 125+.
>
> Now, why does that not work? Am I dumb?

At my install of Plone, the __ac Cookie is not restricted secure-only. Why?

BTW: My site is http://www.gertthiel.de/

Regards,

  Gert.




-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
Register for a JBoss Training Course.  Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click
_______________________________________________
Plone-Users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/plone-users
Erik Forsberg-6 Erik Forsberg-6
Reply | Threaded
Open this post in threaded view
|

Re: Require SSL encryption for all portal actions that require authentication

Gert Thiel <[hidden email]> writes:

> At my install of Plone, the __ac Cookie is not restricted
> secure-only. Why?

Good question. Btw, I was going to ask if there were a product that
made it possible to avoid sending the username and password in easily
decoded form at each request (i.e., the __ac Cookie). SessionCrumbler
seems to solve this problem.

http://longsleep.org/projects/sessioncrumbler

\EF
--
Erik Forsberg                 http://efod.se
GPG/PGP Key: 1024D/0BAC89D9



-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
Register for a JBoss Training Course.  Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click
_______________________________________________
Plone-Users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/plone-users