Pluggable Authentication Service
Zope uses hashlib.sha(password+salt).hexdigest() to encrypt passwords, much as PostgreSQL uses MD5; for an example see the remember hashers in Products.remember/content/password_hashers.py
A Products.PlonePAS release fixes the @@change_password failure that occurs when use_uuid_as_userid is enabled.
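Added example, not code from Zope, Plone or Products.remember: the single-pass salted SHA-1 scheme from the note above next to a PBKDF2 hasher that verifies both formats and hands back an upgraded hash when a legacy one matches at login. The function names, the `pbkdf2_sha256$...` storage format and the iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 600000  # assumed work factor for this example
PREFIX = "pbkdf2_sha256$"  # assumed storage-format tag


def legacy_hash(password, salt):
    """Single-pass salted SHA-1, the scheme the note above describes."""
    return hashlib.sha1((password + salt).encode("utf-8")).hexdigest()


def pbkdf2_hash(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations)
    return "%s%d$%s$%s" % (PREFIX, iterations, salt.hex(), digest.hex())


def _same(a, b):
    # Constant-time comparison, so timing does not leak how many
    # leading characters of the digest matched.
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def verify(password, stored, legacy_salt=""):
    """Check a password against either stored format.

    Returns (ok, upgraded). `upgraded` is a fresh PBKDF2 string when a
    legacy hash matched, so the caller can replace the stored value.
    """
    if stored.startswith(PREFIX):
        try:
            _, iterations, salt_hex, _ = stored.split("$")
            candidate = pbkdf2_hash(
                password, bytes.fromhex(salt_hex), int(iterations))
        except ValueError:  # malformed record: reject, do not crash
            return False, None
        return _same(candidate, stored), None
    if _same(legacy_hash(password, legacy_salt), stored):
        return True, pbkdf2_hash(password)
    return False, None
```
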
oAuth intro scope manager oauth Products.OneTimeTokenPAS
http://plone.org/documentation/manual/developer-manual/users-and-security/pluggable-authentication-service
http://plone.org/documentation/kb/simple-plonepas-example/tutorial-all-pages
collective.customlogin
Plone 3 __ac cookie and security by Nathan Van Gheem
deployment:
1. add pas.plugins.sqlalchemy to the eggs and zcml sections in buildout.cfg
2. do not add collective.saconnect; it does not seem to help
3. add this definition to the instance section in buildout.cfg:

    zcml-additional =
        <configure xmlns="http://namespaces.zope.org/zope"
                   xmlns:db="http://namespaces.zope.org/db">
          <include package="z3c.saconfig" file="meta.zcml" />
          <db:engine xmlns="http://namespaces.zope.org/db"
                     name="pas"
                     url="mysql://user:password@host/database" />
          <db:session xmlns="http://namespaces.zope.org/db"
                      name="pas.plugins.sqlalchemy"
                      engine="pas" />
        </configure>

4. from the Plone control panel, add the PAS SQL Plugin product: this step should both connect to the database and create the database schema with empty tables
5. to activate the plugin, access the ZMI and navigate to the acl_users folder and the plugins sub-folder. Review each plugin type and, if an sql option is available, change its precedence to suit your purposes.
Provided you have set the precedence of sql in the User Adder plugins, you can add new users and they will be stored in your SQL database. Note that the settings in zcml-additional apply throughout an instance. If you have several Plone instances within a single Zope instance, then each Plone instance with the PAS SQL Plugin activated will share the same user SQL database.
Multiple Sites: Suppose you require a number of related sites all of which relate broadly to the same group of users:
- Paid-up members or Active members: assigned as Members and possibly Contributors
- Lapsed members: having a login but no role assignment
- Various organisational sub-sets of members: assigned the various management roles of Editor, Reviewer, Manager, etc
- Anonymous visitors: obviously have no login
In your sites, you want to allow members to log on and authenticate themselves. Then, depending on the site and the specific user, various roles can be assigned to allow access to different types of content. When deploying this plugin, user information is stored in the database but user and group permissions remain in Plone. Using this behaviour we can use group definitions to control who can do what in specific sites, all with a minimum of tweaking of the Plone instances. First the minimal changes:
- set sql to the top of all its relevant plugin types except for Group Management - we want Plone instances to drive this part of user management
- set Intranet/Extranet Workflow as the default for each site
- for the internally_published state, under the Permissions tab, switch on Authenticated permission for both view and access options (this is optional and depends what you want Lapsed Members to see)
- activate the changes for the workflow
- in each site, add a membership Group with the roles you want all Active members to have
- for each site, add additional groups for any special subsets you may want, setting roles as required
- add members in one site, assigning each to appropriate groups for that site
- in additional sites, add members to any groups peculiar to these individual sites
Having done all this, you should now get the following behaviour:
- Anonymous users: can only see Externally Published content
- Lapsed Members: can also see Internally Published material if they are logged in
- Active Members: can see all content except items marked as private and whatever additional roles you have assigned
- Special Members: certain members will have greater access depending on the roles they have been assigned in each site
These behaviours are easily managed simply by adding users to one or more groups. Further, a new user only needs to be added in one site, and usually Group membership can be assigned at that time (except for Groups which are specific to individual sites). Active Membership can also be controlled by an external application updating the SQL database independent of any Plone instance, i.e. for lapsed members, remove their appropriate Group membership via the database. This procedure will affect all related sites immediately without having to do anything else.
Add an Event for Group Deletion notification. The problem of removing a User from a Group taking too long.
collective.workspace usage example: Team Guest Role
authentication-from-multi-source in Plone4
pas.plugins.sqlalchemy: challenges when the number of accounts is very large; manage-only-users-without-roles-and-groups
Disable the acl_users PAS auth plugin to temporarily prevent users from logging in
plone42 make PAS cache external user data
external-authentication in plone4 radius-local-script
custom facebook integration with separate PAS plugin
plone/app/users/browser/configure.zcml

    <browser:page
        name="new-user"
        for="plone.app.layout.navigation.interfaces.INavigationRoot"
        class=".register.AddUserForm"
        permission="plone.app.controlpanel.UsersAndGroups"
        />

plone/app/users/browser/register.py
class BaseRegistrationForm(PageForm)

    # passwords should match
    if 'password' in form_field_names:
        assert('password_ctl' in form_field_names)
        # Skip this check if password fields already have an error
        if not ('password' in error_keys or \
                'password_ctl' in error_keys):
            password = self.widgets['password'].getInputValue()
            password_ctl = self.widgets['password_ctl'].getInputValue()
            if password != password_ctl:
                err_str = _(u'Passwords do not match.')
                errors.append(WidgetInputError('password',
                              u'label_password', err_str))
                errors.append(WidgetInputError('password_ctl',
                              u'label_password', err_str))
                self.widgets['password'].error = err_str
                self.widgets['password_ctl'].error = err_str

Products/PlonePAS/pas.py

    def _doAddUser(self, login, password, roles, domains, groups=None, **kw):
        """Masking of PAS._doAddUser to add groups param."""
        retval = _old_doAddUser(self, login, password, roles, domains)
        if groups is not None:
            self.userSetGroups(login, groups)
        return retval

    def credentialsChanged(self, user, name, new_password):
        """Notifies the authentication mechanism that this user has changed
        passwords.  This can be used to update the authentication cookie.
        Note that this call should *not* cause any change at all to user
        databases.

        For use by CMFCore.MembershipTool.credentialsChanged
        """
        request = self.REQUEST
        response = request.RESPONSE
        login = name

        self.updateCredentials(request, response, login, new_password)

    PluggableAuthService.credentialsChanged = credentialsChanged
    PluggableAuthService.credentialsChanged__roles__ = PermissionRole(ManageUsers, ('Manager',))

Check credentials from trusted code by calling the 'ZODBUserFolder' instance's 'authenticateCredentials()' method, passing in a dictionary containing 'login' and 'password' keys. zope mailing list - PAS & scripted auth by Tres Seaver

    zodb_users = self.unrestrictedTraverse('/acl_users/zodb_users')
    creds = {'login': login_name, 'password': password}
    authenticated = zodb_users.authenticateCredentials(creds)
    if authenticated is None:
        # creds don't match
        show_error_message()
    else:
        userid, login = authenticated

Shibboleth
Enabling Access to Applications with Shibboleth: Adding Shibboleth Logins to the Plone CMS by Alan Brenner
collective.shibboleth Products.ShibbolethPermissions
UCLA Guideline: install WebServerAuth and modify the RequestHeader setting for X_REMOTE_USER in /etc/httpd/conf.d/ssl.conf

    RequestHeader set X_REMOTE_USER %{SHIBUCLALOGONID}e

Products.AutoRoleFromHostHeader: plugin based on Autorole fails for anonymous users
collective.googleauthenticator: Two-step verification for Plone 4 using the Google Authenticator app. collective.twofactor, collective.smsauthenticator: enable_two_factor_authentication
Nginx with Shibboleth (FastCGI authorizer) support
collective.castle: user interface for Products.CAS4PAS
http://tomster.org/geek/plonezope/importPASfromCSV.py/view
http://plone.org/documentation/kb/debug-unauthorized