Skip to content. | Skip to navigation

Personal tools


You are here: Home / Tips / Pluggable Authentication Service

Pluggable Authentication Service

Plone 使用 Pluggable Authentication Service (PAS) 機制來管理帳號,預設的模組軟體稱為 PlonePAS,而且能夠延伸使用 SQLPAS 之類的模組。

Zope 使用 hashlib.sha(password+salt).hexdigest() 來做加密,像 PostgreSQL 使用 MD5。

Products.PlonePAS 改版解決 use_uuid_as_userid 啟用時造成 @@change_password 失敗的問題。

scope manager oauth Products.OneTimeTokenPAS


Plone 3 __ac cookie and security by Nathm Van Gheem

deployment: 1. add pas.plugins.sqlalchemy to the eggs and zcml section in buildout.cfg 2. do not add collective.saconnect that seems no help 3. add definition to the instance section in buildout.cfg

zcml-additional =
  <configure xmlns=""
    <include package="z3c.saconfig" file="meta.zcml" />
    <db:engine xmlns=""
               url="mysql://user:password@host/database" />
    <db:session xmlns=""
                engine="pas" />

4. from the Plone control panel, add the PAS SQL Plugin product: this step should both connect to the database and create the database schema with empty tables 5. to activate the plugin, access the ZMI and navigate to the acl_users folder and the plugins sub-folder. Review each plugin-type and if an sql option is available, change its precedence to suit your purposes.

Provided you have set the precedence of sql in the User Adder plugins, you can add new users and they will be stored in your SQL database. Notice that the settings in zcml-additional apply throughout an instance. If you have several Plone instances within a single Zope instance, then each Plone instance with the PAS SQL Plugin activated will share the same user SQL database

Multiple Sites: Suppose you require a number of related sites all of which relate broadly to the same group of users:

  • Paid-up members or Active members: assigned as Members and possibly Contributors
  • Lapsed members: having a login but no role assignment
  • Various organisational sub-sets of members: assigned the various management roles of Editor, Reviewer, Manager, etc
  • Anonymous visitors: obviously have no login

In your sites, you want to allow members to be able to logon and authenticate themselves. Then depending on the site and the specific user, various roles can be assigned to allow access to different types of content. When deploying this plugin, user information is stored in the database but user and group permissions remains in Plone. Using this behaviour we can use group definitions to control who can do what in specific sites; all with a minimum of tweaking the Plone instances. First the minimal changes:

  • set sql to the top of all its relevant plugin types except for Group Management - we want Plone instances to drive this part of user management
  • set Intranet/Extranet Workflow as the default for each site
  • for the internally_published state, under the Permissions tab, switch on Authenticated permission for both view and access options (this is optional and depends what you want Lapsed Members to see)
  • activate the changes for the workflow
  • in each site, add a membership Group with a roles you want all Active members to have
  • for each site, add additional groups for any special subsets you may want setting roles as required
  • add members in one site assigning each to appropriate groups for that site in additional sites, add members to any groups peculiar to these individual sites

Having done all this, you should now get the following behaviour

  • Anonymous users: can only see Externally Published content
  • Lapsed Members: can also see Internally Published material if they are logged in
  • Active Members: can see all content except items marked as private and whatever additional roles you have assigned
  • Special Members: certain members will have greater access depending on the roles they have been assigned in each site

These behaviours are easily managed simply by adding users to one or more groups. Further, a new user only needs added in one site and usually Group membership can be assigned at that time (except for Groups which are specific to individual sites). Active Membership can also be controlled by an external application updating the SQL database independent of any Plone instance i.e. for lapsed members, remove their appropriate Group membership via the database. This procedure will affect all related sites immediately without having to do anything else.

新增 Group Deletion 通知的 Event 從群組 Group 移除 User 耗時過久的問題

collective.workspace 應用範例

pas.plugins.sqlalchemy 帳號數量過大時的挑戰

關閉 acl_users PAS auth plugin 達到使用者暫時無法登入的效果

custom facebook integration with separate PAS plugin




class BaseRegistrationForm(PageForm)

        # passwords should match
        if 'password' in form_field_names:
            assert('password_ctl' in form_field_names)
            # Skip this check if password fields already have an error
            if not ('password' in error_keys or \
                    'password_ctl' in error_keys):
                password = self.widgets['password'].getInputValue()
                password_ctl = self.widgets['password_ctl'].getInputValue()
                if password != password_ctl:
                    err_str = _(u'Passwords do not match.')
                                  u'label_password', err_str))
                                  u'label_password', err_str))
                    self.widgets['password'].error = err_str
                    self.widgets['password_ctl'].error = err_str


def _doAddUser(self, login, password, roles, domains, groups=None, **kw ):
    """Masking of PAS._doAddUser to add groups param."""
    retval = _old_doAddUser(self, login, password, roles, domains)
    if groups is not None:
        self.userSetGroups(login, groups)
    return retval
def credentialsChanged(self, user, name, new_password):
    """Notifies the authentication mechanism that this user has changed
    passwords.  This can be used to update the authentication cookie.
    Note that this call should *not* cause any change at all to user

    For use by CMFCore.MembershipTool.credentialsChanged
    request = self.REQUEST
    response = request.RESPONSE
    login = name

    self.updateCredentials(request, response, login, new_password)
PluggableAuthService.credentialsChanged = credentialsChanged
PluggableAuthService.credentialsChanged__roles__ = PermissionRole(ManageUsers, ('Manager',))

check credentials from trusted code by calling the 'ZODBUserFolder' instance's 'authenticateCredentials()' method, passing in a dictionary containing 'login' and 'password' keys. zope mailing list - PAS & scripted auth by Tres Seaver

   zodb_users = self.unrestrictedTraverse('/acl_users/zodb_users')
   creds = {'login': login_name, 'password': password}
   authenticated = zodb_users.authenticateCredentials(creds)

   if authenticated is None:  # creds don't match
      userid, login = authenticated


Enabling Access to Applications with Shibboleth: Adding Shibboleth Logins to the Plone CMS by Alan Brenner

collective.shibboleth Products.ShibbolethPermissions

UCLA Guideline: 安裝 WebServerAuth 修改 /etc/httpd/conf.d/ssl.conf X_REMOTE_USER 的 RequestHeader 設定值



Products.AutoRoleFromHostHeader: plugin based on Autorole fails for anonymous users

collective.googleauthenticator: Two-step verification for Plone 4 using the Google Authenticator app. collective.twofactor, collective.smsauthenticator: enable_two_factor_authentication

Nginx with Shibboleth (FastCGI authorizer) support

collective.castle: user interface for Products.CAS4PAS