[Setup] Setting up secure logins.

David Murphy dmurphy at kalsec.com
Thu Jul 9 17:40:28 UTC 2009

Hi folks. We're setting up Plone on an internet server, so we need logins to
be done securely (via SSL). I'm following the guide put out by Penn State
(https://weblion.psu.edu/trac/weblion/wiki/InstallPloneForProduction), which
has a lot of good information. I'm pretty much there, but I seem to be stuck

I've configured the server to have Apache (2.2) redirect requests to Plone
(with RewriteRules). I've installed the WebServerAuth product to redirect
login traffic over https, and to have Plone accept Apache's authorizations.
Unfortunately, though I can log into the Plone site as the admin user (once
I created one on the web server), Plone doesn't seem to recognize it as a
privileged user, and I don't get a Site Setup link.

Having the web server handle authentication isn't actually the ideal setup
for us... since we don't have any centralized authentication system to hook
into, setting up users and changing passwords is very low-level and manual
(using Apache's Basic, file-based auth). In Penn State's documentation,
there's a blurb that reads:

"If you don't want to Delegate Authentication to Apache, you should still
use SSL to encrypt the transmission of passwords. To automatically redirect
your users to the HTTPS version of your site when they need to authenticate,
use Web Server Auth."

Unfortunately, I couldn't find any further information anywhere about how to
do this; that is, to have Plone handle the users but use WebServerAuth to
direct login traffic to https.

So if anyone has experience here, I could really use some assistance in
solving one of the two problems:

1. (preferable) Set up Plone to handle its own authentication, but do it
securely over https.
2. (otherwise) Get Plone to recognize a privileged user logged in via

Thanks for any help.

-David Murphy