Ticket #10396 (closed PLIP: wontfix)
allow option for using SSL login in form POST
Reported by: | tkimnguyen | Owned by: | vangheem |
---|---|---|---|
Priority: | minor | Milestone: | Future |
Component: | General | Version: | |
Keywords: | | Cc: | servilio, plip-advisories@… |
Description
Proposer: T. Kim Nguyen
Seconder: None as yet
Motivation
Out of the box, Plone posts login credentials non-securely over HTTP. This is fine in development but not in a serious production environment. It is possible to apply Apache rewrite rules to force SSL for login_form etc. as per http://plone.org/documentation/kb/apache-ssl but Plone itself should also have a setting that allows a site administrator to require it in the login_form etc. The bugs http://dev.plone.org/plone/ticket/4299 and http://dev.plone.org/plone/ticket/3034 are related but have been closed ("worksforme") despite there being an identified need from many years ago.
It's true that to have SSL logins, you have to work with Apache to set up SSL in the first place and so it is reasonable to say that to make Plone do the right SSL thing requires more Apache work. However in a large hosting environment where there are hundreds of Plone sites, it is not good to require that each site have several rewrite rules to support something that Plone can do with the right enhancements.
Assumptions
When the "Enable secure logins" checkbox is checked in the Security configlet, the login_form.cpt and the login.pt will both alter the form action URL by replacing 'http://' with 'https://' in the simplest case.
An additional use case is to have an additional string field in the Security configlet that allows an administrator to specify the URL the forms should use.
(Is there a need for regexps to indicate when SSL logins should not be forced? e.g. localhost, 127.0.0.1)
Proposal & Implementation
Addition of checkbox and URL string field to Security configlet.
Modification of login_form.cpt and login.pt.
Deliverables
What code and documentation needs to be produced? Standard items:
- Unit tests
- Localization
- Documentation
Risks
What are the risks of implementing this proposal? More choices the administrator will need to understand.
What incompatibilities can it cause?
Participants
tkimnguyen (T. Kim Nguyen)
Progress
Part of this has been in production at UW Oshkosh for several years. Just need to implement the checkbox and string field in the Security configlet.
Change History
comment:2 Changed 6 years ago by vangheem
- Status changed from new to assigned
- Owner set to vangheem
- Milestone changed from Future to 4.1
comment:3 Changed 6 years ago by hannosch
- Component changed from Unknown to Infrastructure
Additional "risks": We need to find out how this affects other login systems, like OpenID, Single-Sign-On via auth_tkt cookies or authentication happening in a web server frontend or WSGI middleware.
comment:4 Changed 6 years ago by ldr
This is too risky to add to a Plone control panel as it makes it possible to lock yourself out of Plone without an easy way to recover. Instead there should be a property added to portal_properties for controlling the login form's action attribute. If this is set, it is used instead of the existing one. You can then set this to an https url should you so wish. (Approved by the framework team with this caveat.)
comment:5 Changed 6 years ago by esteele
Your PLIP has been accepted for consideration for Plone 4.1.
Framework Team voting on this PLIP was: Alec +1, Craig -1, Elizabeth +0, Laurence +1, Martijn +0, Matthew +1, Rob -1, Ross --
Please note Laurence's comment above for the Framework Team's recommended modifications to your proposal.
The initial implementation deadline for your PLIP is October 1st, 2010. The Framework Team would certainly appreciate you finishing beforehand so that they may begin evaluating it as soon as possible. Announce its readiness here once your implementation is ready for review.
comment:6 Changed 6 years ago by limi
Aren't we trying to get rid of portal_properties in favor of something like plone.app.registry? :)
In any case, it seems to me that this should be even lower in the config stack, probably an option in buildout.cfg to ensure it is on the same level as the setup of the web server. Just because it's hidden in the ZMI doesn't stop people from following a how-to online and locking themselves out of their site.
comment:7 Changed 6 years ago by hannosch
From what I understand this only applies to Plone's login form. So even if you lock yourself out, you can still access Plone using the basic authentication from the Zope root folder and thus disable the property again.
And for now adding things to portal_properties is the way to go. Migrating existing settings to plone.registry is a PLIP of its own.
comment:10 Changed 5 years ago by rossp
- Status changed from assigned to closed
- Resolution set to wontfix
PLEASE READ THIS AND RE-OPEN VALID PLIPS!
As we launch the new PLIP process we'd like to see which PLIPs:
- are still appropriate/needed
- still have owners/proposers/champions
- still have available implementers
If this PLIP should still be considered for future releases of Plone please do re-open this ticket and assign an appropriate milestone. If it should be considered for the next release of Plone, use the 4.2 milestone. Also be sure to update the PLIP description, requester, owner, etc. and include a comment detailing recent progress and new plans. We will use all these details in the new continuous PLIP process.
comment:11 Changed 5 years ago by ldr
I ended up implementing the option to set an external login url for Plone 4.1. It is now possible to set the external_login_url in site properties to the https version of your site. For details see: http://pypi.python.org/pypi/plone.session
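The form-action logic discussed in this ticket (the "simplest case" scheme swap, the override URL, and the localhost exemption raised under Assumptions), sketched as an added example that is not code from Plone or plone.session. The function name, the `secure_logins` and `exempt_hosts` parameters, the https-only check on the override and the sample URLs are assumptions; only the name `external_login_url` comes from the ticket.

```python
from urllib.parse import urlsplit, urlunsplit

# Hosts where forcing HTTPS would break local development (assumed list).
DEFAULT_EXEMPT_HOSTS = frozenset({"localhost", "127.0.0.1"})


def login_form_action(current_url, secure_logins=False, external_login_url="",
                      exempt_hosts=DEFAULT_EXEMPT_HOSTS):
    """Return the URL the login form should POST credentials to.

    Hypothetical helper: parameter names are illustrative, not Plone's API.
    """
    # An explicit override wins. Added check (not specified in the ticket):
    # reject a non-https override, since a mistyped http:// value would
    # silently send credentials in clear text again.
    if external_login_url:
        override = urlsplit(external_login_url)
        if override.scheme != "https" or not override.hostname:
            raise ValueError("login URL override must be an absolute https URL")
        return external_login_url

    parts = urlsplit(current_url)
    if not secure_logins or parts.scheme != "http":
        return current_url
    if parts.hostname in exempt_hosts:
        return current_url

    # Change only the scheme. A plain str.replace('http://', 'https://') would
    # also rewrite URLs embedded in the query string (e.g. came_from=...).
    netloc = parts.netloc
    if parts.port == 80:
        netloc = netloc.rsplit(":", 1)[0]  # drop the explicit HTTP port
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample URLs.
    for url in ("http://example.org/login_form?came_from=http://example.org/news",
                "http://localhost:8080/Plone/login_form"):
        print(url, "->", login_form_action(url, secure_logins=True))
```

A site served on a non-default HTTP port cannot be mapped to its HTTPS address by a scheme swap alone, which is the case the override URL covers.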