A couple of questions have had answers suggesting making use of mod_auth_tkt to allow Plone 4 (Plone and Asp.Net Integration, Use Plone's authentication mechanism to login to other sites.) to authenticate other web applications, and since I have a couple of CGIs that already jump through h开发者_JS百科oops to authenticate via Plone, this seems ideal for my purpose. However, I can't seem to find much documentation about using mod_auth_tkt in general, and absolutely none about using it with Plone.
I have the following problems.
- mod_auth_tkt expects a shared "secret". mod_auth_tkt's examples show Apache getting this from a config file. Plone doesn't share its secrets - so how does Apache know that a given Plone cookie is a valid auth_tkt?
- what url would one use in the Apache config TKTAuthLoginURL? [I'm not sure that's vital, as, at the moment, I'm only really interested in ensuring that something is invoked from inside plone, rather than directly as a cgi]
- Apache expects the ticket cookie to be named via TKTAuthCookieName (default 'auth_tkt'). What does Plone call it? __ac?
The documentation on using mod_auth_tkt is a man page distributed with the source.
In answer to your specific questions:
- In /Plone/acl_users/session. On the Manage secrets tab set a shared secret. (This is described in the documentation for setting up a shared secret with an IIS login form.) You should set the same secret in the Apache config with the TKTAuthSecret directive. 
- For Plone 4.0 (or Plone 3.x with plone.session 3.x) use /Plone/login_form. For Plone 4.1 use /Plone/login, assuming that the Plone site is hosted at /Plone. Use /login_form or /login if it is hosted at the root. 
- Plone uses _ac by default, so use TKTAuthCookieName "_ac". (The cookie name Plone uses is set in the acl_users session settings and cookie authentication settings.) 
You might have to set TKTAuthBackArgName "came_from", though I think Plone will fallback to the referrer url so it may work without. And you will need to check the "Use mod_auth_tkt compatible hashing algorithm" option on the preferences tab of acl_users/session.
It turns out that there seems to be a conflict with pas.plugins.sqlalchemy. I've been investigating PPS, and while it doesn't seem that there should be any crossover, the site I was testing had PPS installed. When I switched to a site without PPS, setting the "secret" and the mod_auth_tkt flag had the desired effect. Since I seem to have fallen into the maintenance role for pas.plugins.sqlalchemy, I guess it's my problem :-)
Domo arigato, Mr. Rowe-boto!
 
         
                                         
                                         
                                         
                                        ![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif) 
                                         
                                         
                                         
                                         加载中,请稍侯......
 加载中,请稍侯......
      
精彩评论